
2025年最新のCIPP-E問題集レビュー専門クイズ学習材料
CIPP-Eテスト準備トレーニング練習試験問題 練習テスト
CIPP/E認定試験では、GDPRの法的枠組み、データコントローラーとプロセッサの役割と責任、データ保護インパクト評価、データ主体の権利、および国境を越えたデータ転送など、幅広いトピックをカバーしています。試験に合格した個人は、GDPRの理解と、その原則を実際の状況に適用する能力を示しています。この認定は、プライバシーの専門家の主要な資格として世界中で認識されており、さまざまな業界の雇用主に非常に求められています。
この試験は、GDPRとデータ保護原則に関する候補者の知識をテストするように設計された90の複数選択の質問で構成されています。この試験は開かれた本です。つまり、候補者はテスト中にメモや学習資料を参照できます。 CIPP/E試験の合格スコアは、500ポイントのうち300ポイントです。この試験は、英語、フランス語、ドイツ語、イタリア語、スペイン語、ポルトガル語、オランダ語など、複数の言語で利用できます。
質問 # 165
SCENARIO
Please use the following to answer the next question:
Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related (asks This was also specified in the privacy policy, which Jack signed upon conclusion of the training.
After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and hearth information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors. Jack was immediately dismissed Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents. In relation to the emails Jack listed six members of the management team whose inboxes the required access.
How should the company respond to Jack's request to be forgotten?
- A. The company should ensure that the information is stored outside of the European Union so that the right to be forgotten under the GDPR does not apply.
- B. The company should claim that the right to be forgotten is not applicable to them, as only a fraction of their global workforce resides in the European Union.
- C. The company should not erase the data at this time as it may be required to defend a legal claim of unfair dismissal.
- D. The company should erase all data relating to Jack without undue delay as the right to be forgotten is an absolute right.
正解:B
質問 # 166
When may browser settings be relied upon for the lawful application of cookies?
- A. When it is impossible to bypass the choices made by users in their browser settings.
- B. When users are provided with information about which cookies have been set.
- C. When a user rejects cookies that are strictly necessary.
- D. When users are aware of the ability to adjust their settings.
正解:A
解説:
According to the ICO guidance on the use of cookies and similar technologies1, browser settings and other control mechanisms can be relied upon for the lawful application of cookies only if they meet the following conditions:
They are designed to protect users' privacy and provide them with control over the use of cookies and similar technologies; They are prominent and easy to use, and do not require users to take unnecessary steps or provide unnecessary information; They are specific and granular enough to allow users to express their preferences for different types and purposes of cookies and similar technologies; They are sufficiently informed and clear about the cookies and similar technologies that will be set or accessed, and the purposes for which they will be used; They are regularly reviewed and updated to reflect any changes in the cookies and similar technologies that are used or the purposes for which they are used; They are not overridden or circumvented by other software or settings that may interfere with users' choices; They provide an effective means of withdrawing consent at any time.
Therefore, browser settings and other control mechanisms can be a valid way of obtaining consent for cookies and similar technologies, but only if they meet these high standards and ensure that users have a real and meaningful choice over the use of cookies and similar technologies on their devices. Reference: 1 How do we comply with the cookie rules? | ICO. Available at: 4 (Accessed: 11 December 2023).
質問 # 167
An organization receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal dat a. Under what condition can the organization charge the data subject a fee for processing the request?
- A. Only where the administrative costs of taking the action requested exceeds a certain threshold.
- B. Only to the extent this is allowed under the restrictions on data subjects' rights introduced under Art 23 of GDPR.
- C. Only if the organization can demonstrate that the request is clearly excessive or misguided.
- D. Only where the organization can show that it is reasonable to do so because more than one request was made.
正解:B
質問 # 168
Many businesses print their employees' photographs on building passes, so that employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GDPR. Why would such practice be permitted?
- A. Because photographs qualify as biometric data only when they undergo a "specific technical processing".
- B. Because employees are deemed to have given their explicit consent when they agree to be photographed by their employer.
- C. Because photographic ID is a physical security measure which is "necessary for reasons of substantial public interest".
- D. Because use of biometric data to confirm the unique identification of data subjects benefits from an exemption.
