Pass CIPP-E Exam Guide

Certified Information Privacy Professional/Europe (CIPP/E) Questions and Answers

Question 21

SCENARIO

Please use the following to answer the next question:

TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.’s foundering business.

During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed Questionaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories – age, income, ethnicity – that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the Questionaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website’s traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website’s effectiveness. Oliver enthusiastically engages Techiva for these services.

Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.’s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva’s system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company’s system of access control must be reconsidered.

If TripBliss Inc. decides not to report the incident to the supervisory authority, what would be their BEST defense?

Options:

The resulting obligation to notify data subjects would involve disproportionate effort.

The incident resulted from the actions of a third-party that were beyond their control.

The destruction of the stolen data makes any risk to the affected data subjects unlikely.

The sensitivity of the categories of data involved in the incident was not substantial enough.

Answer:

Explanation:

According to the GDPR, data controllers must report personal data breaches to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it (Art 33 of GDPR). However, the notification is not required if the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Art 33(1) of GDPR). In this case, TripBliss Inc. could argue that the stolen data was securely erased by Leon before it could be disclosed to anyone else, and therefore the risk of harm to the data subjects was minimal. TripBliss Inc. would have to provide evidence of the secure deletion of the data and the absence of any copies or backups. Alternatively, TripBliss Inc. could also invoke the exception of disproportionate effort to avoid notifying the data subjects directly, but only if they have made a public communication or similar measure to inform them in an equally effective manner (Art 34(3)(b) of GDPR). The other options are not valid defenses, as they do not affect the likelihood of risk to the data subjects. The incident was not caused by a third-party, but by an employee of Techiva, who was acting as a data processor on behalf of TripBliss Inc. As the data controller, TripBliss Inc. is responsible for ensuring that the data processor provides sufficient guarantees to implement appropriate technical and organisational measures to comply with the GDPR (Art 28 of GDPR). The sensitivity of the data categories is not relevant for the notification obligation, as any personal data breach could pose a risk to the data subjects, depending on the circumstances. The GDPR does not provide a threshold for the sensitivity of the data, but rather requires a case-by-case assessment of the potential impact of the breach. References:

GDPR, Art 33, Art 34, Art 28

Free CIPP/E Study Guide, p. 15

European Data Protection Law & Practice, p. 123-124

Personal data breach notification under the GDPR

Question 22

Since blockchain transactions are classified as pseudonymous, are they considered to be within the material scope of the GDPR or outside of it?

Options:

Outside the material scope of the GDPR, because transactions do not include personal data about data subjects m the European Union.

Within the material scope of the GDPR but outside of the territorial scope, because blockchains are decentralized.

Within the material scope of the GDPR to the extent that transactions include data subjects in the European Union.

Outside the material scope of the GDPR, because transactions are for personal or household purposes

Question 23

SCENARIO

Please use the following to answer the next question:

ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage

In support of Ruth's strategic goals of hiring more sales representatives, the Human

Resources team is focused on improving its processes to ensure that new

employees are sourced, interviewed, hired, and onboarded efficiently. To help with

this, Mary identified two vendors, HRYourWay, a German based company, and

InstaHR, an Australian based company. She decided to have both vendors go

through ProStorage's vendor risk review process so she can work with Ruth to

make the final decision. As part of the review process, Jackie, who is responsible

for maintaining ProStorage's privacy program (including maintaining controller

BCRs and conducting vendor risk assessments), reviewed both vendors but

completed a transfer impact assessment only for InstaHR. After her review of both

vendors, she determined that InstaHR satisfied more of the requirements as it

boasted a more established privacy program and provided third-party attestations,

whereas HRYourWay was a small vendor with minimal data protection operations.

Thus, she recommended InstaHR.

ProStorage's marketing team also worked to meet the strategic goals of the

company by focusing on industries where it needed to grow its market share. To

help with this, the team selected as a partner UpFinance, a US based company

with deep connections to financial industry customers. During ProStorage's

diligence process, Jackie from the privacy team noted in the transfer impact

assessment that UpFinance implements several data protection measures

including end-to-end encryption, with encryption keys held by the customer.

Notably, UpFinance has not received any government requests in its 7 years of

business. Still, Jackie recommended that the contract require UpFinance to notify

ProStorage if it receives a government request for personal data UpFinance

processes on its behalf prior to disclosing such data.

Why is the additional measure recommended by Jackie sufficient foe using UpFinance?

Options:

UpFinance is an established 7-year-old business.

UpFinance is in a highly regulated financial industry

UpFinance is based in a country without surveillance laws.

UpFinance implements sufficient data protection measures

Question 24

A worker in a European Union (EU) member state has ceased his employment with a company. What should the employer most likely do in regard to the worker’s personal data?

Options:

Destroy sensitive information and store the rest per applicable data protection rules.

Store all of the data in case the departing worker makes a subject access request.

Securely store the data that is required to be kept under local law.

Provide the employee the reasons for retaining the data.

Summer Special - Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: top65certs

Certified Information Privacy Professional/Europe (CIPP/E) Questions and Answers

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

CompTIA

Fortinet

Microsoft

Salesforce