2025年03月 IAPP CIPP-E実際にある問題と100%カバー率リアル試験問題 [Q134-Q159]

Share

2025年03月 IAPP CIPP-E実際にある問題と100%カバー率リアル試験問題

CIPP-E無料試験問題と解答PDF最新問題2025年03月


CIPP-E試験に備えるために、候補者はIAPPが提供するさまざまな研究資料とリソースを利用できます。これらには、学習ガイド、練習試験、およびオンライントレーニングコースが含まれます。さらに、IAPPは、候補者がGDPRの理解とビジネスや組織に対する実際的な意味を深めるのに役立つように設計されたさまざまな対面トレーニングプログラムとワークショップを提供しています。


IAPP CIPP-E認定試験は、情報プライバシーの分野における専門家の知識と専門知識を検証する業界に認識された認定です。この試験は、欧州連合(EU)のデータ保護に関連する法律および規制に関する候補者の理解を評価し、これらの法律を実際のシナリオに適用できるようにするように設計されています。

 

質問 # 134
SCENARIO
Please use the following to answer the next question:
Gentle Hedgehog Inc. is a privately owned website design agency incorporated in Italy. The company has numerous remote workers in different EU countries. Recently, the management of Gentle Hedgehog noticed a decrease in productivity of their sales team, especially among remote workers. As a result, the company plans to implement a robust but privacy-friendly remote surveillance system to prevent absenteeism, reward top performers, and ensure the best quality of customer service when sales people are interacting with customers.
Gentle Hedgehog eventually hires Sauron Eye Inc., a Chinese vendor of employee surveillance software whose European headquarters is in Germany. Sauron Eye's software provides powerful remote-monitoring capabilities, including 24/7 access to computer cameras and microphones, screen captures, emails, website history, and keystrokes. Any device can be remotely monitored from a central server that is securely installed at Gentle Hedgehog headquarters. The monitoring is invisible by default; however, a so-called Transparent Mode, which regularly and conspicuously notifies all users about the monitoring and its precise scope, also exists. Additionally, the monitored employees are required to use a built-in verification technology involving facial recognition each time they log in.
After fixing the privacy problems, how long may Gentle Hedgehog store the monitoring data, assuming that no valid data erasure request is received?
.

  • A. As long as provided by the EDPB guidelines for remote employee monitoring.
  • B. As long as a concerned employee does not request erasure of the data.
  • C. As long as required by the company's legitimate interests.
  • D. As long as stated in the privacy policy that all employees must follow when processing personal data.