正解:A
解説:
According to Recital 51 of the GDPR, photographs are not automatically considered as biometric data, unless they are processed by a specific technical means that allows the unique identification or authentication of a natural person1. This means that printing employees' photographs on building passes does not necessarily involve biometric data, as long as the photographs are not used for facial recognition or other similar purposes. The other options are incorrect, as they do not reflect the definition of biometric data or the conditions for processing special categories of personal data under the GDPR2. Reference:
Recital 51 of the GDPR
ICO guidance on special category data
Reference https://ess.csa.canon.com/rs/206-CLL-191/images/IAPP-Top-10-Operational-Impacts-of- GDPR.pdf?TC=DM&CN=CSA_OMNIA_Partners&CS=CSA&CR=T1_Gov%20GenNonProfit (11)
質問 # 169
Under the GDPR, where personal data is not obtained directly from the data subject, a controller is exempt from directly providing information about processing to the data subject if?
- A. The data subject already has information regarding how his data will be used
- B. The processing of the data subject's data is protected by appropriate technical measures
- C. Third-party data would be disclosed by providing such information to the data subject
- D. The provision of such information to the data subject would be too problematic
正解:A
解説:
Explanation/Reference: https://dataprivacymanager.net/gdpr-exemptions-from-the-obligation-to-provide-information-to-the- individual-data-subject/
質問 # 170
A dynamic Internet Protocol (IP) address is considered persona! data when it is combined with what?
- A. Other data held by the controller
- B. Other data held by recipients of the data.
- C. Other data held by Internet Service Providers (ISPs).
- D. Other data held by the processor.
正解:A
解説:
A dynamic IP address is a unique numerical label for a device on the internet that changes every time the device connects to the internet. A dynamic IP address by itself is not personal data, as it does not directly identify the person who owns or uses the device. However, a dynamic IP address can become personal data when it is combined with other data held by the controller, such as the web pages accessed by the device, the time and duration of the visit, the location of the device, or the user's preferences and interests. In this case, the controller can use the additional data to identify the data subject, either directly or indirectly, by linking the dynamic IP address to a specific person or a profile. This was confirmed by the Court of Justice of the European Union (CJEU) in the case of Breyer v Bundesrepublik Deutschland, where the CJEU ruled that a dynamic IP address registered by a website provider constitutes personal data in relation to that provider, where the latter has the legal means to obtain the identity of the data subject from the internet service provider (ISP) that assigned the dynamic IP address. Therefore, option B is the correct answer. Reference: Directive 95/46/EC, Directive 2002/58/EC, Breyer v Bundesrepublik Deutschland, Case C-582/14, Dynamic IP Addresses can be Personal Data
質問 # 171
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
What would be the MOST APPROPRIATE way for Building Block to handle the situation with the employee from Italy?
- A. Since the employee was the cause of a serious risk for the server performance and their data, the company would be entitled to apply disciplinary measures to this employee, including fair dismissal.
- B. Since this was a serious infringement, but the employee was not appropriately informed about the consequences the new security measures, the company would be entitled to apply some disciplinary measures, but not dismissal.
- C. Since the employee was not informed that the security measures would be used for other purposes such as monitoring, the company could face difficulties in applying any disciplinary measures to this employee.
- D. Since the GDPR does not apply to this situation, the company would be entitled to apply any disciplinary measure authorized under Italian labor law.
正解:C
解説:
According to the GDPR, the processing of personal data obtained through monitoring software must be lawful, fair, and transparent. This means that the employer must inform the employees about the nature, extent, and reasons for monitoring, and the possible consequences of non-compliance with the company's policies. The employer must also have a legitimate interest or another lawful basis for processing the employees' data, and respect their rights and freedoms. The employer must also comply with the national laws and guidelines of each member state where it operates, which may impose additional conditions or limitations on employee monitoring. In this case, Building Block did not inform the employee from Italy that the security software would also monitor his computer activity and location, and did not specify the purpose and scope of such monitoring. Therefore, the employee could not reasonably expect that his personal data would be processed in this way, and could not exercise his rights under the GDPR, such as the right to access, rectify, or object to the processing. Moreover, the employer did not conduct a proper assessment of the necessity and proportionality of the monitoring, and did not consider less intrusive alternatives to achieve its security goals. Therefore, the employer could face legal challenges from the employee, the Italian supervisory authority, or the labor courts, if it decides to apply disciplinary measures based on the data obtained through the monitoring software. The employer could also face fines or sanctions for violating the GDPR and the Italian data protection law. Reference: GDPR requirements for employee monitoring: rules to follow, Can Your Organisation Monitor Employees' Personal Communications?, ICO publishes guidance to ensure lawful monitoring in the workplace, [Guidelines on processing personal data in the context of connected vehicles and mobility related applications]
質問 # 172
What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014?
