試験問題解答ブレーン問題集でCIPP-E試験問題集PDF問題 [Q116-Q134]

Share

試験問題解答ブレーン問題集でCIPP-E試験問題集PDF問題

無料ダウンロードIAPP CIPP-Eリアル試験問題

質問 # 116
A mobile device application that uses cookies will be subject to the consent requirement of which of the following?

  • A. The EU Cybersecurity Directive
  • B. The E-Commerce Directive
  • C. The ePrivacy Directive
  • D. The Data Retention Directive

正解:C

解説:
Reference https://www.iubenda.com/en/help/5525-cookies-gdpr-requirements


質問 # 117
Data retention in the EU was underpinned by a legal framework established by the Data Retention Directive (2006/24/EC). Why is the Directive no longer part of EU law?

  • A. The Directive was annulled by the Court of Justice of the European Union.
  • B. The Directive was annulled by the European Court of Human Rights.
  • C. The Directive was superseded by the EU Directive on Privacy and Electronic Communications.
  • D. The Directive was superseded by the General Data Protection Regulation.

正解:A


質問 # 118
Company X has entrusted the processing of their payroll data to Provider Y. Provider Y stores this encrypted data on its server. The IT department of Provider Y finds out that someone managed to hack into the system and take a copy of the data from its server. In this scenario, whom does Provider Y have the obligation to notify?

  • A. The supervisory authority
  • B. The public
  • C. Law enforcement
  • D. Company X

正解:D

解説:
According to Article 33 of the GDPR, in the case of a personal data breach, the processor (Provider Y) shall notify the controller (Company X) without undue delay after becoming aware of the breach. The processor does not have the obligation to notify the supervisory authority, the public, or law enforcement, unless otherwise required by law. The controller is responsible for notifying the supervisory authority and, where necessary, the data subjects, unless the breach is unlikely to result in a risk to their rights and freedoms. Reference:
Article 33 of the GDPR, which regulates the notification of a personal data breach to the supervisory authority.
[Article 34 of the GDPR], which regulates the communication of a personal data breach to the data subject.
ICO guidance, which explains the roles and responsibilities of controllers and processors in relation to data breach notification.


質問 # 119
Article 9 of the GDPR lists exceptions to the general prohibition against processing biometric dat a. Which of the following is NOT one of these exceptions?

  • A. The processing is necessary to protect the vital interests of the data subject when he or she is incapable of giving consent.
  • B. The processing is explicitly consented to by the data subject and he or she is allowed by Union or Member State law to lift the prohibition.
  • C. The processing is necessary for the establishment, exercise or defense of legal claims when courts are acting in a judicial capacity.
  • D. The processing is done by a non-profit organization and the results are disclosed outside the organization.

正解:D

解説:
Article 9 of the GDPR prohibits the processing of special category data, which includes biometric data for the purpose of uniquely identifying a natural person1. However, there are 10 exceptions to this general prohibition, usually referred to as 'conditions for processing special category data'2. These are:
(a) Explicit consent
(b) Employment, social security and social protection (if authorised by law)
Vital interests
(d) Not-for-profit bodies
(e) Made public by the data subject
(f) Legal claims and judicial acts
(g) Substantial public interest conditions
(h) Health or social care
(i) Public health
(j) Archiving, research and statistics
Option A is not one of these exceptions, and therefore it is not a valid reason to process biometric data under Article 9. Option B, C and D are all valid exceptions, as they correspond to conditions , (f) and (a) respectively. Therefore, the correct answer is A.
Reference:
4: Art. 9 GDPR Processing of special categories of personal data
6: What are the rules on special category data? | ICO


質問 # 120

  • A. Avoiding the use of another company's data to improve their own services.
  • B. Vetting companies' measures with the appropriate supervisory authority.
  • C. This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
    Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
    The GDPR requires sufficient guarantees of a company's ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?
  • D. Hiring companies whose measures are consistent with recommendations of accrediting bodies.
  • E. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
    Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
    Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company
  • F. Requesting advice and technical support from Company A's IT team.

正解:D、E

解説:
Explanation/Reference: https://www.knowyourcompliance.com/gdpr-technical-organisational-measures/


質問 # 121
The Planet 49 CJEU Judgement applies to?

  • A. Cookies where the data accessed is considered as personal data only.
  • B. Cookies regardless of whether the data accessed is personal or not.
  • C. Cookies used only by third parties.
  • D. Cookies that are deemed technically necessary.