正解:D

解説:
The General Data Protection Regulation (GDPR) does not prohibit surveillance of employees in the workplace. Still, it requires employers to follow special rules to ensure that the rights and freedoms of employees are protected when processing their personal data. The GDPR applies to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU.
The GDPR requires that any processing of personal data must be lawful, fair and transparent, and based on one of the six legal grounds specified in the regulation. The most relevant legal grounds for employee surveillance are the legitimate interests of the employer, the performance of a contract with the employee, or the compliance with a legal obligation. The GDPR also requires that any processing of personal data must be limited to what is necessary for the purposes for which they are processed, and that the data subjects must be informed of the purposes and the legal basis of the processing, as well as their rights and the safeguards in place to protect their data.
The GDPR also imposes specific obligations and restrictions on the processing of special categories of personal data, such as biometric data, which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or which are processed for the purpose of uniquely identifying a natural person. The processing of such data is prohibited, unless one of the ten exceptions listed in the regulation applies. The most relevant exceptions for employee surveillance are the explicit consent of the data subject, the necessity for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, or the necessity for reasons of substantial public interest.
The GDPR also sets out the rules and requirements for the transfer of personal data to third countries or international organisations, which do not ensure an adequate level of data protection. The transfer of such data is only allowed if the controller or processor has provided appropriate safeguards, such as binding corporate rules, standard contractual clauses, codes of conduct or certification mechanisms, and if the data subjects have enforceable rights and effective legal remedies.
The GDPR also establishes the principle of storage limitation, which requires that personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. The GDPR does not specify a precise time limit for the storage of personal data, but leaves it to the controller to determine the appropriate retention period, taking into account the nature, scope, context and purposes of the processing, as well as the risks for the rights and freedoms of data subjects. The GDPR also allows for the further storage of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to appropriate safeguards.
Based on the scenario, after fixing the privacy problems, Gentle Hedgehog may store the monitoring data as long as stated in the privacy policy that all employees must follow when processing personal data. This option is the most consistent with the GDPR's principles and requirements, as it:
Is based on a valid legal ground for the processing of personal data, namely the legitimate interests of the employer to ensure the productivity, quality and security of the work performed by the employees, as well as the performance of a contract with the employees and the compliance with a legal obligation to prevent fraud and protect confidential information.
Is limited to what is necessary for the purposes of the monitoring, as it only covers the work-related activities and communications of the employees, and excludes the private or personal ones.
Is transparent to the employees, as it informs them of the monitoring and its precise scope, and gives them the opportunity to object or opt out of the monitoring.
Does not involve the processing of special categories of personal data, such as biometric data or data revealing political opinions or trade union membership, which are not necessary or proportionate for the purposes of the monitoring, and which do not fall under any of the exceptions listed in the regulation.
Does not involve the transfer of personal data to a third country, such as China, which does not provide an adequate level of data protection, and which may pose additional risks for the rights and freedoms of the employees.
Respects the principle of storage limitation, as it specifies the retention period of the personal data, and deletes or anonymises the data when they are no longer needed for the purposes of the monitoring.
The other options listed in the question are not valid conditions for storing the monitoring data, as they:
Are not based on a valid legal ground for the processing of personal data, as they either rely on the consent of the employees, which is not freely given, informed and specific, or on the compliance with a legal obligation, which does not apply to the storage of personal data.
Are not limited to what is necessary for the purposes of the monitoring, as they involve the storage of personal data for longer than required by the legitimate interests of the employer, the performance of a contract with the employees, or the legal obligation to prevent fraud and protect confidential information.
Are not transparent to the employees, as they do not inform them of the retention period of the personal data, and do not give them the opportunity to request the erasure of the data.
Do not respect the principle of storage limitation, as they do not specify the retention period of the personal data, and do not delete or anonymise the data when they are no longer needed for the purposes of the monitoring.
Reference:
GDPR, Articles 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 44, 45, 46, 47, 48, and 49.
EDPB Guidelines 3/2019 on processing of personal data through video devices, pages 5, 6, 7, 8, 9, 10, 11, 12, 13, and 14.
EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, pages 19, 20, 21, 22, 23, 24, 25, 26, 27, and 28.
EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, pages 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, and 28.
EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, pages 4, 5, 6, 7, 8, 9, 10, 11, and 12.
Data protection: GDPR and employee surveilance | Feature | Law Gazette, paragraphs 1, 2, 3, 4, 5, 6, 7, and 8.


質問 # 135
According to the European Data Protection Board, controllers responding to a data subject access request can refuse to provide a copy of personal data under certain conditions. Which of the following is NOT one of these conditions?

  • A. If the controller is unable to use end-to-end encrypted emails for responding to such requests.
  • B. If the data subject access request was sent to an employee that is not involved in the processing of such requests.
  • C. If the personal data was processed in the past but is no longer at the controller's disposal at the time of the request.
  • D. If there is such a large amount of data that the controller cannot identify the data subject of the request.

正解:A

解説:
The right of access is one of the fundamental rights of data subjects under the GDPR. It allows data subjects to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and certain information about the processing. The controller must provide a copy of the personal data undergoing processing to the data subject, unless the data subject requests otherwise. The right of access is not absolute and may be subject to limitations, restrictions or exceptions, in accordance with the GDPR and the national laws of the member states.
The EDPB has issued draft guidelines on the right of access, which provide more detailed guidance on how to handle data subject access requests and what are the possible grounds for refusing to provide a copy of the personal data. According to the draft guidelines, the controller can refuse to provide a copy of the personal data in the following situations:
If the data subject access request was sent to an employee that is not involved in the processing of such requests. In this case, the controller must inform the data subject of the appropriate contact point for submitting the request and must not consider the request as received until it reaches the designated person or unit. This does not mean that the controller can ignore or delay the request, but rather that the controller must ensure that the request is forwarded to the responsible person or unit as soon as possible.
If there is such a large amount of data that the controller cannot identify the data subject of the request. In this case, the controller can ask the data subject to provide additional information to enable the identification of the data subject, such as a unique identifier, a reference number, a specific time period, a location or a context of the processing. The controller must not ask for more information than is necessary and must not use the information for any other purpose than verifying the identity of the data subject.
If the personal data was processed in the past but is no longer at the controller's disposal at the time of the request. In this case, the controller must inform the data subject that the personal data are no longer available and explain the reasons why the personal data have been erased, anonymised, archived or otherwise disposed of. The controller must also provide the data subject with any relevant information about the retention period, the archiving policy, the anonymisation process or the disposal method of the personal data.
The controller cannot refuse to provide a copy of the personal data in the following situation:
If the controller is unable to use end-to-end encrypted emails for responding to such requests. In this case, the controller must still provide a copy of the personal data to the data subject, but must ensure that the communication is secure and that the personal data are protected from unauthorised or unlawful access, disclosure, alteration or destruction. The controller can use alternative means of communication, such as secure online platforms, password-protected files, encrypted devices or postal mail, depending on the preferences and circumstances of the data subject. The controller must also inform the data subject of the risks involved in the chosen communication method and obtain the data subject's consent before sending the personal data.
Reference:
GDPR, Articles 12, 13, 14, 15, 23 and 34.
EDPB Guidelines 01/2022 on data subject rights - Right of access Version 2, pages 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 and 16.


