
2022年最新の有効なCIPP-Cテスト解答とIAPP試験PDF問題を試そう
無料IAPP CIPP-C試験問題と解答トレーニングを提供していますFast2test
IAPP CIPP-C 認定試験の出題範囲:
| トピック | 出題範囲 |
|---|---|
| トピック 1 |
|
| トピック 2 |
|
| トピック 3 |
|
| トピック 4 |
|
| トピック 5 |
|
質問 90
Even when dealing with an organization subject to the CCPA, California residents are NOT legally entitled to request that the organization do what?
- A. Delete their personal information.
- B. Refrain from selling their personal information to third parties.
- C. Disclose their personal information to them.
- D. Correct their personal information.
正解: D
質問 91
A company's employee wellness portal offers an app to track exercise activity via users' mobile devices. Which of the following design techniques would most effectively inform users of their data privacy rights and privileges when using the app?
- A. Offer information about data collection and uses at key data entry points.
- B. Publish a privacy policy written in clear, concise, and understandable language.
- C. Provide a link to the wellness program privacy policy at the bottom of each screen.
- D. Present a privacy policy to users during the wellness program registration process.
正解: D
質問 92
The GDPR specifies fines that may be levied against data controllers for certain infringements. Which of the following infringements would be subject to the less severe administrative fine of up to 10 million euros (or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year)?
- A. Failure to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing.
- B. Failure to process personal information in a manner compatible with its original purpose.
- C. Failure to implement technical and organizational measures to ensure data protection is enshrined by design and default.
- D. Failure to provide the means for a data subject to rectify inaccuracies in personal data.
正解: D
質問 93
What is the main reason some supporters of the European approach to privacy are skeptical about self-regulation of privacy practices?
- A. Industries may not be strict enough in the creation and enforcement of rules
- B. A new business owner may not understand the regulations
- C. Human rights maybe disregarded for the sake of privacy
- D. A large amount of money may have to be sent on improved technology and security
正解: A
質問 94
Under what circumstances might the "soft opt-in" rule apply in relation to direct marketing?
- A. When an individual has not consented to the marketing.
- B. Where an individual's details have been obtained from a bought-in marketing list.
- C. Where an individual is given the ability to unsubscribe from marketing emails sent to him.
- D. When an individual's details are obtained from their inquiries about buying a product.
正解: D
質問 95
What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?
- A. The controller will be liable to pay an administrative fine
- B. The processor will be liable to pay compensation to affected data subjects
- C. The processor will be considered to be a controller in respect of the processing concerned
- D. The controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved
正解: B
質問 96
Which of the following entities would most likely be exempt from complying with the GDPR?
- A. A Chinese company that has opened a satellite office in a European Union (EU) member state to service European customers.
- B. A South American company that regularly collects European customers' personal data.
- C. A company that stores all customer data in Australia and is headquartered in a European Union (EU) member state.
- D. A North American company servicing customers in South Africa that uses a cloud storage system made by a European company.
正解: A
質問 97
What privacy concept grants a consumer the right to view and correct errors on his or her credit report?
- A. Access.
- B. Action.
- C. Choice.
- D. Notice.
正解: D
質問 98
Which is the best way to view an organization's privacy framework?
- A. As a fixed structure that directs changes in the organization
- B. As a living structure that aligns to changes in the organization
- C. As an aspirational goal that improves the organization
- D. As an industry benchmark that can apply to many organizations
正解: A
質問 99
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computers activity and their location.
During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
What would be the MOST APPROPRIATE way for Building Block to handle the situation with the employee from Italy?
- A. Since this was a serious infringement, but the employee was not appropriately informed about the consequences the new security measures, the company would be entitled to apply some disciplinary measures, but not dismissal.
- B. Since the employee was the cause of a serious risk for the server performance and their data, the company would be entitled to apply disciplinary measures to this employee, including fair dismissal.
- C. Since the employee was not informed that the security measures would be used for other purposes such as monitoring, the company could face difficulties in applying any disciplinary measures to this employee.
- D. Since the GDPR does not apply to this situation, the company would be entitled to apply any disciplinary measure authorized under Italian labor law.
正解: A
質問 100
SCENARIO
Please use the following to answer the next question:
Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club's U.K.
brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club.
