CIPP-E PDF問題集で2023年04月21日試験問題 有効なCIPP-E問題集 [Q70-Q95]

Share

CIPP-E PDF問題集で2023年04月21日試験問題 有効なCIPP-E問題集

究極のCIPP-E準備ガイドで無料最新のIAPP練習テスト問題集

質問 70
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computers activity and their location.
During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
In addition to notifying employees about the purpose of the monitoring, the potential uses of their data and their privacy rights, what information should Building Block have provided them before implementing the security measures?

  • A. Information about how the measures are in the best interests of the company.
  • B. Information about what is specified in the employment contract.
  • C. Information about how providing consent could affect them as employees.
  • D. Information about who employees should contact with any queries.

正解: B

 

質問 71
If a data subject puts a complaint before a DPA and receives no information about its progress or outcome, how long does the data subject have to wait before taking action in the courts?

  • A. 5 months.
  • B. 3 months.
  • C. 1 month.
  • D. 12 months.

正解: B

 

質問 72
What ruling did the Planet 49 CJEU judgment make regarding the issue of pre-ticked boxes?

  • A. They are allowed if recorded In the register of processing activities.
  • B. They are allowed if determined to be technically necessary.
  • C. They do not amount to valid consent under any circumstances.
  • D. They constitute valid consent if the processing is necessary for purposes of legitimate interest

正解: C

 

質問 73
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children's questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though that the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.
In light of the requirements of Article 32 of the GDPR (related to the Security of Processing), which practice should the company institute?

  • A. Insert contractual clauses into the contract between the toy manufacturer and the cloud service provider, since South Africa is outside the European Union.
  • B. Include dual-factor authentication before each use by a child in order to ensure a minimum amount of security.
  • C. Include three-factor authentication before each use by a child in order to ensure the best level of security possible.
  • D. Encrypt the data in transit over the wireless Bluetooth connection.

正解: D

 

質問 74
What are the obligations of a processor that engages a sub-processor?

  • A. The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.
  • B. The processor must give the controller prior written notice and perform a preliminary audit of the sub- processor.
  • C. The processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor.
  • D. The processor must obtain the controller's specific written authorization and provide annual reports on the sub-processor's performance.

正解: A

 

質問 75
Under what circumstances might the "soft opt-in" rule apply in relation to direct marketing?

  • A. When an individual has not consented to the marketing.
  • B. Where an individual is given the ability to unsubscribe from marketing emails sent to him.
  • C. When an individual's details are obtained from their inquiries about buying a product.
  • D. Where an individual's details have been obtained from a bought-in marketing list.

正解: C

 

質問 76
Company X has entrusted the processing of their payroll data to Provider Y.
Provider Y stores this encrypted data on its server. The IT department of Provider Y finds out that someone managed to hack into the system and take a copy of the data from its server. In this scenario, whom does Provider Y have the obligation to notify?

  • A. The supervisory authority
  • B. Company X
  • C. The public
  • D. Law enforcement

正解: D

 

質問 77
If a multi-national company wanted to conduct background checks on all current and potential employees, including those based in Europe, what key provision would the company have to follow?

  • A. Background checks may not be allowed on European employees, but the company can create lists based on its legitimate interests, identifying individuals who are ineligible for employment.
  • B. Background checks on European employees will stem from data protection and employment law, which can vary between member states.
  • C. Background checks on employees could be performed only under prior notice to all employees.
  • D. Background checks are only authorized with prior notice and express consent from all employees including those based in Europe.

正解: B

 

質問 78
SCENARIO
Please use the following to answer the next question:
Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady's business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady's company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.
Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box's chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.
Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.
Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box's home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box's Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.
Despite some customer complaints, Brady's business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.
Under the General Data Protection Regulation (GDPR), what is the most likely reason Serge may have grounds to object to the use of his quotation?

  • A. Because of the misrepresentation of personal data as an endorsement.
  • B. Because of the misapplication of the household exception in relation to a social networking service (SNS).
  • C. Because of the juxtaposition of the quotation with others' quotations.
  • D. Because of the use of personal data outside of the social networking service (SNS).

正解: B

 

質問 79
According to the European Data Protection Board, which of the following concepts or practices does NOT follow from the principles relating to the processing of personal data under EU data protection law?