- A. The requirements were financially burdensome to EU businesses.
- B. The requirements had limitations on how national authorities could use data.
- C. The requirements affected individuals without exception.
- D. The requirements specified that data must be held within the EU.
正解:C
解説:
The Data Retention Directive was a EU law that required providers of electronic communications services to retain certain data, such as traffic and location data, for a period of between six months and two years, for the purpose of preventing, investigating, detecting and prosecuting serious crime1. However, in 2014, the Court of Justice of the European Union declared the Directive invalid, because it violated the fundamental rights to respect for private life and to the protection of personal data, as enshrined in the Charter of Fundamental Rights of the EU2. The Court found that the Directive entailed a wide-ranging and particularly serious interference with those rights, without being limited to what is strictly necessary3. One of the reasons for this finding was that the Directive applied to all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception, thus affecting the entire population of the EU4. The Court also noted that the Directive did not provide sufficient safeguards to ensure effective protection of the data against the risk of abuse and unlawful access, and did not require the data to be retained within the EU5. Reference: 1 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC2 Charter of Fundamental Rights of the European Union3 Press release No 54/14 - Judgment in Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others4 Judgment of the Court (Grand Chamber) of 8 April 2014. Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Karntner Landesregierung and Others. Requests for a preliminary ruling from the High Court (Ireland) and the Verfassungsgerichtshof (Austria). Joined cases C-293/12 and C-594/125 Ibid.
Reference:
%20the%20Grand,proportionality%20in%20forging%20the%20Directive.
質問 # 173
The GDPR specifies fines that may be levied against data controllers for certain infringements. Which of the following infringements would be subject to the less severe administrative fine of up to 10 million euros (or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year)?
- A. Failure to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing.
- B. Failure to process personal information in a manner compatible with its original purpose.
- C. Failure to implement technical and organizational measures to ensure data protection is enshrined by design and default.
- D. Failure to provide the means for a data subject to rectify inaccuracies in personal data.
正解:D
質問 # 174
SCENARIO
Please use the following to answer the next question:
Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located m Malta |EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.
The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a What is potentially wrong with the backup system operated in the AWS cloud?
- A. AWS is a U S company, and no personal data of European residents may be transferred to it without explicit written consent from data subjects.
- B. The AWS servers are located in the EU but in a country different than the location of the corporate headquarters.
- C. It is unlawful to process any personal data in a cloud unless the cloud is certified as GOPR-compliant by a competent supervisory authority.
- D. The data storage period has to be revised, and a data processing agreement w*h AWS must be signed
正解:D
解説:
According to the GDPR, personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed1. Therefore, the data storage period of the backup system must be aligned with this principle and reviewed regularly. Moreover, the GDPR requires that when a controller (the company) uses a processor (AWS) to process personal data on its behalf, it must ensure that the processor provides sufficient guarantees to implement appropriate technical and organizational measures to meet the requirements of the GDPR and ensure the protection of the rights of the data subjects2. This is usually done by signing a data processing agreement that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller3. AWS offers a GDPR-compliant Data Processing Addendum (DPA) that is incorporated into the AWS Service Terms and applies automatically to all customers who require it to comply with the GDPR4. Reference:
Free CIPP/E Study Guide, page 24, section 4.2.1
Free CIPP/E Study Guide, page 25, section 4.3
GDPR, Article 28
GDPR - Amazon Web Services (AWS), section "GDPR resources"
質問 # 175
SCENARIO
Please use the following to answer the next question:
TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company's outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.'s foundering business.
During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed Questionaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories - age, income, ethnicity - that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the Questionaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website's traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website's effectiveness. Oliver enthusiastically engages Techiva for these services.
Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.'s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva's system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company's system of access control must be reconsidered.
With regard to TripBliss Inc.'s use of website cookies, which of the following statements is correct?
