Sure Pass Exam CIPP-E PDF

Page: 17 / 22
Total 295 questions

Certified Information Privacy Professional/Europe (CIPP/E) Questions and Answers

Question 65

Assuming that the “without undue delay” provision is followed, what is the time limit for complying with a data access request?

Options:

A. Within 40 days of receipt

B. Within 40 days of receipt, which may be extended by up to 40 additional days

C. Within one month of receipt, which may be extended by up to an additional month

D. Within one month of receipt, which may be extended by an additional two months

Question 66

Start-up company MagicAI is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT Team decides to collect data about users' ethnic origin, nationality, and gender.

Which would be the most appropriate legal basis for this processing under the GDPR, Article 9 (Processing of special categories of personal data)?

Options:

A. Processing necessary for scientific or statistical purposes.

B. Processing necessary for reasons of substantial public interest.

C. Processing necessary for purposes of preventive or occupational medicine.

D. Processing necessary for the defense of legal claims in potential negligence cases.

Question 67

An organization receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal data. Under what condition can the organization charge the data subject a fee for processing the request?

Options:

A. Only where the organization can show that it is reasonable to do so because more than one request was made.

B. Only to the extent this is allowed under the restrictions on data subjects’ rights introduced under Art 23 of GDPR.

C. Only where the administrative costs of taking the action requested exceed a certain threshold.

D. Only if the organization can demonstrate that the request is clearly excessive or misguided.

Question 68

In which of the following cases, cited as an example by a WP29 guidance, would conducting a single data protection impact assessment to address multiple processing operations be allowed?

Options:

A. A medical organization that wants to begin genetic testing to support earlier research for which they have performed a DPIA.

B. A data controller who plans to use a new technology product that has already undergone a DPIA by the product’s provider.

C. A marketing team that wants to collect mailing addresses of customers for whom they already have email addresses.

D. A railway operator who plans to evaluate the same video surveillance in all the train stations of his company.
