正真正銘のCIPP-E問題集には100%合格率練習テスト問題集 [Q25-Q44]

Share

正真正銘のCIPP-E問題集には100%合格率練習テスト問題集

IAPP CIPP-Eリアル試験問題保証付き 更新された問題集


IAPP CIPP/E認定は、欧州で働くプライバシー専門家にとって必須の資格です。認定は、GDPRやePrivacy指令を含む欧州のデータ保護法に対する包括的な理解を提供します。認定試験は challenging であり、合格することはデータ保護に関する高度な専門知識と専門性を示すことになります。CIPP/E認定は、グローバルに認められ尊敬されており、プライバシーとデータ保護のキャリアを進めるための優れた投資です。

 

質問 # 25
SCENARIO
Please use the following to answer the next question:
Zandelay Fashion ('Zandelay') is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company's compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.
The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.
In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company's customers by analyzing their purchases. Martin tells the CEO that: (a) the potential risks of such activities means that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.
Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay's business plan and associated processing activities.
What would MOST effectively assist Zandelay in conducting their data protection impact assessment?

  • A. Existing DPIA guides published by local supervisory authorities.
  • B. Records of processing activities that data controllers are required to maintain.
  • C. Information about DPIAs found in Articles 38 through 40 of the GDPR.
  • D. Data breach documentation that data controllers are required to maintain.

正解:A

解説:
A data protection impact assessment (DPIA) is a process to help identify and minimise the data protection risks of a project that involves personal data, especially when using new technologies or processing that is likely to result in a high risk to individuals1. The UK GDPR requires data controllers to carry out a DPIA before starting such processing and to consult the supervisory authority if the DPIA indicates a high risk that cannot be mitigated1. The UK GDPR also provides some general guidance on the content and methodology of a DPIA, but it does not prescribe a specific format or procedure1. Therefore, to effectively assist Zandelay in conducting their DPIA, it would be helpful to refer to existing DPIA guides published by local supervisory authorities, such as the ICO in the UK or the DPC in Ireland23. These guides offer more detailed and practical advice on how to conduct a DPIA, what to include in it, how to assess and mitigate the risks, and when to consult the authority23. They also provide templates, checklists, examples, and case studies to illustrate the DPIA process23. By following these guides, Zandelay can ensure that their DPIA is comprehensive, consistent, and compliant with the UK GDPR and the relevant national laws.
The other options are not as effective as option C, because:
Option A: Information about DPIAs found in Articles 38 through 40 of the UK GDPR is too general and vague to assist Zandelay in conducting their DPIA. These articles only outline the basic requirements and principles of a DPIA, but do not provide any specific guidance on how to conduct one, what to include in it, or how to assess and mitigate the risks1. Zandelay would need more detailed and practical advice to effectively perform a DPIA.
Option B: Data breach documentation that data controllers are required to maintain is not relevant to conducting a DPIA. A data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data1. A data controller must document any data breaches, including the facts, effects, and remedial actions taken, and notify the supervisory authority and the affected individuals without undue delay1. However, a data breach is not the same as a data protection risk, which is the potential for adverse effects on individuals as a result of the processing of their personal data2. A DPIA is a proactive and preventive measure to identify and minimise the data protection risks of a project, not a reactive and corrective measure to deal with the consequences of a data breach2.
Option D: Records of processing activities that data controllers are required to maintain are not sufficient to assist Zandelay in conducting their DPIA. A record of processing activities is a document that contains information about the purposes, categories, recipients, transfers, retention periods, and security measures of the processing of personal data by a data controller or a data processor1. A data controller must maintain a record of processing activities under its responsibility and make it available to the supervisory authority upon request1. However, a record of processing activities is not the same as a DPIA, which is a more in-depth and systematic analysis of the data protection risks and the measures to address them2. A record of processing activities may provide some useful information for a DPIA, such as the nature, scope, context, and purposes of the processing, but it does not cover other aspects, such as the necessity, proportionality, compliance, and impact of the processing2.
https://blog.netwrix.com/2021/02/17/data-protection-impact-assessment/
https://ico.org.uk/for-organisations-2/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/


質問 # 26
Which judicial body makes decisions on actions taken by individuals wishing to enforce their rights under EU law?