- A. Because Techiva will receive only aggregate statistics of data collected from the cookies, no additional consent is necessary.
- B. Because not all of the cookies are strictly necessary to enable the use of a service requested from TripBliss Inc., consent requirements apply to their use of cookies.
- C. Because the use of cookies involves the potential for location tracking, explicit consent must be obtained from customers.
- D. Because of the categories of data involved, explicit consent for the use of cookies must be obtained separately from customers.
正解:B
解説:
According to the ePrivacy Directive (2002/58/EC), the use of cookies or similar devices that store or access information on the user's device requires the user's consent, unless the cookie is strictly necessary to enable the use of a service requested by the user. For example, a cookie that remembers the items in a shopping cart does not require consent, but a cookie that tracks the user's browsing behavior for analytics or advertising purposes does. The consent must be freely given, specific, informed, and unambiguous, and can be obtained through appropriate settings of the browser or other application. The consent must also be separate from other consents, such as the consent to the processing of personal data. The categories of data involved or the recipients of the data do not affect the consent requirement for the use of cookies. The consent must also be obtained before the cookie is placed or accessed, unless the cookie is exempted. Therefore, option A is correct.
Option B is incorrect because explicit consent is not required for the use of cookies, unless the cookie also involves the processing of special categories of personal data under the GDPR. However, in this scenario, there is no indication that the cookies collect or process such data. Therefore, option B is incorrect.
Option C is incorrect because the consent requirement for the use of cookies does not depend on the recipients of the data or the level of aggregation of the data. The consent must be obtained from the user whose device is accessed or stored by the cookie, regardless of who receives the data or how it is processed. Therefore, option C is incorrect.
Option D is incorrect because the consent requirement for the use of cookies does not depend on the potential for location tracking. The consent must be obtained for any cookie that is not strictly necessary to enable the use of a service requested by the user, regardless of the type or purpose of the cookie. Therefore, option D is incorrect.
Reference:
ePrivacy Directive, Article 5(3)
GDPR, Article 4(11), Article 7, Article 9
CIPP/E Study Guide, Chapter 5, Section 5.2.2
質問 # 176
A worker in a European Union (EU) member state has ceased his employment with a company. What should the employer most likely do in regard to the worker's personal data?
- A. Store all of the data in case the departing worker makes a subject access request.
- B. Securely store the data that is required to be kept under local law.
- C. Destroy sensitive information and store the rest per applicable data protection rules.
- D. Provide the employee the reasons for retaining the data.
正解:B
質問 # 177
Which of the following would require designating a data protection officer?
- A. Processing is carried out for the purpose of providing for-profit goods or services to individuals in the EU.
- B. The core activities of the controller or processor consist of processing operations of financial information or information relating to children.
- C. The core activities of the controller or processor consist of processing operations that require systematic monitoring of data subjects on a large scale.
- D. Processing is carried out by an organization employing 250 persons or more.
正解:C
質問 # 178
A data controller appoints a data protection officer. Which of the following conditions would NOT result in an infringement of Articles 37 to 39 of the GDPR?
- A. If the data protection officer is provided by the data processor.
- B. If the data protection officer also manages the marketing budget.
- C. If the data protection officer lacks ISO 27001 auditor certification.
- D. If the data protection officer receives instructions from the data controller.
正解:C
解説:
Reference:
A data controller appointing a data protection officer who lacks ISO 27001 auditor certification would not result in an infringement of Articles 37 to 39 of the GDPR. According to Article 37 (5) of the GDPR, the data protection officer must be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39 1. However, the GDPR does not specify any formal qualifications or certifications that the data protection officer must have, and leaves it to the discretion of the controller or the processor to determine the level of expertise required, depending on the complexity and sensitivity of the data processing activities 2. Therefore, the lack of ISO 27001 auditor certification, which is a standard for information security management systems, does not necessarily mean that the data protection officer is not qualified or competent for the role.
The other options are incorrect because they would result in an infringement of Articles 37 to 39 of the GDPR. According to Article 37 (6) of the GDPR, the data protection officer may be a staff member of the controller or the processor, or fulfil the tasks on the basis of a service contract 1. However, the data protection officer must be independent and report directly to the highest management level of the controller or the processor 3. Therefore, if the data protection officer is provided by the data processor, there may be a conflict of interest or a lack of autonomy, which would violate Article 38 (3) and (6) of the GDPR 4.
