IAPP CIPP-E Exam With Confidence Using Practice Dumps

SCENARIO

Please use the following to answer the next question:

Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.

Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.

Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its

clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying

information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.

Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.

JaphSoft’s use of pseudonymization is NOT in compliance with the CDPR because?

SCENARIO

Please use the following to answer the next question:

Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based

company that allows anyone to buy and sell cryptocurrencies via its online platform.

The company stores and processes the personal data of its customers in a

dedicated data center located in Malta (EU).

People wishing to trade cryptocurrencies are required to open an online account on

the platform. They then must successfully pass a Know Your Customer (KYC) due

diligence procedure aimed at preventing money laundering and ensuring

compliance with applicable financial regulations.

The non-European customers are also required to waive all their GDPR rights by

reading a disclaimer written in bold and ticking a checkbox on a separate page in

order to get their account approved on the platform.

All customers must likewise accept the terms of service of the platform. The terms

of service also include a privacy policy section, saying, among other things, that if a

customer fails the KYC process, its KYC data will be automatically shared with the

national anti-money laundering agency.

The KYC procedure requires customers to answer many questions, including

whether they have any criminal convictions, whether they use recreational drugs or

have problems with alcohol, and whether they have a terminal illness. While

providing this data, customers see a conspicuous message saying that this data is

meant only to prevent fraud and account takeover, and will be never shared with

private third parties.

The company regularly conducts external security testing of its online systems by

independent cybersecurity companies from the EU. At the final stage of testing, the

company provides cybersecurity assessors with access to its central database to

review security permissions, roles and policies. Personal data in the database is

encrypted; however, cybersecurity assessors usually have access to the decryption

keys obtained while running initial security testing. The assessors must strictly

follow the guidelines imposed by the company during the entire testing and auditing

process.

All customer data, including trading activities and all internal communications with

technical support, are permanently stored in a secured AWS S3 Glacier cloud data

storage, located in Ireland, for backup and compliance purposes. The data is

securely transferred to the cloud and then is properly encrypted while at rest by

using AWS-native encryption mechanisms. These mechanisms give AWS the

necessary technical means to encrypt and decrypt the data when such is required

by the company. There is no data processing agreement between AWS and the

company.

Should Jane modify the required GDPR rights waiver for non-European residents?

When hiring a data processor, which action would a data controller NOT be able to depend upon to avoid liability in the event of a security breach?