  • A. Court of Justice of European Union
  • B. European Data Protection Board
  • C. European Court of Human Rights
  • D. Court of Auditors

正解:A


質問 # 27
Under what circumstances might the "soft opt-in" rule apply in relation to direct marketing?

  • A. Where an individual is given the ability to unsubscribe from marketing emails sent to him.
  • B. When an individual's details are obtained from their inquiries about buying a product.
  • C. Where an individual's details have been obtained from a bought-in marketing list.
  • D. When an individual has not consented to the marketing.

正解:B

解説:
The "soft opt-in" rule is an exception to the general requirement of obtaining consent before sending electronic mail marketing to individuals. It applies when the following conditions are met12:
the sender has obtained the contact details of the recipient in the context of the sale or negotiations for the sale of a product or service to that recipient; the sender only sends direct marketing relating to its own similar products or services; and the recipient has been given a simple opportunity to refuse or opt out of the marketing, both when the details were initially collected and in every subsequent message.
The option B matches these conditions, as it implies that the individual has shown an interest in buying a product from the sender, and that the sender can use the individual's details to send marketing about similar products, as long as the individual can easily opt out. The other options do not qualify for the "soft opt-in" rule, as they either involve no consent, no prior relationship, or no opt-out mechanism. Reference: Electronic mail marketing | ICO, Direct marketing rules and exceptions under the GDPR


質問 # 28
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asi a. A large portion of the company's revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children's Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a QUESTION, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though that the toy is actually responding to the child's QUESTION. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.
In light of the requirements of Article 32 of the GDPR (related to the Security of Processing), which practice should the company institute?

  • A. Insert contractual clauses into the contract between the toy manufacturer and the cloud service provider, since South Africa is outside the European Union.
  • B. Encrypt the data in transit over the wireless Bluetooth connection.
  • C. Include dual-factor authentication before each use by a child in order to ensure a minimum amount of security.
  • D. Include three-factor authentication before each use by a child in order to ensure the best level of security possible.

正解:B

解説:
According to Article 32 of the GDPR, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing personal data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The GDPR also provides some examples of such measures, including the pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
In this scenario, the company is processing personal data of children, such as their voice, questions, preferences, and location, through the connected toys that use a wireless Bluetooth connection to communicate with smartphones, tablets, cloud servers, and other toys. This poses a high risk to the security of the data, as Bluetooth is a short-range wireless technology that can be easily intercepted, hacked, or compromised by malicious actors. Therefore, the company should encrypt the data in transit over the Bluetooth connection, to prevent unauthorized access, disclosure, or alteration of the data. Encryption is a process of transforming data into an unreadable form, using a secret key or algorithm, that can only be reversed by authorized parties who have the corresponding key or algorithm. Encryption can protect the data from being accessed or modified by anyone who does not have the key or algorithm, thus ensuring the confidentiality and integrity of the data.
The other options are incorrect because:
B) Including dual-factor authentication before each use by a child in order to ensure a minimum amount of security is not a sufficient measure to protect the data in transit over the Bluetooth connection. Dual-factor authentication is a process of verifying the identity of a user by requiring two pieces of evidence, such as a password and a code sent to a phone or email. While this may enhance the security of the user's account or device, it does not protect the data that is transmitted over the wireless connection, which can still be intercepted, hacked, or compromised by malicious actors. Moreover, dual-factor authentication may not be suitable or convenient for children, who may not have access to a phone or email, or who may forget their passwords or codes.
C) Including three-factor authentication before each use by a child in order to ensure the best level of security possible is not a necessary or proportionate measure to protect the data in transit over the Bluetooth connection. Three-factor authentication is a process of verifying the identity of a user by requiring three pieces of evidence, such as a password, a code sent to a phone or email, and a biometric feature, such as a fingerprint or a face scan. While this may provide a high level of security for the user's account or device, it does not protect the data that is transmitted over the wireless connection, which can still be intercepted, hacked, or compromised by malicious actors. Furthermore, three-factor authentication may not be appropriate or feasible for children, who may not have access to a phone or email, or who may not have reliable biometric features, or who may find the process too complex or cumbersome.
D) Inserting contractual clauses into the contract between the toy manufacturer and the cloud service provider, since South Africa is outside the European Union, is not a relevant measure to protect the data in transit over the Bluetooth connection. Contractual clauses are legal agreements that specify the obligations and responsibilities of the parties involved in a data transfer, such as the level of data protection, the rights of data subjects, and the remedies for breaches. While contractual clauses may be necessary to ensure the compliance of the data transfer to South Africa, which is a non-EU country that does not have an adequacy decision from the European Commission, they do not address the security of the data that is transmitted over the wireless connection, which can still be intercepted, hacked, or compromised by malicious actors. Moreover, contractual clauses are not a technical or organisational measure, but a legal measure, that falls under a different provision of the GDPR, namely Article 46.


