2025年最新のCIPP-E問題集PDFでCIPP-Eリアル試験問題解答 [Q137-Q154]

Share

2025年最新のCIPP-E問題集PDFでCIPP-Eリアル試験問題解答

有効なCIPP-Eテスト解答とIAPP CIPP-E試験PDF問題を試そう

質問 # 137
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick's instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients' data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft's engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies' websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem's as well as EcoMick's latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem's products, she has never shopped EcoMick, nor provided her personal data to that company.
JaphSoft's use of pseudonymization is NOT in compliance with the CDPR because?

  • A. JaphSoft was in possession of information that could be used to identify data subjects.
  • B. JaphSoft failed to first anonymize the personal data.
  • C. JaphSoft pseudonymized all the data instead of deleting what it no longer needed.
  • D. JaphSoft failed to keep personally identifiable information in a separate database.

正解:C


質問 # 138
SCENARIO
Please use the following to answer the next question:
Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
Name
Address
Date of Birth
Payroll number
National Insurance number
Sick pay entitlement
Maternity/paternity pay entitlement
Holiday entitlement
Pension and benefits contributions
Trade union contributions
Jenny is the compliance officer at Company A.
She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
Under the GDPR, which of Company B's actions would NOT be likely to trigger a potential enforcement action?

  • A. Their engagement of Company C to improve their payroll service.
  • B. Their decision to operate without a data protection officer.
  • C. Their omission of data protection provisions in their contract with Company C.
  • D. Their failure to provide sufficient security safeguards to Company A's data.

正解:A


質問 # 139
According to the E-Commerce Directive 2000/31/EC, where is the place of "establishment" for a company providing services via an Internet website confirmed by the GDPR?

  • A. Where the customer's Internet service provider is located
  • B. Where the decisions about processing are made
  • C. Where the website is accessed
  • D. Where the technology supporting the website is located

正解:A


質問 # 140
Which marketing-related activity is least likely to be covered by the provisions of Privacy and Electronic Communications Regulations (Directive 2002/58/EC)?

  • A. A text message to individuals from a company offering concert tickets for sale.
  • B. An email from a retail outlet promoting a sale to one of their previous customer.
  • C. The use of cookies to collect data about an individual.
  • D. Advertisements passively displayed on a website.

正解:D

解説:
The Privacy and Electronic Communications Regulations (PECR) are derived from the e-privacy Directive 2002/58/EC, which aims to protect the privacy and confidentiality of users of electronic communications services. The PECR cover various aspects of electronic marketing, such as the use of cookies, unsolicited communications, and traffic and location data. According to the PECR, the following marketing-related activities require the consent of the user or subscriber, unless certain exemptions apply:
The use of cookies or similar technologies to store or access information on the user's device (Regulation 6).
The sending of electronic mail for direct marketing purposes to individual subscribers who have not given their prior consent (Regulation 22).
The making of unsolicited calls for direct marketing purposes to individual subscribers who have registered their number with the Telephone Preference Service or who have objected to such calls from a specific caller (Regulation 21).
The sending of unsolicited communications for direct marketing purposes by means of electronic mail, fax, or automated calling systems to corporate subscribers, unless they have indicated that they do not wish to receive such communications (Regulation 23).
Therefore, among the four options, the one that is least likely to be covered by the provisions of the PECR is the advertisements passively displayed on a website, as they do not involve the use of cookies, the sending of unsolicited communications, or the processing of traffic or location data. However, such advertisements may still be subject to other data protection laws, such as the GDPR, if they involve the processing of personal data of the users.
Reference:
PECR
e-privacy Directive
ICO guide to PECR


質問 # 141
WP29's "Guidelines on Personal data breach notification under Regulation 2016/679'' provides examples of ways to communicate data breaches transparently. Which of the following was listed as a method that would NOT be effective for communicating a breach to data subjects?

