2023年最新の本日更新された最新のCIPP-EのPDFにはCIPP-Eテスト限定無料! [Q128-Q149]

Share

2023年最新の本日更新された最新のCIPP-EのPDFにはCIPP-Eテスト限定無料!

完全版最新の問題集PDFで最新CIPP-E試験問題と解答


この試験は、一般データ保護規則(GDPR)、データ保護指令、その他の関連する欧州の法律や規制など、さまざまなトピックをカバーしています。また、候補者のプライバシーフレームワーク、原則、ベストプラクティスに関する知識と理解も評価されます。この認定は、欧州のデータ保護法律や規制について包括的な理解を提供し、プロフェッショナルがプライバシーの実践に強固な基盤を築くのに役立ちます。

 

質問 # 128
SCENARIO
Please use the following to answer the next question:
Jason, a long-time customer of ABC insurance, was involved in a minor car accident a few months ago.
Although no one was hurt, Jason has been plagued by texts and calls from a company called Erbium Insurance offering to help him recover compensation for personal injury. Jason has heard about insurance companies selling customers' data to third parties, and he's convinced that Erbium must have gotten his information from ABC.
Jason has also been receiving an increased amount of marketing information from ABC, trying to sell him their full range of their insurance policies.
Perturbed by this, Jason has started looking at price comparison sites on the Internet and has been shocked to find that other insurers offer much cheaper rates than ABC, even though he has been a loyal customer for many years. When his ABC policy comes up for renewal, he decides to switch to Xentron Insurance.
In order to activate his new insurance policy, Jason needs to supply Xentron with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask ABC to transfer his information directly to Xentron. He also takes this opportunity to ask ABC to stop using his personal data for marketing purposes.
ABC supplies Jason with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Jason it cannot transfer his data directly to Xentron at this is not technically feasible. ABC also explains that Jason's contract included a provision whereby Jason agreed that his data could be used for marketing purposes; according to ABC, it is too late for Jason to change his mind about this. It angers Jason when he recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Jason is still receiving unwanted calls from Erbium Insurance. He writes to Erbium to ask for the name of the organization that supplied his details to them. He warns Erbium that he plans to complain to the data protection authority because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.
Erbium's response letter confirms Jason's suspicions. Erbium is ABC's wholly owned subsidiary, and they received information about Jason's accident from ABC shortly after Jason submitted his accident claim. Erbium assures Jason that there has been no breach of the GDPR, as Jason's contract included a provision in which he agreed to share his information with ABC's affiliates for business purposes.
Jason is disgusted by the way in which he has been treated by ABC, and writes to them insisting that all his information be erased from their computer system.
After Jason has exercised his right to restrict the use of his data, under what conditions would Erbium have grounds for refusing to comply?

  • A. If Erbium also uses the data to conduct public health research.
  • B. If the data becomes necessary to defend Erbium's legal rights.
  • C. If Erbium is entitled to use of the data as an affiliate of ABC.
  • D. If the accuracy of the data is not an aspect that Jason is disputing.

正解:C


質問 # 129
A company is hesitating between Binding Corporate Rules and Standard Contractual Clauses as a global data transfer solution. Which of the following statements would help the company make an effective decision?

  • A. The company will need the prior authorization of all EU data protection authorities for concluding Standard Contractual Clauses.
  • B. The data exporter does not need to be located in the EU for the standard Contractual Clauses.
  • C. Binding Corporate Rules provide a global solution for all the entities of a company that are bound by the intra-group agreement.
  • D. Binding Corporate Rules are especially recommended for small and medium companies.

正解:C


質問 # 130
A German data subject was the victim of an embarrassing prank 20 years ago. A newspaper website published an article about the prank at the time, and the article is still available on the newspaper's website. Unfortunately, the prank is the top search result when a user searches on the victim's name. The data subject requests that SearchCo delist this result. SearchCo agrees, and instructs its technology team to avoid scanning or indexing the article. What else must SearchCo do?

  • A. Notify the newspaper that its article it is delisting the article.
  • B. Prevent the article from being listed in search results no matter what search terms are entered into the search engine.
  • C. Identify other controllers who are processing the same information and inform them of the delisting request.
  • D. Fully erase the URL to the content, as opposed to delist which is mainly based on data subject's name.

正解:A


質問 # 131
According to the European Data Protection Board, data subjects should be aware of any video surveillance in operation. How should a retail shop operator ensure that data subjects receive at information required for such a purpose under EU data protection law?

  • A. The shop operator should post a copy of the manual of the video surveillance system in the shop and on its social media channels.
  • B. The shop operator should instruct the data protection officer to hand out a comprehensive notice to data subjects every time they enter the shop.
  • C. The shop operator should provide full notice of the intended video surveillance outside the shop, for example with a sign or a stand-up display.
  • D. The shop operator should provide the most important information on a clearly readable warning sign to data subjects before they enter the monitored area, and additional mandatory details by other means.