正解:B

解説:
Reference https://www.twobirds.com/en/news/articles/2019/global/planet49-cjeu-rules-on-cookie-consent


質問 # 122
If a company is planning to use closed-circuit television (CCTV) on its premises and is concerned with GDPR compliance, it should first do all of the following EXCEPT?

  • A. Ensure that safeguards are in place to prevent unauthorized access to the footage.
  • B. Notify the appropriate data protection authority.
  • C. Create an information retention policy for those who operate the system.
  • D. Perform a data protection impact assessment (DPIA).

正解:B

解説:
Under the GDPR, using CCTV on business premises involves the processing of personal data, which requires compliance with the data protection principles and obligations. However, notifying the appropriate data protection authority (DPA) is not one of the steps that a company should take before using CCTV, unless the DPA has specifically requested it or the CCTV involves high-risk processing that requires prior consultation.
The other steps are necessary to ensure GDPR compliance, as explained below:
* Performing a data protection impact assessment (DPIA) is a mandatory requirement for any type of processing that is likely to result in a high risk to the rights and freedoms of individuals, such as large- scale or systematic monitoring of public areas. A DPIA is a process that helps identify and mitigate the potential privacy risks of using CCTV, and document the measures taken to address them. A DPIA should include a description of the processing, its purpose and necessity, its risks and benefits, the safeguards and security measures, and the consultation with stakeholders. A DPIA should be carried out before the CCTV system is installed or upgraded, and reviewed regularly or whenever there is a significant change in the processing.
* Creating an information retention policy for those who operate the system is a good practice to ensure that the personal data collected by CCTV is not kept longer than necessary for the purpose for which it was collected, and that it is securely deleted or anonymised when no longer needed. The retention period should be determined by the specific purpose and context of using CCTV, and take into account any legal or contractual obligations, as well as the expectations and rights of the data subjects. The retention policy should also specify who is responsible for managing and deleting the CCTV footage, and how the deletion process is verified and documented.
* Ensuring that safeguards are in place to prevent unauthorized access to the footage is an essential requirement to comply with the GDPR principle of integrity and confidentiality, which states that personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage. The safeguards may include technical and organisational measures, such as encryption, access control, logging, audit, training, policies and procedures, that aim to protect the CCTV footage from unauthorized or unlawful access, disclosure, alteration, or destruction, both during transmission and storage. References: GDPR Article 35, GDPR Article 36, GDPR Article 5, CCTV and video surveillance | ICO, 5 Step Guide to Check if Your CCTV is GDPR Compliant


質問 # 123
A Spanish electricity customer calls her local supplier with questions about the company's upcoming merger. Specifically, the customer wants to know the recipients to whom her personal data will be disclosed once the merger is final. According to Article 13 of the GDPR, what must the company do before providing the customer with the requested information?

  • A. Verify that the identity of the customer can be proven by other means.
  • B. Verify that the request is applicable to the data collected before the GDPR entered into force.
  • C. Verify that the personal data has not already been sent to the customer.
  • D. Verify that the purpose of the request from the customer is in line with the GDPR.

正解:B


質問 # 124
A private company has establishments in France, Poland, the United Kingdom, and most prominently, Germany, where its headquarters is established. The company offers its services worldwide. Most of the services are designed in Germany and supported in the other establishments. However, one of the services, a Software as a Service (SaaS) application, was defined and implemented by the Polish establishment. It is also supported by the other establishments.
What is the lead supervisory authority for the SaaS service?

  • A. The supervisory authority of the Republic of Poland.
  • B. The supervisory authority of Germany at the federal level.
  • C. The supervisory authority of the European Union.
  • D. The supervisory authority of Germany at the regional level.

正解:A

解説:
Under the GDPR, the lead supervisory authority is determined by where the main establishment related to the processing activity is located.
In this case, even though the company's headquarters is in Germany, the SaaS application was specifically defined and implemented by the Polish establishment. This indicates that the Polish establishment has the primary role in determining the purposes and means of processing personal data related to that SaaS service.
Therefore, the supervisory authority of Poland would be the lead supervisory authority for this specific processing activity.
References:
* GDPR Article 56 - Competence of the lead supervisory authority
* IAPP CIPP/E textbook, Chapter 3: EU General Data Protection Regulation (specifically, sections on One-Stop Shop mechanism and lead supervisory authority)


質問 # 125
Under Article 30 of the GDPR, controllers are required to keep records of all of the following EXCEPT?