According to Article 38 (6) of the GDPR, the data protection officer may fulfil other tasks and duties, provided that they do not result in a conflict of interests 4. However, managing the marketing budget would likely involve a conflict of interests, as the data protection officer would have to oversee and advise on the data processing activities related to marketing, which may not be compatible with his or her role as a data protection officer 5. Therefore, if the data protection officer also manages the marketing budget, this would infringe Article 38 (6) of the GDPR 4.
According to Article 38 (3) of the GDPR, the data protection officer must not receive any instructions regarding the exercise of his or her tasks 4. The data protection officer must act in an independent manner and perform the tasks assigned by the GDPR, such as informing and advising the controller or the processor and the employees, monitoring compliance, cooperating with the supervisory authority, and acting as the contact point for data subjects and the supervisory authority 6. Therefore, if the data protection officer receives instructions from the data controller, this would infringe Article 38 (3) of the GDPR 4. Reference: 1: Article 37 of the GDPR 2: Guidelines on Data Protection Officers ('DPOs') 3: Article 38 (2) of the GDPR 4: Article 38 of the GDPR 5: Data protection officer (DPO) | European Commission 6: Article 39 of the GDPR
質問 # 179
Which of the following would NOT be relevant when determining if a processing activity would be considered profiling?
- A. If the processing is to be performed by a third-party vendor
- B. If the processing is used to predict the behavior of data subjects
- C. If the processing involves data that is considered personal data
- D. If the processing of the data is done through automated means
正解:A
解説:
The GDPR defines profiling as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements12. Therefore, the relevant factors when determining if a processing activity would be considered profiling are:
whether the processing involves data that is considered personal data;
whether the processing of the data is done through automated means; and whether the processing is used to predict the behavior of data subjects.
The identity of the processor, whether it is the controller or a third-party vendor, is not relevant for the definition of profiling. However, it may have implications for the accountability and responsibility of the parties involved, as well as the data protection rights of the data subjects34. Reference: CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, GDPR - EUR-Lex, What is automated individual decision-making and profiling? | ICO, WP29 releases guidelines on profiling under the GDPR, UK: A Guide To GDPR Profiling And Automated Decision-Making - Mondaq
質問 # 180
According to the E-Commerce Directive 2000/31/EC, where is the place of "establishment" for a company providing services via an Internet website confirmed by the GDPR?
- A. Where the decisions about processing are made
- B. Where the website is accessed
- C. Where the technology supporting the website is located
- D. Where the customer's Internet service provider is located
正解:D
質問 # 181
Which of the following entities would most likely be exempt from complying with the GDPR?
- A. A company that stores all customer data in Australia and is headquartered in a European Union (EU) member state.
- B. A Chinese company that has opened a satellite office in a European Union (EU) member state to service European customers.
- C. A North American company servicing customers in South Africa that uses a cloud storage system made by a European company.
- D. A South American company that regularly collects European customers' personal data.
正解:C
質問 # 182
Under Article 30 of the GDPR, controllers are required to keep records of all of the following EXCEPT?
- A. Incidents of personal data breaches, whether disclosed or not.
- B. Retention periods for erasure and deletion of categories of personal data.
- C. Categories of recipients to whom the personal data have been disclosed.
- D. Data inventory or data mapping exercises that have been conducted.
正解:B
解説:
Section: (none)
Explanation
質問 # 183
SCENARIO
Please use the following to answer the next question:
Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club's U.K. brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club.
After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVETFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVETFIT through alternate channels, he decides to take action against the company.
Javier contacts the U.K. Information Commissioner's Office ('ICO' - the U.K.'s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e. the supervisory authority of EVERFIT's main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR.
The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision.
Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.
Under the cooperation mechanism, what should the lead authority (the CNIL) do after it has formed its view on the matter?
- A. Request that the other supervisory authorities provide the lead authority with a draft decision for its consideration.
- B. Request that members of the seconding supervisory authority and the host supervisory authority co-draft a decision.
- C. Submit a draft decision to other supervisory authorities for their opinion.
- D. Submit a draft decision directly to the Commission to ensure the effectiveness of the consistency mechanism.
正解:A
質問 # 184
What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) all had in common but largely failed to achieve in Europe?
