
Free IAPP CIPP-E Practice Exam with Questions & Answers | Set: 7

Questions 61

A Spanish electricity customer calls her local supplier with questions about the company’s upcoming merger. Specifically, the customer wants to know the recipients to whom her personal data will be disclosed once the merger is final. According to Article 13 of the GDPR, what must the company do before providing the customer with the requested information?

Options:
A. Verify that the request is applicable to the data collected before the GDPR entered into force.
B. Verify that the purpose of the request from the customer is in line with the GDPR.
C. Verify that the personal data has not already been sent to the customer.
D. Verify that the identity of the customer can be proven by other means.

Questions 62

Which area of privacy is a lead supervisory authority’s (LSA) MAIN concern?

Options:
A. Data subject rights
B. Data access disputes
C. Cross-border processing
D. Special categories of data

Questions 63

SCENARIO

Please use the following to answer the next question:

Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in Greece (5), Italy (15) and Spain (1), have registered their most profitable results ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based in ARRA's main Italian establishment, has organized a team event for its 420 employees and their families at its hotel in Spain.

Upon arrival at the hotel, each employee and family member is given an electronic wristband at the reception desk. The wristband serves a number of functions:

• Allows access to the "party zone" of the hotel, and emits a buzz if the user approaches any unauthorized areas
• Allows up to three free drinks for each person of legal age, and emits a buzz once this limit has been reached
• Grants a unique ID number for participating in the games and contests that have been planned.

Along with the wristband, each guest receives a QR code that leads to the online privacy notice describing the use of the wristband. The page also contains an unchecked consent checkbox. In the case of employee family members under the age of 16, consent must be given by a parent.

Among the various activities planned for the event, ARRA Hotels' HR office has autonomously set up a photocall area, separate from the main event venue, where employees can come and have their pictures taken in traditional carnival costume. The photos will be posted on ARRA Hotels' main website for general marketing purposes.

On the night of the event, an employee from one of ARRA's Greek hotels is displeased with the results of the photos in which he appears. He intends to file a complaint with the relevant supervisory authority in regard to the following:

• The lack of any privacy notice in the separate photocall area
• The unlawful cross-border processing of his personal data
• The unacceptable aesthetic outcome of his photos

Assuming that there is a cross-border processing of personal data, which of the following criteria would NOT be useful to the lead supervisory authority responsible for the Greek employee's complaint when trying to determine the location of the controller's main establishment?

Options:
A. Where the controller is registered as a company.
B. Where the processor is registered as a company.
C. Where decisions about the processing activities are made.
D. Where the director with responsibility for processing activities is located.

Questions 64

Which sentence best describes proper compliance for an international organization using Binding Corporate Rules (BCRs) as a controller or processor?

Options:
A. Employees must sign an ad hoc contractual agreement each time personal data is exported.
B. All employees are subject to the rules in their entirety, regardless of where the work is taking place.
C. All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.
D. Employees who control personal data must complete a rigorous certification procedure, as they are exempt from legal enforcement.

Questions 65

Higher fines are assessed for GDPR violations due to which of the following?

Options:
A. Failure to notify a supervisory authority and data subjects of a personal data breach
B. Violations of a data controller's obligations to obtain a child's consent
C. Failure to appoint a data protection officer.
D. Violations of a data subject's rights

Questions 66

Which of the following is NOT recognized as a common characteristic of cloud computing services?

Options:
A. The service's infrastructure is shared among the supplier's customers and can be located in a number of countries.
B. The supplier determines the location, security measures, and service standards applicable to the processing.
C. The supplier allows customer data to be transferred around the infrastructure according to capacity.
D. The supplier assumes the vendor's business risk associated with data processed by the supplier.

Questions 67

SCENARIO

Please use the following to answer the next question:

Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers’ data to third parties, and he’s convinced that Accidentable must have gotten his information from Bedrock Insurance.

Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him the full range of their insurance policies.

Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.

In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.

Bedrock supplies Louis with PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis’s contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.

In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.

Accidentable’s response letter confirms Louis’s suspicions. Accidentable is Bedrock Insurance’s wholly owned subsidiary, and they received information about Louis’s accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis’s contract included a provision in which he agreed to share his information with Bedrock’s affiliates for business purposes.

Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.

After Louis has exercised his right to restrict the use of his data, under what conditions would Accidentable have grounds for refusing to comply?

Options:
A. If Accidentable is entitled to use of the data as an affiliate of Bedrock.
B. If Accidentable also uses the data to conduct public health research.
C. If the data becomes necessary to defend Accidentable’s legal rights.
D. If the accuracy of the data is not an aspect that Louis is disputing.

Questions 68

What is the MAIN reason GDPR Article 4(22) establishes the concept of the “concerned supervisory authority”?

Options:
A. To encourage the consistency of local data processing activity.
B. To give corporations a choice about who their supervisory authority will be.
C. To ensure the GDPR covers controllers that do not have an establishment in the EU but have a representative in a member state.
D. To ensure that the interests of individuals residing outside the lead authority’s jurisdiction are represented.

Questions 69

A dynamic Internet Protocol (IP) address is considered personal data when it is combined with what?

Options:
A. Other data held by the processor.
B. Other data held by the controller.
C. Other data held by recipients of the data.
D. Other data held by Internet Service Providers (ISPs).

Questions 70

SCENARIO

Please use the following to answer the next question:

Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady’s business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.

Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box’s chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.

Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third-party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated.

Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.

Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box’s home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.

Despite some customer complaints, Brady’s business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.

Based on the scenario, what is the main reason that Brady should be concerned with Hermes Designs’ handling of customer personal data?

Options:
A. The data is sensitive.
B. The data is uncategorized.
C. The data is being used for a new purpose.
D. The data is being processed via a new means.

Exam Code: CIPP-E
Certification Provider: IAPP
Exam Name: Certified Information Privacy Professional/Europe (CIPP/E)
Last Update: Jul 15, 2025
Questions: 295
