Certified Information Privacy Professional CIPP-E Book

Page: 18 / 19
Total 268 questions

Certified Information Privacy Professional/Europe (CIPP/E) Questions and Answers

Question 69

Which aspect of the GDPR will likely have the most impact on the consistent implementation of data protection laws throughout the European Union?

Options:

A. That it essentially functions as a one-stop shop mechanism

B. That it takes the form of a Regulation as opposed to a Directive

C. That it makes notification of large-scale data breaches mandatory

D. That it makes appointment of a data protection officer mandatory

Question 70

When hiring a data processor, which action would a data controller NOT be able to depend upon to avoid liability in the event of a security breach?

Options:

A. Documenting due diligence steps taken in the pre-contractual stage.

B. Conducting a risk assessment to analyze possible outsourcing threats.

C. Requiring that the processor directly notify the appropriate supervisory authority.

D. Maintaining evidence that the processor was the best possible market choice available.

Question 71

SCENARIO

Please use the following to answer the next question:

Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.

Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.

Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.

Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.

For what reason would JaphSoft be considered a controller under the GDPR?

Options:

A. It determines how long to retain the personal data collected.

B. It has been provided access to personal data in the MarketIQ database.

C. It uses personal data to improve its products and services for its client-base through machine learning.

D. It makes decisions regarding the technical and organizational measures necessary to protect the personal data.

Question 72

If a company receives an anonymous email demanding ransom for the stolen personal data of its clients, what must the company do next, per GDPR requirements?

Options:

A. Notify the police and file a criminal complaint about the incident

B. Start an investigation to understand the incident's possible scope, duration and nature

C. Send a notification to the competent supervisory authority describing the incident.

D. Send an email about the incident to all clients and ask them to change their passwords