質問 # 136
A company in France suffers a robbery over the weekend owing to a faulty alarm system. When it is determined that the break-in involves the loss of a substantial amount of data, the company decides on a CCTV system to monitor for future incidents. Company technicians install cameras in the entrance of the building, hallways and offices. Footage is recorded continuously, and is monitored by the home office in the United States. What is the most realistic step the company could take to address their security concerns and comply with the personal data processing principles set out in Article 5 of the GDPR?

  • A. Retain captured footage for no more than 30 days.
  • B. Seek informed consent from company employees.
  • C. Restrict camera placement to building entrances only.
  • D. Have cameras recording during work hours only.

正解:C

解説:
According to Article 5 of the GDPR, personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')1. The company's decision to install cameras in the entrance of the building, hallways and offices may violate this principle, as it may expose the personal data of the employees and visitors to unnecessary risks, such as hacking, misuse or disclosure. Moreover, the company must also comply with the other principles of data processing, such as lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy and storage limitation1. The company must have a legitimate and specific purpose for installing the cameras, and must inform the data subjects about the processing of their personal data. The company must also ensure that the cameras collect only the minimum amount of data necessary for the purpose, and that the data are accurate and kept for no longer than necessary. The company must also respect the rights and freedoms of the data subjects, and provide them with the means to exercise their rights, such as the right to access, rectify, erase, restrict, object or port2.
The most realistic step the company could take to address their security concerns and comply with the personal data processing principles set out in Article 5 of the GDPR is to restrict the camera placement to building entrances only. This would limit the scope and impact of the data processing, and reduce the risks to the personal data of the employees and visitors. The company would still need to inform the data subjects about the processing, and ensure that the footage is securely stored and transferred, especially if it is monitored by the home office in the United States, which is a third country that may not offer adequate protection for personal data3. The company would also need to consider the possibility of obtaining the consent of the data subjects, or relying on another legal basis for the processing, such as the legitimate interests of the company or the performance of a contract4. Reference:
Article 5 of the GDPR
[Article 12-23 of the GDPR]
[Article 44-50 of the GDPR]
[Article 6 of the GDPR]


質問 # 137
In which of the following cases would an organization MOST LIKELY be required to follow both ePrivacy and data protection rules?

  • A. When paying a search engine company to give prominence to certain products and services within specific search results.
  • B. When emailing a customer to announce that his recent order should arrive earlier than expected.
  • C. When creating an untargeted pop-up ad on a website.
  • D. When calling a potential customer to notify her of an upcoming product sale.

正解:B

解説:
Reference https://www.privacytrust.com/guidance/gdpr-vs-eprivacy-regulation.html


質問 # 138
Which of the following was the first to implement national law for data protection in 1973?

  • A. France
  • B. Sweden
  • C. Germany
  • D. United Kingdom

正解:B


質問 # 139
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA.
Today, it is a multi-billion-dollar candy company operating in every continent. All of the company's IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers' philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend's daughter, Alice, who just graduated from law school in the U.S., to be the company's new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone's information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
As a result of Sam's actions, the Gummy Bear Company potentially violated Articles 33 and 34 of the GDPR and will be required to do what?