  • A. A postal notification
  • B. A notice on a corporate blog
  • C. A prominent advertisement in print media
  • D. A direct electronic message

正解:B

解説:
According to the WP29's "Guidelines on Personal data breach notification under Regulation 2016/679'', the communication of a personal data breach to the data subjects should be clear, concise, transparent, easily accessible and understandable, and use clear and plain language. The communication should also be made as soon as reasonably feasible and in close cooperation with the supervisory authority. The guidelines provide some examples of methods that may be effective for communicating a breach to data subjects, such as a direct electronic message (e.g. email, SMS, direct message), a postal notification, a prominent advertisement in print media, or a notice on the homepage of the affected website. However, the guidelines also state that a notice on a corporate blog or social media would not be an effective method of communication, as it would not reach all the affected data subjects and would not allow them to take immediate action to protect themselves. Therefore, the correct answer is C. A notice on a corporate blog. Reference:
WP29's "Guidelines on Personal data breach notification under Regulation 2016/679'', pages 20-211


質問 # 142
A U.S. company's website sells widgets. Which of the following factors would NOT in itself subject the company to the GDPR?

  • A. The widgets are offered in EU and priced in euro.
  • B. An affiliate office is located in France but the processing is in the U.S.
  • C. The website is in English and French, and is accessible in France.
  • D. The website places cookies to monitor the EU website user behavior.

正解:C


質問 # 143
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computers activity and their location.
During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization.
The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
What would be the MOST APPROPRIATE way for Building Block to handle the situation with the employee from Italy?

  • A. Since the employee was the cause of a serious risk for the server performance and their data, the company would be entitled to apply disciplinary measures to this employee, including fair dismissal.
  • B. Since the employee was not informed that the security measures would be used for other purposes such as monitoring, the company could face difficulties in applying any disciplinary measures to this employee.
  • C. Since the GDPR does not apply to this situation, the company would be entitled to apply any disciplinary measure authorized under Italian labor law.
  • D. Since this was a serious infringement, but the employee was not appropriately informed about the consequences the new security measures, the company would be entitled to apply some disciplinary measures, but not dismissal.

正解:D


質問 # 144
A private company has establishments in France, Poland, the United Kingdom and, most prominently, Germany, where its headquarters is established. The company offers its services worldwide. Most of the services are designed in Germany and supported in the other establishments. However, one of the services, a Software as a Service (SaaS) application, was defined and implemented by the Polish establishment. It is also supported by the other establishments.
What is the lead supervisory authority for the SaaS service?

  • A. The supervisory authority of the European Union.
  • B. The supervisory authority of Germany at federal level.
  • C. The supervisory authority of Germany at regional level.
  • D. The supervisory authority of the Republic of Poland.

正解:D

解説:
According to the GDPR, the lead supervisory authority (LSA) is the one located in the EU member state where the controller or processor has its main establishment or single establishment. The main establishment is the place where the decisions on the purposes and means of the processing of personal data are taken. In this case, the SaaS service was defined and implemented by the Polish establishment, so the decisions on the processing of personal data for this service are taken in Poland. Therefore, the LSA for the SaaS service is the supervisory authority of the Republic of Poland.
Reference:
GDPR Article 4(16): Definition of main establishment
GDPR Article 56: Competence of the lead supervisory authority
GDPR Recital 36: Determination of the main establishment
IAPP CIPP/E Study Guide, Chapter 5, Section 5.1: Lead Supervisory Authority


質問 # 145
Which of the following is an accurate statement regarding the "one-stop-shop" mechanism of the GDPR?

  • A. It gives competence to the lead supervisory authority to address privacy issues derived from processes carried out by public authorities established in different countries.
  • B. It applies only to direct enforcement of data protection supervisory authorities (e.g.. finding a breach), but not to initiating or engaging m court proceedings
  • C. It allows supervisory authorities concerned (other than the lead supervisory authority) to act against organizations m exceptional cases even if they do not have any type of establishment in the Member State of the respective authority.
  • D. It can result in several lead supervisory authorities in the EU assuming competence over the same data processing activities of an organization.