After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVETFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVETFIT through alternate channels, he decides to take action against the company.
Javier contacts the U.K. Information Commissioner's Office ('ICO' - the U.K.'s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e.
the supervisory authority of EVERFIT's main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR. The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision.
Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.
Under the cooperation mechanism, what should the lead authority (the CNIL) do after it has formed its view on the matter?
- A. Submit a draft decision to other supervisory authorities for their opinion.
- B. Submit a draft decision directly to the Commission to ensure the effectiveness of the consistency mechanism.
- C. Request that the other supervisory authorities provide the lead authority with a draft decision for its consideration.
- D. Request that members of the seconding supervisory authority and the host supervisory authority co-draft a decision.
正解: C
質問 101
Which federal law or regulation preempts state law?
- A. Electronic Communications Privacy Act of 1986
- B. Health Insurance Portability and Accountability Act
- C. Controlling the Assault of Non-Solicited Pornography and Marketing Act
- D. Telemarketing Sales Rule
正解: B
質問 102
Which of the following does Title VII of the Civil Rights Act prohibit an employer from asking a job applicant?
- A. Questions about a national origin
- B. Questions about a disability
- C. Questions about intended pregnancy
- D. Questions about age
正解: A
質問 103
The Video Privacy Protection Act of 1988 restricted which of the following?
- A. Who advertisements for videos and video games may target
- B. Which purchase records of audio visual materials may be disclosed
- C. When a user's viewing of online video content can be monitored
- D. When downloading of copyrighted audio visual materials is allowed
正解: B
質問 104
Which sentence best describes proper compliance for an international organization using Binding Corporate Rules (BCRs) as a controller or processor?
- A. Employees who control personal data must complete a rigorous certification procedure, as they are exempt from legal enforcement.
- B. Employees must sign an ad hoc contractual agreement each time personal data is exported.
- C. All employees are subject to the rules in their entirety, regardless of where the work is taking place.
- D. All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.
正解: D
質問 105
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Ontario University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
* Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
* Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
* Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees.
These records are available to former students after registering through Ontario's Alumni portal.
Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
* Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Before Anna determines whether Frank's performance database is permissible, what additional information does she need?
- A. More information about the extent of the information loss.
- B. More information about the algorithm Frank used to mask student numbers.
- C. More information about Frank's data protection training.
- D. More information about what students have been told and how the research will be used.
正解: D
質問 106
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick's instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients' data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft's engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies' websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem's as well as EcoMick's latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem's products, she has never shopped EcoMick, nor provided her personal data to that company.
Which of the following BEST describes the relationship between Liem, EcoMick and JaphSoft?
- A. Liem is a controller and EcoMick is a processor because Liem provides specific instructions regarding how the marketing campaigns should be rolled out.
- B. JaphSoft is the sole processor because it processes personal data on behalf of its clients.
- C. Liem and EcoMick are joint controllers because they carry out joint marketing activities.
- D. EcoMick and JaphSoft are is a controller and Liem is a processor because EcoMick is sharing its marketing data with Liem for contacts in Europe.
正解: D
質問 107
SCENARIO
Please use the following to answer the next question:
T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies.
T-Craze also opened various office locations throughout Europe to help expand its business. While Germany Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T- Craze, though with much less success.
The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from the Right Target on behalf of T-Craze.
What is the best option for the lead regulator when responding to the Spanish supervisory authority's notice that it plans to take action regarding Sofia's complaint?
- A. Accept, because it did not receive any complaints.
- B. Reject, because GDPR does not allow other supervisory authorities to take action if there is a lead authority.
- C. Accept, because GDPR permits non-lead authorities to take action for such complaints.
- D. Reject, because Right Target's processing was conducted throughout Europe.
正解: B
質問 108
Which venture would be subject to the requirements of Section 5 of the Federal Trade Commission Act?
- A. An online merchant's free shipping offer
- B. A local nonprofit charity's fundraiser
- C. A national bank's no-fee checking promotion
- D. A city bus system's frequent rider program
正解: A
質問 109
......
トップクラスIAPP CIPP-Cオンライン問題集:https://jp.fast2test.com/CIPP-C-premium-file.html