  • A. Analyze and evaluate all of its breach notification obligations.
  • B. Notify its Data Protection Authority about the data breach.
  • C. Notify all of its customers that reside in the European Union.
  • D. Analyze and evaluate the liability for customers in Ireland.

正解:B


質問 # 140
Assuming that the "without undue delay" provision is followed, what is the time limit for complying with a data access request?

  • A. Within one month of receipt, which may be extended by an additional two months
  • B. Within one month of receipt, which may be extended by up to an additional month
  • C. Within 40 days of receipt, which may be extended by up to 40 additional days
  • D. Within 40 days of receipt

正解:B


質問 # 141
SCENARIO
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn't prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.
The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre- registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company's app, like storage and sharing of DNA information with other applications and medical providers. The company's contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers' attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn't include any technology or infrastructure; rather, it's simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob's laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canad a. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.
The Customer for Life plan may conflict with which GDPR provision?

  • A. Article 16, which provides data subjects with a rights to rectification.
  • B. Article 7, which requires consent to be as easy to withdraw as it is to give.
  • C. Article 6, which requires processing to be lawful.
  • D. Article 20, which gives data subjects a right to data portability.

正解:B


質問 # 142
SCENARIO
Please use the following to answer the next question:
Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in Greece (5), Italy (15) and Spain (1), have registered their most profitable results ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based in ARRA's main Italian establishment, has organized a team event for its 420 employees and their families at its hotel in Spain.
Upon arrival at the hotel, each employee and family member is given an electronic wristband at the reception desk. The wristband serves a number of functions:
. Allows access to the "party zone" of the hotel, and emits a buzz if the user approaches any unauthorized areas
. Allows up to three free drinks for each person of legal age, and emits a buzz once this limit has been reached
. Grants a unique ID number for participating in the games and contests that have been planned.
Along with the wristband, each guest receives a QR code that leads to the online privacy notice describing the use of the wristband. The page also contains an unchecked consent checkbox. In the case of employee family members under the age of 16, consent must be given by a parent.
Among the various activities planned for the event, ARRA Hotels' HR office has autonomously set up a photocall area, separate from the main event venue, where employees can come and have their pictures taken in traditional carnival costume.
The photos will be posted on ARRA Hotels' main website for general marketing purposes.
On the night of the event, an employee from one of ARRA's Greek hotels is displeased with the results of the photos in which he appears. He intends to file a complaint with the relevant supervisory authority in regard to the following:
. The lack of any privacy notice in the separate photocall area
The unlawful cross-border processing of his personal data
. The unacceptable aesthetic outcome of his photos
Why would consent NOT be considered an adequate legal basis for accessing the party zone?

  • A. The consent is not freely given.
  • B. The consent is not completely unambiguous.
  • C. The consent is not in writing.
  • D. The consent is not sufficiently informed.

正解:A

解説:
Consent is one of the legal bases for processing personal data under the GDPR, but it must meet certain conditions to be valid. According to Article 4(11) of the GDPR, consent means "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her." In this scenario, consent would not be considered an adequate legal basis for accessing the party zone, because it is not freely given. Freely given consent means that the data subject has a genuine and free choice to agree or disagree to the processing, and that there is no detriment, coercion, or significant negative consequences if the data subject does not consent. However, in this case, the consent is conditional on accessing the party zone, which is the main purpose of the event. Therefore, the data subject does not have a real choice, and may feel pressured or obliged to consent in order to participate in the event. This violates the principle of free consent, and could invalidate the consent as a legal basis.
Reference:
* GDPR Article 4 - Definitions1
* GDPR Article 7 - Conditions for consent2
* Guidelines 05/2020 on consent under Regulation 2016/6793


質問 # 143
A news website based m (he United Slates reports primarily on North American events The website is accessible to any user regardless of location, as the website operator does not block connections from outside of the U.S. The website offers a pad subscription that requires the creation of a user account; this subscription can only be paid in U.S. dollars.
Which of the following explains why the website operator, who is the responsible for all processing related to account creation and subscriptions, is NOT required to comply with the GDPR?

  • A. Payments cannot be made in a European Union currency.
  • B. The website cannot block connections from outside the U.S. that use a Virtual Private Network (VPN) to simulate a US location.
  • C. The website is not available in several official languages of European Un on Member States
  • D. The controller does not have an establishment in the European Union.