正解:C


質問 # 132
Read the following steps:
* Discover which employees are accessing cloud services and from which devices and apps
* Lock down the data in those apps and devices
* Monitor and analyze the apps and devices for compliance
* Manage application life cycles
* Monitor data sharing
An organization should perform these steps to do which of the following?

  • A. Ensure cloud vendors are complying with internal data use policies.
  • B. Pursue a GDPR-compliant Privacy by Design process.
  • C. Maintain a secure Bring Your Own Device (BYOD) program.
  • D. Institute a GDPR-compliant employee monitoring process.

正解:C

解説:
Explanation/Reference: https://www.itproportal.com/features/heading-off-the-spectre-of-gdpr-compliance-with-secure-byod/


質問 # 133
Under the Data Protection Law Enforcement Directive of the EU, a government can carry out covert investigations involving personal data, as long it is set forth by law and constitutes a measure that is both necessary and what?

  • A. Prudent.
  • B. Important.
  • C. Proportionate.
  • D. DPA-approved.

正解:C


質問 # 134
Which of the following is NOT considered a fair processing practice in relation to the transparency principle?

  • A. Providing a "just-in-time" contextual pop-up privacy notice, in an online application from field.
  • B. Providing a QR code linking to more detailed privacy notice, in a CCTV sign.
  • C. Providing a multi-layered privacy notice, in a website environment.
  • D. Providing a hyperlink to the organization's home page, in a hard copy application form.

正解:C


質問 # 135
In 2016's Guidance, the United Kingdom's Information Commissioner's Office (ICO) reaffirmed the importance of using a "layered notice" to provide data subjects with what?

  • A. A privacy notice explaining the consequences for opting out of the use of cookies on a website.
  • B. An explanation of the security measures used when personal data is transferred to a third party.
  • C. A privacy notice containing brief information whilst offering access to further detail.
  • D. An efficient means of providing written consent in member states where they are required to do so.

正解:B


質問 # 136
As a result of the European Court of Justice's ruling in the case of Google v. Spain, search engines outside the EEA are also likely to be subject to the Regulation's right to be forgotten. This holds true if the activities of an EU subsidiary and its U.S. parent are what?

  • A. Inextricably linked in their businesses.
  • B. Bound by a standard contractual clause.
  • C. Consistent with Privacy Shield requirements
  • D. Supervised by the same Data Protection Officer.

正解:A


質問 # 137
SCENARIO
Please use the following to answer the next question:
ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.
Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain's locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.
Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.
What is the time period in which Mike should receive a response to his request?

  • A. Not more than two months after verifying Mike's identity.
  • B. Not more than one month of receipt of Mike's request.
  • C. Not more than thirty days after submission of Mike's request.
  • D. When all the information about Mike has been collected.

正解:B


質問 # 138
SCENARIO
Please use the following to answer the next question:
Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club's U.K. brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club.
After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVETFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVETFIT through alternate channels, he decides to take action against the company.
Javier contacts the U.K. Information Commissioner's Office ('ICO' - the U.K.'s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e. the supervisory authority of EVERFIT's main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR.
The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision.
Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.
Assuming that multiple EVETFIT branches across several EU countries are acting as separate data controllers, and that each of those branches were responsible for mishandling Javier's request, how may Javier proceed in order to seek compensation?

  • A. He will be able to sue any one of the relevant EVETFIT branches, as each one may be held liable for the entire damage.
  • B. He will have to sue the EVETFIT's head office in France, where EVETFIT has its main establishment.
  • C. He will have to sue each EVETFIT branch so that each branch provides proportionate compensation commensurate with its contribution to the damage or distress suffered by Javier.
  • D. He will be able to apply to the European Data Protection Board in order to determine which particular EVETFIT branch is liable for damages, based on the decision that was made by the board.

正解:B


質問 # 139
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
* Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
* Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
* Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees.
These records are available to former students after registering through Granchester's Alumni portal.
* Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
* Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level.
Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Anna will find that a risk analysis is NOT necessary in this situation as long as?

  • A. The data subjects are no longer current students of Frank's
  • B. The algorithms that Frank uses for the processing are technologically sound
  • C. The processing will not negatively affect the rights of the data subjects
  • D. The data subjects gave their unambiguous consent for the original processing

正解:D


質問 # 140
What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?

  • A. The controller will be liable to pay an administrative fine
  • B. The processor will be liable to pay compensation to affected data subjects
  • C. The processor will be considered to be a controller in respect of the processing concerned
  • D. The controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved

正解:B


質問 # 141
Which of the following would most likely NOT be covered by the definition of "personal data" under the GDPR?