質問 # 29
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
* Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
* Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
* Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees.
These records are available to former students after registering through Granchester's Alumni portal.
* Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
* Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level.
Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Anna will find that a risk analysis is NOT necessary in this situation as long as?

  • A. The data subjects gave their unambiguous consent for the original processing
  • B. The data subjects are no longer current students of Frank's
  • C. The algorithms that Frank uses for the processing are technologically sound
  • D. The processing will not negatively affect the rights of the data subjects

正解:A


質問 # 30
Which change was introduced by the 2009 amendments to the e-Privacy Directive 2002/58/EC?

  • A. A mandatory notification for personal data breaches applicable to all data controllers.
  • B. A voluntary notification for personal data breaches applicable to electronic communication providers.
  • C. A voluntary notification for personal data breaches applicable to all data controllers.
  • D. A mandatory notification for personal data breaches applicable to electronic communication providers.

正解:D

解説:
Reference https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32009L0136


質問 # 31
In 2016's Guidance, the United Kingdom's Information Commissioner's Office (ICO) reaffirmed the importance of using a "layered notice" to provide data subjects with what?

  • A. A privacy notice containing brief information whilst offering access to further detail.
  • B. An efficient means of providing written consent in member states where they are required to do so.
  • C. An of the security measures used when personal data is transferred to a third party.
  • D. A privacy notice explaining the consequences for opting out of the use of cookies on a website.

正解:A


質問 # 32
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick's instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients' data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft's engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies' websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem's as well as EcoMick's latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem's products, she has never shopped EcoMick, nor provided her personal data to that company.
Why would the consent provided by Ms. Iman NOT be considered valid in regard to JaphSoft?

  • A. She only viewed the visual representations of the privacy notice Liem provided.
  • B. She has never made any purchases from JaphSoft and has no relationship with the company.
  • C. She was not told which controller would be processing her personal data.
  • D. She did not read the privacy notice stating that her personal data would be shared.

正解:D

解説:
The reason why the consent provided by Ms. Iman would not be considered valid in regard to JaphSoft is not because she did not provide her consent for her personal data to be shared with EcoMick, but because she was not told which controller would be processing her personal data. JaphSoft is a controller, as it determines the purpose and means of the processing of personal data, which is to improve its marketing optimization models and to provide better services to its customers. JaphSoft does not act only on the instructions of Liem and EcoMick, who are the original controllers of the personal data, but rather uses the data for its own benefit and interest. Therefore, JaphSoft should have obtained a separate consent from Ms. Iman, or relied on another lawful basis, such as legitimate interest, to process her personal data. Ms. Iman only gave consent to Liem, not to JaphSoft, and she was not informed that her personal data would be shared with or processed by another controller.


質問 # 33
SCENARIO
Please use the following to answer the next question:
The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron's marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron's legal department.
Registration Form
Vigotron's new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.) Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which apps can access your dat a. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron's cloud provider, Stratculous. (Read more about Stratculous here.) Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer's name, email address or any other information gathered from the app to any third- party without a customer's consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer's legal rights or protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.) First name:
Surname:
Year of birth:
Email:
Physical Address (optional*):
Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to [email protected] or send a letter with your request to the address listed at the bottom of this page.
Terms and Conditions
1. Jurisdiction. [...]
2. Applicable law. [...]
3. Limitation of liability. [...]
Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.
If a user of the M-Health app were to decide to withdraw his consent, Vigotron would first be required to do what?