正解:A

解説:
The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not1. This means that the GDPR applies to any controller or processor that has a branch, office, subsidiary, or other stable arrangement in the EU, even if the data processing occurs outside the EU. However, the GDPR also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union1. This means that the GDPR applies to any controller or processor that targets or tracks EU data subjects, even if they do not have a presence in the EU. In this case, the website operator is not required to comply with the GDPR because it does not have an establishment in the EU (option B), and it does not offer goods or services or monitor the behaviour of EU data subjects. The website operator reports primarily on North American events, does not block connections from outside the U.S., and only accepts payments in U.S. dollars, which indicate that it does not intend to target or track EU data subjects. Therefore, option B is the correct answer. Reference: Art. 3 GDPR - Territorial scope, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), [What does territorial scope mean under the GDPR?]


質問 # 144
What is true if an employee makes an access request to his employer for any personal data held about him?

  • A. The employer must supply all the information held about the employee.
  • B. The employer can automatically decline the request if it contains personal data about a third person.
  • C. The employer can decline the request if the information is only held electronically.
  • D. The employer must supply any information held about an employee unless an exemption applies.

正解:D

解説:
According to the UK GDPR, employees have the right to access and receive a copy of their personal data, and other supplementary information, from their employer. This is known as a data subject access request (DSAR). Employers must respond to a DSAR without delay and within one month of receipt of the request, unless the request is complex or excessive. Employers should perform a reasonable search for the requested information and provide it in an accessible, concise and intelligible format. Employers can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive. Some of the exemptions that may apply in the employment context are: legal privilege, management forecasting, confidential references, negotiations, regulatory functions, and criminal convictions and offences. Employers should disclose the information securely and inform the employee of their rights and the source of the data. Reference:
Right of access | ICO
Subject access request Q and As for employers | ICO
Data Subject Access Request (Employers' Guide) | DavidsonMorris


質問 # 145
Under what circumstances might the "soft opt-in" rule apply in relation to direct marketing?

  • A. Where an individual is given the ability to unsubscribe from marketing emails sent to him.
  • B. When an individual has not consented to the marketing.
  • C. When an individual's details are obtained from their inquiries about buying a product.
  • D. Where an individual's details have been obtained from a bought-in marketing list.

正解:C

解説:
The "soft opt-in" rule is an exception to the general requirement of obtaining consent before sending electronic mail marketing to individuals. It applies when the following conditions are met12:
the sender has obtained the contact details of the recipient in the context of the sale or negotiations for the sale of a product or service to that recipient; the sender only sends direct marketing relating to its own similar products or services; and the recipient has been given a simple opportunity to refuse or opt out of the marketing, both when the details were initially collected and in every subsequent message.
The option B matches these conditions, as it implies that the individual has shown an interest in buying a product from the sender, and that the sender can use the individual's details to send marketing about similar products, as long as the individual can easily opt out. The other options do not qualify for the "soft opt-in" rule, as they either involve no consent, no prior relationship, or no opt-out mechanism. Reference: Electronic mail marketing | ICO, Direct marketing rules and exceptions under the GDPR


質問 # 146
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children's questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well.
The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though that the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.
In light of the requirements of Article 32 of the GDPR (related to the Security of Processing), which practice should the company institute?

  • A. Insert contractual clauses into the contract between the toy manufacturer and the cloud service provider, since South Africa is outside the European Union.
  • B. Include dual-factor authentication before each use by a child in order to ensure a minimum amount of security.
  • C. Encrypt the data in transit over the wireless Bluetooth connection.
  • D. Include three-factor authentication before each use by a child in order to ensure the best level of security possible.

正解:C


質問 # 147
For which of the following operations would an employer most likely be justified in requesting the data subject's consent?

  • A. Assessing a potential employee's job application.
  • B. Processing an employee's health certificate in order to provide sick leave.
  • C. Posting an employee's bicycle race photo on the company's social media.
  • D. Operating a CCTV system on company premises.

正解:C


質問 # 148
According to Article 14 of the GDPR, how long does a controller have to provide a data subject with necessary privacy information, if that subject's personal data has been obtained from other sources?

  • A. As soon as possible after obtaining the personal data.
  • B. Within a reasonable period after obtaining the personal data, but no later than eight weeks.
  • C. As soon as possible after the first communication with the data subject.
  • D. Within a reasonable period after obtaining the personal data, but no later than one month.