  • A. Frequent pseudonymization key rotation.
  • B. Access control management.
  • C. Error propagation avoidance along the processing chain.
  • D. Data ownership allocation.

正解: A

 

質問 80
How is the GDPR's position on consent MOST likely to affect future app design and implementation?

  • A. Users will be given granular types of consent for particular types of processing.
  • B. App developers' responsibilities as data controllers will increase.
  • C. App developers will expand the amount of data necessary to collect for an app's functionality.
  • D. Users will see fewer advertisements when using apps.

正解: A

 

質問 81
Which sentence BEST summarizes the concepts of "fairness," "lawfulness" and "transparency", as expressly required by Article 5 of the GDPR?

  • A. Fairness refers to the collection of data from diverse subjects; lawfulness refers to the need for legal rules to be uniform; transparency refers to giving individuals access to their data.
  • B. Fairness and transparency refer to the communication of key information before collecting data; lawfulness refers to compliance with government regulations.
  • C. Fairness refers to limiting the amount of data collected from individuals; lawfulness refers to the approval of company guidelines by the state; transparency solely relates to communication of key information before collecting data.
  • D. Fairness refers to the security of personal data; lawfulness and transparency refers to the analysis of ordinances to ensure they are uniformly enforced.

正解: B

解説:
Explanation

 

質問 82
What is the most frequently used mechanism for legitimizing cross-border data transfer?

  • A. Approved Code of Conduct.
  • B. Binding Corporate Rules.
  • C. Standard Contractual Clauses.
  • D. Derogations.

正解: C

解説:
Reference https://www.dataguidance.com/opinion/international-eu-us-cross-border-data-transfers

 

質問 83
Which sentence best describes proper compliance for an international organization using Binding Corporate Rules (BCRs) as a controller or processor?

  • A. All employees are subject to the rules in their entirety, regardless of where the work is taking place.
  • B. Employees who control personal data must complete a rigorous certification procedure, as they are exempt from legal enforcement.
  • C. All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.
  • D. Employees must sign an ad hoc contractual agreement each time personal data is exported.

正解: A

 

質問 84
A data controller appoints a data protection officer. Which of the following conditions would NOT result in an infringement of Articles 37 to 39 of the GDPR?

  • A. If the data protection officer receives instructions from the data controller.
  • B. If the data protection officer also manages the marketing budget.
  • C. If the data protection officer is provided by the data processor.
  • D. If the data protection officer lacks ISO 27001 auditor certification.

正解: D

解説:
Reference https://www.itgovernance.eu/fr-lu/data-protection-officer-dpo-under-the-gdpr-lu

 

質問 85
When does the GDPR provide more latitude for a company to process data beyond its original collection purpose?

  • A. When the data has been pseudonymized.
  • B. When the data is protected by technological safeguards.
  • C. When the data serves legitimate interest of third parties.
  • D. When the data subject has failed to use a provided opt-out mechanism.
    Section: (none)
    Explanation

正解: C

 

質問 86
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computers activity and their location.
During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization.
The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
In addition to notifying employees about the purpose of the monitoring, the potential uses of their data and their privacy rights, what information should Building Block have provided them before implementing the security measures?

  • A. Information about how the measures are in the best interests of the company.
  • B. Information about what is specified in the employment contract.
  • C. Information about how providing consent could affect them as employees.
  • D. Information about who employees should contact with any queries.

正解: B

 

質問 87
SCENARIO
Please use the following to answer the next question:
Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady's business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady's company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.
Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box's chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.
Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.
Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box's home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box's Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.
Despite some customer complaints, Brady's business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.
Based on the scenario, what is the main reason that Brady should be concerned with Hermes Designs' handling of customer personal data?

  • A. The data is sensitive.
  • B. The data is being used for a new purpose.
  • C. The data is being processed via a new means.
  • D. The data is uncategorized.

正解: B

 

質問 88
SCENARIO
Please use the following to answer the next question:
Zandelay Fashion ('Zandelay') is a successful international online clothing retailer that employs approximately
650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company's compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.
The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.
In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company's customers by analyzing their purchases. Martin tells the CEO that: (a) the potential risks of such activities means that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.
Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay's business plan and associated processing activities.
What would MOST effectively assist Zandelay in conducting their data protection impact assessment?