  • A. Erase any data collected from the time the app was first used.
  • B. Cease processing any data collected through use of the app.
  • C. Provide the user with logs of data collected through use of the app.
  • D. Inform any third parties of the user's withdrawal of consent.

正解:B


質問 # 34
Many businesses print their employees' photographs on building passes, so that employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GDPR. Why would such practice be permitted?

  • A. Because employees are deemed to have given their explicit consent when they agree to be photographed by their employer.
  • B. Because use of biometric data to confirm the unique identification of data subjects benefits from an exemption.
  • C. Because photographs qualify as biometric data only when they undergo a "specific technical processing".
  • D. Because photographic ID is a physical security measure which is "necessary for reasons of substantial public interest".

正解:C

解説:
Reference https://ess.csa.canon.com/rs/206-CLL-191/images/IAPP-Top-10-Operational-Impacts-of- GDPR.pdf?TC=DM&CN=CSA_OMNIA_Partners&CS=CSA&CR=T1_Gov%20GenNonProfit (11)


質問 # 35
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage Why was Jackie correct in not completing a transfer impact assessment for HRYourWay?

  • A. HRYourWay is not located in a third country.
  • B. ProStorage can rely on its Binding Corporate Rules
  • C. ProStorage will obtain consent for all transfers.
  • D. HRYourWay was ultimately not selected

正解:C


質問 # 36
In the Planet 49 case, what was the man judgement of the Coon of Justice of the European Union (CJEU) regarding the issue of cookies?

  • A. If the cookies do not track personal data, then pre-checked boxes are acceptable.
  • B. If a website's cookie notice makes clear the information gathered and the lifespan of the cookie, then pre-checked boxes are acceptable.
  • C. If a data subject continues to scroll through a website after reading a cookie banner, this activity constitutes valid consent for the tracking described in the cookie banner.
  • D. If the ePrivacy Directive requires consent for cookies, then the GDPR's consent requirements apply.

正解:D

解説:
According to the CJEU, the ePrivacy Directive does not define the concept of consent, but refers to the GDPR for its interpretation1. Therefore, the GDPR standard of consent applies to the use of cookies and similar technologies that require consent under the ePrivacy Directive. The GDPR defines consent as any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her2. The CJEU also clarified that the consent requirements apply regardless of whether the cookies constitute personal data or not, as the ePrivacy Directive covers any information stored or accessed on the user's device1. The other options are incorrect, as the CJEU ruled that pre-checked boxes, implicit consent by scrolling, and insufficient information on the cookies do not meet the GDPR standard of consent1. Reference:
Free CIPP/E Study Guide, page 14, section 2.3
GDPR, Article 4 (11)
ePrivacy Directive, Article 5 (3)
Planet49: CJEU Rules on Cookie Consent
CURIA - List of results


質問 # 37
Under which of the following conditions does the General Data Protection Regulation NOT apply to the processing of personal data?

  • A. When the personal data is processed only in non-electronic form
  • B. When the personal data is collected and then pseudonymised by the controller
  • C. When the personal data is processed by an individual only for their household activities
  • D. When the personal data is held by the controller but not processed for further purposes

正解:B

解説:
Explanation/Reference: https://gdpr-info.eu/art-6-gdpr/


質問 # 38
Which of the following elements does NOT need to be presented to a data subject in order to collect valid consent for the use of cookies?

  • A. Information on the purpose of the cookies.
  • B. A list of cookies that may be placed.
  • C. A "Cookies Settings" button.
  • D. A "Reject All" cookies button.