正解:A


質問 # 149
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester's Alumni portal. Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Anna will find that a risk analysis is NOT necessary in this situation as long as?

  • A. The data subjects gave their unambiguous consent for the original processing
  • B. The processing will not negatively affect the rights of the data subjects
  • C. The data subjects are no longer current students of Frank's
  • D. The algorithms that Frank uses for the processing are technologically sound

正解:C

解説:
A risk analysis is a process of identifying, assessing and mitigating the potential threats and vulnerabilities that may affect the personal data processing activities of an organization. A risk analysis is not a one-time activity, but a continuous and dynamic process that requires regular monitoring and updating. A risk analysis is also not a substitute for compliance with the GDPR, but a tool to help ensure compliance by identifying and addressing the legal obligations and best practices.
According to the GDPR, an organization must conduct a data protection impact assessment (DPIA) before starting any new or significantly increased processing activity that may pose a high risk to the rights and freedoms of the data subjects. A DPIA is a systematic and documented process that aims to identify, evaluate and mitigate the risks associated with such processing activities. A DPIA must be carried out by or on behalf of the controller (the person or entity that determines the purposes and means of processing) or by another person acting on their behalf.
In this scenario, Frank is conducting a DPIA for his new processing activity of analyzing his students' performance data in relation to Department for Education expectations. This processing activity poses a high risk to the rights and freedoms of his students, as it involves collecting, storing, using and transferring their personal data without their explicit consent or knowledge. Therefore, Frank must conduct a DPIA before starting this processing activity.
However, there are some exceptions to this requirement. One of them is when the processing activity involves personal data that are no longer relevant for the original purpose for which they were collected or otherwise processed. In this case, Frank can use existing personal data without conducting a DPIA, as long as he ensures that they are adequate, relevant and limited to what is necessary for his new purpose.
Therefore, in this situation, Anna will find that a risk analysis is NOT necessary in this situation as long as the data subjects are no longer current students of Frank's. This means that Frank can use his existing student records without conducting a DPIA, as long as he ensures that they are adequate, relevant and limited to what is necessary for his new purpose.
Reference:
Risks and data protection impact assessments (DPIAs) | ICO
What Are GDPR Risk Assessments and Why Are They Important?
GDPR Compliance Risk Assessment Best Practices | Accountable
Why risk assessments are essential for GDPR compliance


質問 # 150
SCENARIO
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn't prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.
The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre- registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company's app, like storage and sharing of DNA information with other applications and medical providers. The company's contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers' attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn't include any technology or infrastructure; rather, it's simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob's laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canad a. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.
Who-R-U is NOT required to notify the local German DPA about the laptop theft because?

  • A. There is no evidence that the thieves have accessed the data on the laptop.
  • B. The company isn't a controller established in the Union.
  • C. The data isn't considered personally identifiable financial information.
  • D. The laptop belonged to a company located in Canada.

正解:B


質問 # 151
SCENARIO
Please use the following to answer the next question:
BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information - name, location, and prior purchase history - with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens.
Prior to sharing its customer list, BHealthy conducted a review of Natural Insight's security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy's data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight's machine learning algorithms.
What is the nature of BHealthy and Natural Insight's relationship?

  • A. Natural Insight is the controller because it determines the security measures to implement to protect data it processes; BHealthy is a co-controller because it engaged Natural Insight to determine pricing for the new sunscreens.
  • B. Natural Insight is a controller because it is separately determine the purpose of processing when it uses BHealthy's customer information to improve its machine learning algorithms.
  • C. Natural Insight is BHealthy's processor because the companies entered into data processing terms.
  • D. Natural Insight is BHealthy's processor because BHealthy is sharing its customer information with Natural Insight.

正解:C


質問 # 152
Which of the following does NOT have to be included in the records most processors must maintain in relation to their data processing activities?

  • A. Details of any data protection impact assessment conducted in relation to any processing activities carried out by the processor on behalf of each controller for which the processor is acting.
  • B. Name and contact details of each controller on behalf of which the processor is acting.
  • C. Details of transfers of personal data to a third country carried out on behalf of each controller for which the processor is acting.
  • D. Categories of processing carried out on behalf of each controller for which the processor is acting.

正解:C

解説:
Reference https://gdpr-info.eu/art-30-gdpr/


質問 # 153
An employee of company ABCD has just noticed a memory stick containing records of client data, including their names, addresses and full contact details has disappeared. The data on the stick is unencrypted and in clear text. It is uncertain what has happened to the stick at this stage, but it likely was lost during the travel of an employee. What should the company do?