  • A. The identification number of a German candidate for a professional examination in Germany
  • B. The U.S. social security number of an American citizen living in France
  • C. The payment card number of a Dutch citizen
  • D. The unlinked aggregated data used for statistical purposes by an Italian company

正解:D


質問 # 142
Under the GDPR, which essential pieces of information must be provided to data subjects before collecting their personal data?

  • A. The contact information of the controller and a description of the retention policy.
  • B. The name/s of relevant government agencies involved and the steps needed for revising the data.
  • C. The authority by which the controller is collecting the data and the third parties to whom the data will be sent.
  • D. The identity and contact details of the controller and the reasons the data is being collected.

正解:D

解説:
Reference https://gdpr-info.eu/art-13-gdpr/


質問 # 143
SCENARIO
Please use the following to answer the next question:
Ben is a member of the fitness club STAYFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Ben lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Ben was photographed while working out at a branch of STAYFIT in Frankfurt, Germany. At the time, Ben gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club's U.K. brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Ben no longer feels comfortable with his photograph being publicly associated with the fitness club.
After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Ben sends a letter to STAYFIT requesting that his image be removed from the website and all promotional materials. Months pass and Ben, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact STAYFIT through alternate channels, he decides to take action against the company.
Ben contacts the U.K. Information Commissioner's Office ('ICO' - the U.K.'s supervisory authority) to lodge a complaint about this matter.
Assuming that multiple STAYFIT branches across several EU countries are acting as separate data controllers, and that each of those branches were responsible for mishandling Ben's request, how may Ben proceed in order to seek compensation?

  • A. He will be able to sue any one of the relevant STAYFIT branches, as each one may be held liable for the entire damage.
  • B. He will have to sue the STAYFIT's head office in France, where STAYFIT has its main establishment.
  • C. He will be able to apply to the European Data Protection Board in order to determine which particular STAYFIT branch is liable for damages, based on the decision that was made by the board.
  • D. He will have to sue each STAYFIT branch so that each branch provides proportionate compensation commensurate with its contribution to the damage or distress suffered by Ben.

正解:B


質問 # 144
Which of the following is NOT considered a fair processing practice in relation to the transparency principle?

  • A. Providing a "just-in-time" contextual pop-up privacy notice, in an online application from field.
  • B. Providing a multi-layered privacy notice, in a website environment.
  • C. Providing a QR code linking to more detailed privacy notice, in a CCTV sign.
  • D. Providing a hyperlink to the organization's home page, in a hard copy application form.

正解:D


質問 # 145
How is the retention of communications traffic data for law enforcement purposes addressed by European data protection law?

  • A. The Data Retention Directive's annulment makes such data retention now permissible.
  • B. The ePrivacy Directive harmonizes EU member states' rules concerning such data retention.
  • C. The ePrivacy Directive allows individual EU member states to engage in such data retention.
  • D. The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal offences only.

正解:D


質問 # 146
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
What would be the MOST APPROPRIATE way for Building Block to handle the situation with the employee from Italy?

  • A. Since this was a serious infringement, but the employee was not appropriately informed about the consequences the new security measures, the company would be entitled to apply some disciplinary measures, but not dismissal.
  • B. Since the employee was not informed that the security measures would be used for other purposes such as monitoring, the company could face difficulties in applying any disciplinary measures to this employee.
  • C. Since the GDPR does not apply to this situation, the company would be entitled to apply any disciplinary measure authorized under Italian labor law.
  • D. Since the employee was the cause of a serious risk for the server performance and their data, the company would be entitled to apply disciplinary measures to this employee, including fair dismissal.

正解:A


質問 # 147
SCENARIO
Please use the following to answer the next question:
Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.
The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a Are the cybersecurity assessors required to sign a data processing agreement with the company in order to comply with the GDPR''

  • A. Yes. the assessors a-e considered to be joint data controllers and must sign a mutual data processing agreement.
  • B. No. the assessors do not quality as data processors as they do not copy the data to their facilities.
  • C. No, the assessors do not quality as data processors as they only have access to encrypted data.
  • D. Yes, the assessors are data processors and their processing of personal data must be governed by a separate contract or other legal act.

正解:D


質問 # 148
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent.
All of the company's IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers' philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend's daughter, Alice, who just graduated from law school in the U.S., to be the company's new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone's information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
The data transfer mechanism that Alice drafted violates the GDPR because the company did not first get approval from?

  • A. The European Data Protection Board.
  • B. The European Commission.
  • C. The Data Protection Authority.
  • D. The Court of Justice of the European Union.

正解:C


質問 # 149
......

無料CIPP-E試験問題CIPP-E実際の無料試験問題:https://jp.fast2test.com/CIPP-E-premium-file.html

無料CIPP-E試験を簡単に100%合格できる試験問題集:https://drive.google.com/open?id=1vvomHOCpuXbWkd2sYhhrnrW4kL4fSKFy


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어