正解:C

解説:
The "one-stop-shop" mechanism of the GDPR is a system of co-operation and consistency procedures that aims to ensure that the data protection regulation is enforced uniformly across all member states and calls on the data protection authorities (DPAs) across member states to co-operate with each other and the Commission to ensure consistent application of the GDPR1. The "one-stop-shop" mechanism applies to organisations that conduct cross-border data processing, which means that they process personal data in the context of the activities of their establishments in more than one member state, or that they target or monitor data subjects in more than one member state1. Under the "one-stop-shop" mechanism, such organisations will have to deal primarily with the DPA of the member state where they have their main establishment or their single establishment in the EU, which will act as their lead supervisory authority for all matters related to their cross-border data processing1. The lead supervisory authority will co-ordinate with other concerned supervisory authorities, which are the DPAs of the member states where the data subjects are affected by the data processing1. The lead supervisory authority will have the competence to adopt binding decisions regarding measures to ensure compliance with the GDPR, such as imposing administrative fines or ordering the suspension of data flows1. However, the "one-stop-shop" mechanism does not prevent the concerned supervisory authorities from acting against organisations in exceptional cases, even if they do not have any type of establishment in the member state of the respective authority1. These exceptional cases include the following situations2:
When a complaint is lodged with a supervisory authority, the subject matter relates only to an establishment in its member state or substantially affects data subjects only in its member state; When a supervisory authority is addressing a possible infringement related to the offering of goods or services to data subjects in its member state or to the monitoring of their behaviour in its member state; When a supervisory authority adopts provisional measures intended to produce legal effects in its own member state; When an urgent need to act arises in order to protect the rights and freedoms of data subjects. In these cases, the concerned supervisory authority will inform the lead supervisory authority and the other concerned supervisory authorities, and will try to reach a consensus on the action to be taken2. If no consensus is reached, the consistency mechanism will apply, which involves the intervention of the European Data Protection Board (EDPB) to issue a binding decision on the matter2. Therefore, option D is the correct answer. Reference: Art. 60 GDPR - Cooperation between the lead supervisory authority and the other supervisory authorities concerned, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)


質問 # 146
The origin of privacy as a fundamental human right can be found in which document?

  • A. European Convention of Human Rights 1953.
  • B. Universal Declaration of Human Rights 1948.
  • C. OECD Guidelines on the Protection of Privacy 1980.
  • D. Charier of Fundamental Rights of the European Union 2000.

正解:B


質問 # 147
Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?

  • A. To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation.
  • B. The European Commission can adopt an adequacy decision for individual companies.
  • C. EU member states are vested with the power to accept or reject a European Commission adequacy decision.
  • D. The European Commission can adopt, repeal or amend an existing adequacy decision.

正解:B


質問 # 148
Under the GDPR, where personal data is not obtained directly from the data subject, a controller is exempt from directly providing information about processing to the data subject if?

  • A. Third-party data would be disclosed by providing such information to the data subject
  • B. The data subject already has information regarding how his data will be used
  • C. The processing of the data subject's data is protected by appropriate technical measures
  • D. The provision of such information to the data subject would be too problematic

正解:B

解説:
Explanation/Reference: https://dataprivacymanager.net/gdpr-exemptions-from-the-obligation-to-provide-information-to-the- individual-data-subject/


質問 # 149
SCENARIO
Please use the following to answer the next question:
Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in Greece (5), Italy (15) and Spain (1), have registered their most profitable results ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based in ARRA's main Italian establishment, has organized a team event for its 420 employees and their families at its hotel in Spain.
Upon arrival at the hotel, each employee and family member is given an electronic wristband at the reception desk. The wristband serves a number of functions:
. Allows access to the "party zone" of the hotel, and emits a buzz if the user approaches any unauthorized areas
. Allows up to three free drinks for each person of legal age, and emits a buzz once this limit has been reached
. Grants a unique ID number for participating in the games and contests that have been planned.
Along with the wristband, each guest receives a QR code that leads to the online privacy notice describing the use of the wristband. The page also contains an unchecked consent checkbox. In the case of employee family members under the age of 16, consent must be given by a parent.
Among the various activities planned for the event, ARRA Hotels' HR office has autonomously set up a photocall area, separate from the main event venue, where employees can come and have their pictures taken in traditional carnival costume.
The photos will be posted on ARRA Hotels' main website for general marketing purposes.
On the night of the event, an employee from one of ARRA's Greek hotels is displeased with the results of the photos in which he appears. He intends to file a complaint with the relevant supervisory authority in regard to the following:
. The lack of any privacy notice in the separate photocall area
The unlawful cross-border processing of his personal data
. The unacceptable aesthetic outcome of his photos
Which of the following principles has likely been violated in the processing of the photocall photos containing personal data?