正解:C

解説:
According to the EDPB Guidelines 05/2020 on consent under Regulation 2016/6791, valid consent for the use of cookies must meet the following conditions:
* It must be freely given, which means that the data subject must have a genuine choice and the ability to refuse or withdraw consent without detriment.
* It must be specific, which means that the data subject must give consent for each distinct purpose of the processing and for each type of cookie.
* It must be informed, which means that the data subject must receive clear and comprehensive information about the identity of the controller, the purposes of the processing, the types of cookies used, the duration of the cookies, and the possibility of withdrawing consent.
* It must be unambiguous, which means that the data subject must express their consent by a clear affirmative action, such as clicking on an "I agree" button or selecting specific settings in a cookie banner.
* It must be granular, which means that the data subject must be able to consent to different types of cookies separately, such as essential, functional, performance, or marketing cookies.
Therefore, a "Cookies Settings" button is not a necessary element to collect valid consent for the use of cookies, as long as the data subject can exercise their choice and preference through other means, such as a cookie banner with different options. However, a "Cookies Settings" button may be a good practice to enhance transparency and user control, as it allows the data subject to access and modify their consent settings at any time.
On the other hand, a "Reject All" cookies button is a necessary element to collect valid consent for the use of cookies, as it ensures that the data subject can freely refuse consent without detriment. A list of cookies that may be placed and information on the purpose of the cookies are also necessary elements to collect valid consent for the use of cookies, as they ensure that the data subject is informed and can give specific consent for each type of cookie.


質問 # 39
Since blockchain transactions are classified as pseudonymous, are they considered to be within the material scope of the GDPR or outside of it?

  • A. Within the material scope of the GDPR but outside of the territorial scope, because blockchains are decentralized.
  • B. Outside the material scope of the GDPR, because transactions do not include personal data about data subjects m the European Union.
  • C. Outside the material scope of the GDPR, because transactions are for personal or household purposes
  • D. Within the material scope of the GDPR to the extent that transactions include data subjects in the European Union.

正解:D


質問 # 40
What was the aim of the European Data Protection Directive 95/46/EC?

  • A. To implement the OECD Guidelines on the Protection of Privacy and trans-border flows of Personal Data.
  • B. To further reconcile the protection of the fundamental rights of individuals with the free flow of data from one member state to another.
  • C. To harmonize the implementation of the European Convention of Human Rights across all member states.
  • D. To completely prevent the transfer of personal data out of the European Union.

正解:A


質問 # 41
In the Planet 49 case, what was the man judgement of the Coon of Justice of the European Union (CJEU) regarding the issue of cookies?

  • A. If the cookies do not track personal data, then pre-checked boxes are acceptable.
  • B. If a website's cookie notice makes clear the information gathered and the lifespan of the cookie, then pre-checked boxes are acceptable.
  • C. If a data subject continues to scroll through a website after reading a cookie banner, this activity constitutes valid consent for the tracking described in the cookie banner.
  • D. If the ePrivacy Directive requires consent for cookies, then the GDPR's consent requirements apply.

正解:D


質問 # 42
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick's instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients' data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft's engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies' websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem's as well as EcoMick's latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem's products, she has never shopped EcoMick, nor provided her personal data to that company.
Under the GDPR, Liem and EcoMick's contract with MarketIQ must include all of the following provisions EXCEPT?

  • A. Processing the personal data upon documented instructions regarding data transfers outside of the EEA.
  • B. Returning or deleting personal data after the end of the provision of the services.
  • C. Assistance to Liem and EcoMick in their compliance with data protection impact assessments.
  • D. Notification regarding third party requests for access to Liem and EcoMick's personal data.

正解:C


質問 # 43
If a company is planning to use closed-circuit television (CCTV) on its premises and is concerned with GDPR compliance, it should first do all of the following EXCEPT?

  • A. Ensure that safeguards are in place to prevent unauthorized access to the footage.
  • B. Notify the appropriate data protection authority.
  • C. Create an information retention policy for those who operate the system.
  • D. Perform a data protection impact assessment (DPIA).

正解:C


質問 # 44
......


この試験は、一般データ保護規則(GDPR)、データ保護指令、その他の関連する欧州の法律や規制など、さまざまなトピックをカバーしています。また、候補者のプライバシーフレームワーク、原則、ベストプラクティスに関する知識と理解も評価されます。この認定は、欧州のデータ保護法律や規制について包括的な理解を提供し、プロフェッショナルがプライバシーの実践に強固な基盤を築くのに役立ちます。

 

検証済み!合格できるCIPP-E試験一発合格保証付き:https://jp.fast2test.com/CIPP-E-premium-file.html

無料CIPP-Eサンプル問題と 100%カバー率でリアル試験問題:https://drive.google.com/open?id=1U3Obd5VUB4as2bDwh6SS-dNTRjkF8WWR


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어