  • A. Incidents of personal data breaches, whether disclosed or not.
  • B. Categories of recipients to whom the personal data have been disclosed.
  • C. Data inventory or data mapping exercises that have been conducted.
  • D. Retention periods for erasure and deletion of categories of personal data.

正解:D

解説:
Section: (none)
Explanation
Reference https://medium.com/golden-data/what-records-must-controllers-and-processors-keep-to-comply- with-eu-data-protection-law-3e8bac177695


質問 # 126
Based on GDPR Article 35, which of the following situations would trigger the need to complete a DPIA?

  • A. A company wants to use location data to track delivery trucks in order to make the routes more efficient.
  • B. A company wants to build a dating app that creates candidate profiles based on location data and data from third-party sources.
  • C. A company wants to use location data to infer information on a person's clothes purchasing habits.
  • D. A company wants to combine location data with other data in order to offer more personalized service for the customer.

正解:B


質問 # 127
Please use the following to answer the next question:
WonderkKids provides an online booking service for childcare. Wonderkids is based in France, but hosts its website through a company in Switzerland. As part of their service, WonderKids will pass all personal data provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person booking the childcare, address and contact details, as well as information about the children to be cared for including name, age, gender and health information. The privacy statement on Wonderkids' website states the following:
"WonderkKids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may also use your and your child's personal information for our own legitimate business purposes and we employ a third-party website hosting company located in Switzerland to store the dat a. Any data stored on equipment located in Switzerland meets the European Commission provisions for guaranteeing adequate safeguards for you and your child's personal information. We will only share you and your child's personal information with businesses that we see as adding real value to you. By providing us with any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers."
"We may retain you and your child's personal information for no more than 28 days, at which point the data will be depersonalized, unless your personal information is being used for a legitimate business purpose beyond 28 days where it may be retained for up to 2 years."
"We are processing you and your child's personal information with your consent. If you choose not to provide certain information to us, you may not be able to use our services. You have the right to: request access to you and your child's personal information; rectify or erase you or your child's personal information; the right to correction or erasure of you and/or your child's personal information; object to any processing of you and your child's personal information. You also have the right to complain to the supervisory authority about our data processing activities." What direct marketing information can WonderKids send by email without prior consent of the person booking the childcare?

  • A. Marketing information related to other business operations of WonderKids.
  • B. Marketing information for products or services similar to those purchased from WonderKids.
  • C. Any marketing information at all.
  • D. No marketing information at all.

正解:A


質問 # 128
Company X has entrusted the processing of their payroll data to Provider
Y. Provider Y stores this encrypted data on its server. The IT department of Provider Y finds out that someone managed to hack into the system and take a copy of the data from its server. In this scenario, whom does Provider Y have the obligation to notify?

  • A. Law enforcement
  • B. Company X
  • C. The supervisory authority
  • D. The public

正解:A


質問 # 129
The GDPR specifies fines that may be levied against data controllers for certain infringements. Which of the following infringements would be subject to the less severe administrative fine of up to 10 million euros (or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year)?

  • A. Failure to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing.
  • B. Failure to implement technical and organizational measures to ensure data protection is enshrined by design and default.
  • C. Failure to process personal information in a manner compatible with its original purpose.
  • D. Failure to provide the means for a data subject to rectify inaccuracies in personal data.

正解:B

解説:
According to Article 83 of the GDPR, the less severe administrative fines of up to 10 million euros or 2% of the annual worldwide turnover apply to infringements of the articles governing controllers and processors, certification bodies, and monitoring bodies. These include Articles 8, 11, 25-39, 42, and 43. Among the answer choices, only option B falls under this category, as Article 25 requires controllers to implement data protection by design and by default. Option A is related to Article 7, which governs the conditions for consent. Option C is related to Article 5, which sets out the principles for processing personal data. Option D is related to Article 16, which grants the right to rectification to data subjects. These articles are subject to the more severe administrative fines of up to 20 million euros or 4% of the annual worldwide turnover. Reference:
GDPR Article 83
GDPR Article 25
GDPR Article 7
GDPR Article 5
GDPR Article 16


質問 # 130
Which statement is correct when considering the right to privacy under Article 8 of the European Convention on Human Rights (ECHR)?