  • A. Transparency.
  • B. Data minimization.
  • C. Lawfulness.
  • D. Adequacy.

正解:A


質問 # 150
What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) all had in common but largely failed to achieve in Europe?

  • A. The creation of legally binding data protection principles
  • B. The synchronization of approaches to data protection
  • C. The restriction of cross-border data flow
  • D. The establishment of a list of legitimate data processing criteria

正解:B


質問 # 151
SCENARIO
Please use the following to answer the next Question: 01
Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers' data to third parties, and he's convinced that Accidentable must have gotten his information from Bedrock Insurance.
Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.
Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.
In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.
Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis's contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.
Accidentable's response letter confirms Louis's suspicions. Accidentable is Bedrock Insurance's wholly owned subsidiary, and they received information about Louis's accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis's contract included, a provision in which he agreed to share his information with Bedrock's affiliates for business purposes.
Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.
Based on the GDPR's position on the use of personal data for direct marketing purposes, which of the following is true about Louis's rights as a data subject?

  • A. Louis does not have the right to object to the use of his data if Bedrock can demonstrate compelling legitimate grounds for the processing.
  • B. Louis has the right to object at any time to the use of his data and Bedrock must honor his request to cease use.
  • C. Louis does not have the right to object to the use of his data because he previously consented to it.
  • D. Louis has the right to object to the use of his data, unless his data is required by Bedrock for the purpose of exercising a legal claim.

正解:B


質問 # 152
Which of the following is NOT recognized as being a common characteristic of cloud-computing services?

  • A. The supplier allows customer data to be transferred around the infrastructure according to capacity.
  • B. The service's infrastructure is shared among the supplier's customers and can be located in a number of countries.
  • C. The supplier assumes the vendor's business risk associated with data processed by the supplier.
  • D. The supplier determines the location, security measures, and service standards applicable to the processing.

正解:C

解説:
Reference https://www.softwaremajor.com/news-articles/64-gdpr-how-does-it-apply-to-the-cloud


質問 # 153
Please use the following to answer the next question:
Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located m Malta |EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.
The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a What is potentially wrong with the backup system operated in the AWS cloud?

  • A. AWS is a U S company, and no personal data of European residents may be transferred to it without explicit written consent from data subjects.
  • B. It is unlawful to process any personal data in a cloud unless the cloud is certified as GOPR-compliant by a competent supervisory authority.
  • C. The data storage period has to be revised, and a data processing agreement w*h AWS must be signed
  • D. The AWS servers are located in the EU but in a country different than the location of the corporate headquarters.

正解:C


質問 # 154
......


CIPP/E認定は、プライバシー業界で高く評価されており、世界中の多くの組織によって認められています。個人は、ヨーロッパのプライバシーリスクとコンプライアンス要件を効果的に管理するための知識とスキルを持っていることを示しています。この認定は、プライバシー分野でのキャリアを促進しようとしている専門家にとっても貴重な資産です。プライバシーの専門家に対する需要の高まりに伴い、CIPP/E認定を取得することで、キャリアの成長と進歩のための新しい機会を開くことができます。

 

CIPP-E試験問題集でPDF問題とテストエンジン:https://jp.fast2test.com/CIPP-E-premium-file.html

実際に出るCIPP-E試験問題集には正確で更新された問題:https://drive.google.com/open?id=1U3Obd5VUB4as2bDwh6SS-dNTRjkF8WWR


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어