  • A. Launch an investigation and if nothing is found within one month, notify the data protection supervisory authority.
  • B. Invoke the "disproportionate effort" exception under Article 33 to postpone notifying data subjects until more information can be gathered.
  • C. Notify as soon as possible the data protection supervisory authority that a data breach may have taken place.
  • D. Immediately notify all the customers of the company that their information has been accessed by an unauthorized person.

正解:C


質問 # 154
Please use the following to answer the next question:
Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.
The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a Are the cybersecurity assessors required to sign a data processing agreement with the company in order to comply with the GDPR''

  • A. Yes. the assessors a-e considered to be joint data controllers and must sign a mutual data processing agreement.
  • B. Yes, the assessors are data processors and their processing of personal data must be governed by a separate contract or other legal act.
  • C. No. the assessors do not quality as data processors as they do not copy the data to their facilities.
  • D. No, the assessors do not quality as data processors as they only have access to encrypted data.

正解:B


質問 # 155
What permissions are required for a marketer to send an email marketing message to a consumer in the EU?

  • A. A pre-checked box stating that the consumer agrees to receive email marketing.
  • B. A prior opt-in consent for consumers unless they are already customers.
  • C. A notice that the consumer's email address will be used for marketing purposes.
  • D. No prior permission required, but an opt-out requirement on all emails sent to consumers.

正解:B


質問 # 156
According to the GDPR, when should the processing of photographs be considered processing of special categories of personal data?

  • A. When processed with the intent to uniquely identify or authenticate a natural person.
  • B. When processed with the intent to comply with a law.
  • C. When processed with the intent to publish information regarding a natural person on publicly accessible media.
  • D. When processed with the intent to proceed to scientific or historical research projects.

正解:A

解説:
Reference:
According to the GDPR, the processing of photographs should not systematically be considered as processing of special categories of personal data, unless they are covered by the definition of biometric data1. Biometric data is defined as personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification or authentication of that natural person, such as facial images or dactyloscopic data2. Therefore, the processing of photographs is considered processing of special categories of personal data when it involves the use of specific technical means, such as facial recognition, that allow or confirm the unique identification or authentication of a natural person3. Reference: 1: Recital 51 of the GDPR2: Article 4(14) of the GDPR3: GDPR, Photographs, and Special Categories of Personal Data.


質問 # 157
Under the GDPR, which essential pieces of information must be provided to data subjects before collecting their personal data?

  • A. The name/s of relevant government agencies involved and the steps needed for revising the data.
  • B. The authority by which the controller is collecting the data and the third parties to whom the data will be sent.
  • C. The identity and contact details of the controller and the reasons the data is being collected.
  • D. The contact information of the controller and a description of the retention policy.

正解:C

解説:
Reference https://gdpr-info.eu/art-13-gdpr/


質問 # 158
What permissions are required for a marketer to send an email marketing message to a consumer in the EU?

  • A. A pre-checked box stating that the consumer agrees to receive email marketing.
  • B. A prior opt-in consent for consumers unless they are already customers.
  • C. A notice that the consumer's email address will be used for marketing purposes.
  • D. No prior permission required, but an opt-out requirement on all emails sent to consumers.

正解:B

解説:
Explanation/Reference: https://www.forbes.com/sites/forbescommunicationscouncil/2018/06/27/what-gdpr-means-for- email-marketing-to-eu-customers/#64020aa8374a


質問 # 159
......


認定情報プライバシープロフェッショナル/ヨーロッパ(CIPP/E)認定は、プライバシーの知識と専門知識を促進したい個人にとって不可欠な資格です。国際プライバシー専門家協会(IAPP)は、欧州連合の一般データ保護規則(GDPR)の習熟を実証したい専門家にCIPP/E認定試験を提供しています。認定試験は、GDPRとヨーロッパで活動している企業に対するその意味を深く理解するための優れた方法です。

 

IAPP CIPP-Eリアル2025年最新のブレーン問題集模擬試験問題集:https://jp.fast2test.com/CIPP-E-premium-file.html

最新CIPP-E試験問題集で最近更新された294問題:https://drive.google.com/open?id=1vvomHOCpuXbWkd2sYhhrnrW4kL4fSKFy


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어