  • A. The right to privacy is an absolute right
  • B. The right to freedom of expression under Article 10 of the ECHR will always override the right to privacy
  • C. The right to privacy has to be balanced against other rights under the ECHR
  • D. The right to privacy protects the right to hold opinions and to receive and impart ideas without interference

正解:C


質問 # 131
What was the main failing of Convention 108 that led to the creation of the Data Protection Directive (Directive 95/46/EC)?

  • A. It was implemented in a fragmented manner by a small number of states.
  • B. It did not include protections for sensitive personal data
  • C. IT did not account for the rapid growth of the Internet
  • D. Its penalties for violations of data protection rights were widely viewed as r sufficient.

正解:A

解説:
Convention 108 was the first legally binding international instrument in the data protection field, adopted by the Council of Europe in 19811. However, it had some limitations that led to the creation of the Data Protection Directive (Directive 95/46/EC) by the European Union in 19952. One of the main failings of Convention 108 was that it was implemented in a fragmented manner by a small number of states, resulting in divergent and inconsistent national laws and practices3. The Data Protection Directive aimed to harmonize the data protection rules within the EU and to ensure a high level of protection for individuals' rights and freedoms2. Therefore, option C is the correct answer. Option A is incorrect because Convention 108 did account for the rapid growth of the Internet by allowing for amendments and protocols to adapt to technological developments1. Option B is incorrect because Convention 108 did include protections for sensitive personal data, such as those revealing racial origin, political opinions, religious beliefs, health, or sexual life1. Option D is incorrect because Convention 108 did not prescribe specific penalties for violations of data protection rights, but left it to the Parties to adopt appropriate sanctions and remedies1. References:
* Convention 108 and Protocols
* CIPP/E Certification
* Convention 108+ and the Data Protection Framework of the EU


質問 # 132
It a company receives an anonymous email demanding ransom for the stolen personal data of its clients, what must the company do next, per GDPR requirements'3

  • A. Send a notification to the competent supervisory authority describing the incident.
  • B. Notify the police and Tile a criminal complaint about the incident
  • C. Send an email about the incident to all clients and ask them to change their passwords
  • D. Start an investigation to understand the incident's possible scope, duration and nature

正解:A


質問 # 133
Article 9 of the GDPR lists exceptions to the general prohibition against processing biometric data. Which of the following is NOT one of these exceptions?

  • A. The processing is necessary to protect the vital interests of the data subject when he or she is incapable of giving consent.
  • B. The processing is explicitly consented to by the data subject and he or she is allowed by Union or Member State law to lift the prohibition.
  • C. The processing is necessary for the establishment, exercise or defense of legal claims when courts are acting in a judicial capacity.
  • D. The processing is done by a non-profit organization and the results are disclosed outside the organization.

正解:D

解説:
Article 9 of the GDPR prohibits the processing of special category data, which includes biometric data for the purpose of uniquely identifying a natural person1. However, there are 10 exceptions to this general prohibition, usually referred to as 'conditions for processing special category data'2. These are:
* (a) Explicit consent
* (b) Employment, social security and social protection (if authorised by law)
* Vital interests
* (d) Not-for-profit bodies
* (e) Made public by the data subject
* (f) Legal claims and judicial acts
* (g) Substantial public interest conditions
* (h) Health or social care
* (i) Public health
* (j) Archiving, research and statistics
Option A is not one of these exceptions, and therefore it is not a valid reason to process biometric data under Article 9. Option B, C and D are all valid exceptions, as they correspond to conditions , (f) and (a) respectively. Therefore, the correct answer is A.
References:
* 4: Art. 9 GDPR Processing of special categories of personal data
* 6: What are the rules on special category data? | ICO


質問 # 134
......


IAPP CIPP/E認定は、欧州で働くプライバシー専門家にとって必須の資格です。認定は、GDPRやePrivacy指令を含む欧州のデータ保護法に対する包括的な理解を提供します。認定試験は challenging であり、合格することはデータ保護に関する高度な専門知識と専門性を示すことになります。CIPP/E認定は、グローバルに認められ尊敬されており、プライバシーとデータ保護のキャリアを進めるための優れた投資です。

 

最新のIAPP CIPP-Eリアル試験問題集PDF:https://jp.fast2test.com/CIPP-E-premium-file.html

CIPP-E試験問題集、CIPP-E練習テスト問題:https://drive.google.com/open?id=1vvomHOCpuXbWkd2sYhhrnrW4kL4fSKFy


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어