  • A. Data breach documentation that data controllers are required to maintain.
  • B. Records of processing activities that data controllers are required to maintain.
  • C. Existing DPIA guides published by local supervisory authorities.
  • D. Information about DPIAs found in Articles 38 through 40 of the GDPR.

正解: D

 

質問 89
Please use the following to answer the next question:
Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related (asks This was also specified in the privacy policy, which Jack signed upon conclusion of the training.
After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and hearth information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors. Jack was immediately dismissed Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents In relation to the emails Jack listed six members of the management team whose inboxes he required access.
The company conducted an initial search of its IT systems, which returned a large amount of information They then contacted Jack, requesting that he be more specific regarding what information he required, so that they could carry out a targeted search Jack responded by stating that he would not narrow the scope of the information requester.
Under Article 82 of the GDPR ("Right to compensation and liability-), which party is liable for the damage caused by the data breach?

  • A. The pharmaceutical company is liable.
  • B. Jack and the pharmaceutical company are jointly liable.
  • C. Both parties are exempt, as the company is involved in human health research
  • D. Jack is liable

正解: B

 

質問 90
Under Article 30 of the GDPR, controllers are required to keep records of all of the following EXCEPT?

  • A. Incidents of personal data breaches, whether disclosed or not.
  • B. Categories of recipients to whom the personal data have been disclosed.
  • C. Retention periods for erasure and deletion of categories of personal data.
  • D. Data inventory or data mapping exercises that have been conducted.

正解: C

解説:
Section: (none)
Explanation
Reference https://medium.com/golden-data/what-records-must-controllers-and-processors-keep-to-comply- with-eu-data-protection-law-3e8bac177695

 

質問 91
According to the GDPR, when should the processing of photographs be considered processing of special categories of personal data?

  • A. When processed with the intent to publish information regarding a natural person on publicly accessible media.
  • B. When processed with the intent to proceed to scientific or historical research projects.
  • C. When processed with the intent to uniquely identify or authenticate a natural person.
  • D. When processed with the intent to comply with a law.

正解: C

解説:
Reference https://www.privacy-regulation.eu/en/recital-51-GDPR.htm

 

質問 92
What is the key difference between the European Council and the Council of the European Union?

  • A. The European Council is comprised of the heads of each EU member state.
  • B. The Council of the European Union is helmed by a president.
  • C. The European Council focuses primarily on issues involving human rights.
  • D. The Council of the European Union has a degree of legislative power.

正解: A

解説:
Section: (none)
Explanation

 

質問 93
Please use the following to answer the next question:
Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta |EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.
The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a Which of the following must be a component of the anti-money-laundering data-sharing practice of the platform?

  • A. Customers snail receive a clear and conspicuous notice about such data sharing before submitting their data during the registration process.
  • B. The terms of service shall include the address of the anti-money laundering agency and contacts of the investigators who may access me data.
  • C. The terms of service shall also enumerate all applicable anti-money laundering few.
  • D. Customers shall have an opt-out feature to restrict data sharing with law enforcement agencies after the registration.

正解: B

 

質問 94
A German data subject was the victim of an embarrassing prank 20 years ago. A newspaper website published an article about the prank at the time, and the article is still available on the newspaper's website. Unfortunately, the prank is the top search result when a user searches on the victim's name. The data subject requests that SearchCo delist this result. SearchCo agrees, and instructs its technology team to avoid scanning or indexing the article. What else must SearchCo do?

  • A. Prevent the article from being listed in search results no matter what search terms are entered into the search engine.
  • B. Identify other controllers who are processing the same information and inform them of the delisting request.
  • C. Notify the newspaper that its article it is delisting the article.
  • D. Fully erase the URL to the content, as opposed to delist which is mainly based on data subject's name.

正解: C

 

質問 95
......

合格率 取得する秘訣はCIPP-E認定試験エンジンPDF:https://jp.fast2test.com/CIPP-E-premium-file.html

今すぐ試そう!高評価IAPP CIPP-E試験問題集:https://drive.google.com/open?id=1vvomHOCpuXbWkd2sYhhrnrW4kL4fSKFy


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어