- A. The restriction of cross-border data flow
- B. The creation of legally binding data protection principles
- C. The establishment of a list of legitimate data processing criteria
- D. The synchronization of approaches to data protection
正解:D
質問 # 185
When does the European Data Protection Board (EDPB) recommend reevaluating whether a transfer tool is effectively providing a level of personal data protection that is in compliance with the European Union (EU) level?
- A. On an ongoing basis.
- B. Every year.
- C. After a personal data breach.
- D. Every three (3) years.
正解:A
解説:
Reference https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf
質問 # 186
All of the following will be established by the second Network and Information Security Directive ("NIS2") EXCEPT?
- A. Baseline cybersecurity measures that each covered entity must address.
- B. A common controls framework that every organization must adopt.
- C. A new network for EU member states to cooperate on large-scale breaches.
- D. Powers to inspect, audit, or require information from covered organizations.
正解:B
解説:
The NIS2 Directive is the EU's legislation on cybersecurity that updates and replaces the previous NIS Directive. It aims to create a high common level of cybersecurity across the EU by setting up legal measures for the security of network and information systems used by essential and important entities in various sectors and by enhancing cooperation among the member states. The NIS2 Directive does not establish a common controls framework that every organization must adopt, but rather allows each member state to define the appropriate security measures and incident reporting requirements for the entities under its jurisdiction, taking into account the specificities of each sector and subsector. However, the NIS2 Directive does provide some general principles and objectives for the security measures, such as proportionality, risk-based approach, state of the art, and regular review and update. The NIS2 Directive also introduces minimum harmonised rules for the supervision and enforcement of the security measures and incident reporting obligations, including the possibility of imposing administrative fines.
Reference:
NIS2 Directive, Articles 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, and 14.
The NIS2 Directive: A high common level of cybersecurity in the EU, pages 1, 2, 3, 4, 5, 6, 7, and 8.
質問 # 187
The Planet 49 CJEU Judgement applies to?
- A. Cookies used only by third parties.
- B. Cookies where the data accessed is considered as personal data only.
- C. Cookies that are deemed technically necessary.
- D. Cookies regardless of whether the data accessed is personal or not.
正解:D
解説:
Reference:
The Planet 49 CJEU Judgement applies to cookies regardless of whether the data accessed is personal or not. The Court of Justice of the European Union (the 'CJEU') delivered this judgement on 1 October 2019, in response to a request for a preliminary ruling from the German Federal Court of Justice (the 'Bundesgerichtshof') . The case concerned the validity of consent for the use of cookies and similar technologies under the e-Privacy Directive and the GDPR.
The CJEU ruled that Article 5 (3) of the e-Privacy Directive, which requires consent for the storage of, or access to, information stored in the user's terminal equipment, applies to any information installed or accessed from an individual's device, regardless of whether it constitutes personal data or not. The Court reasoned that the aim of the provision is to protect the user from interference with his or her private sphere, which may occur irrespective of the nature of the information stored or accessed. Therefore, the consent requirement applies to all cookies and similar technologies, except for those that are strictly necessary for the provision of a service explicitly requested by the user.
The CJEU also clarified that the consent required for cookies under the e-Privacy Directive must comply with the standard of consent under the GDPR, which means that it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. The Court held that a pre-ticked checkbox does not constitute valid consent, as it does not imply active behaviour by the user. The Court also stated that the user must be provided with clear and comprehensive information about the cookies, including their duration and whether third parties will have access to them. Reference:
Planet 49 Judgment - takeaways for Cookie Monsters
The Planet 49 decision: Implications for organisations that use cookies CURIA - List of results
質問 # 188
To which of the following parties does the territorial scope of the GDPR NOT apply?
- A. All member countries party to the Treaty of Lisbon.
- B. All member countries of the European Economic Area.
- C. All member countries of the European Union.
- D. All member countries party to the Paris Agreement.
正解:B
質問 # 189
......
試験問題解答ブレーン問題集でCIPP-E試験問題集PDF問題:https://jp.fast2test.com/CIPP-E-premium-file.html
CIPP-E試験問題集、CIPP-E練習テスト問題:https://drive.google.com/open?id=1O1zRi1fggBTUPs8X9Nb_AQ-yk-gBS0qq