
[2021] Use Valid CIPP-C Exam - Actual Exam Question & Answer
NEW QUESTION 39
Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?
- A. To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation.
- B. The European Commission can adopt, repeal or amend an existing adequacy decision.
- C. The European Commission can adopt an adequacy decision for individual companies.
- D. EU member states are vested with the power to accept or reject a European Commission adequacy decision.
Answer: C
NEW QUESTION 40
In which of the following cases would an organization MOST LIKELY be required to follow both ePrivacy and data protection rules?
- A. When paying a search engine company to give prominence to certain products and services within specific search results.
- B. When emailing a customer to announce that his recent order should arrive earlier than expected.
- C. When creating an untargeted pop-up ad on a website.
- D. When calling a potential customer to notify her of an upcoming product sale.
Answer: C
NEW QUESTION 41
Read the following steps:
* Discover which employees are accessing cloud services and from which devices and apps
* Lock down the data in those apps and devices
* Monitor and analyze the apps and devices for compliance
* Manage application life cycles
* Monitor data sharing
An organization should perform these steps to do which of the following?
- A. Pursue a GDPR-compliant Privacy by Design process.
- B. Ensure cloud vendors are complying with internal data use policies.
- C. Institute a GDPR-compliant employee monitoring process.
- D. Maintain a secure Bring Your Own Device (BYOD) program.
Answer: D
NEW QUESTION 42
SCENARIO
Please use the following to answer the next question:
WonderKids provides an online booking service for childcare. WonderKids is based in France, but hosts its website through a company in Switzerland. As part of their service, WonderKids will pass all personal data provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person booking the childcare, address and contact details, as well as information about the children to be cared for, including name, age, gender and health information. The privacy statement on WonderKids' website states the following:
"WonderKids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may also use your and your child's personal information for our own legitimate business purposes, and we employ a third-party website hosting company located in Switzerland to store the data. Any data stored on equipment located in Switzerland meets the European Commission provisions for guaranteeing adequate safeguards for your and your child's personal information.
We will only share your and your child's personal information with businesses that we see as adding real value to you. By providing us with any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers."
"We may retain your and your child's personal information for no more than 28 days, at which point the data will be depersonalized, unless your personal information is being used for a legitimate business purpose beyond 28 days, where it may be retained for up to 2 years."
"We are processing your and your child's personal information with your consent. If you choose not to provide certain information to us, you may not be able to use our services. You have the right to: request access to your and your child's personal information; rectify or erase your or your child's personal information; the right to correction or erasure of your and/or your child's personal information; object to any processing of your and your child's personal information. You also have the right to complain to the supervisory authority about our data processing activities."
What must the contract between WonderKids and the hosting service provider contain?
- A. The requirement to implement technical and organizational measures to protect the data.
- B. Controller-to-controller model contract clauses.
- C. A non-disclosure agreement.
- D. Audit rights for the data subjects.
Answer: A
NEW QUESTION 43
The GDPR specifies fines that may be levied against data controllers for certain infringements. Which of the following infringements would be subject to the less severe administrative fine of up to 10 million euros (or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year)?
- A. Failure to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing.
- B. Failure to provide the means for a data subject to rectify inaccuracies in personal data.
- C. Failure to process personal information in a manner compatible with its original purpose.
- D. Failure to implement technical and organizational measures to ensure data protection is enshrined by design and default.
Answer: B
NEW QUESTION 44
SCENARIO
Please use the following to answer the next question:
Edufox has hosted an annual convention of users of its famous e-learning software platform, and over time, it has become a grand event. It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centerpiece of the company's product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family.
This year's conference is only three weeks away, and you have just heard news of a new initiative supporting it: a smartphone app for attendees. The app will support late registration, highlight the featured presentations and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. "It's going to be great," the developer, Deidre Hoffman, tells you, "if, that is, we actually get it working!" She laughs nervously but explains that because of the tight time frame she'd been given to build the app, she outsourced the job to a local firm. "It's just three young people," she says, "but they do great work." She describes some of the other apps they have built. When asked how they were selected for this job, Deidre shrugs. "They do good work, so I chose them." Deidre is a terrific employee with a strong track record. That's why she's been charged to deliver this rushed project. You're sure she has the best interests of the company at heart, and you don't doubt that she's under pressure to meet a deadline that cannot be pushed back. However, you have concerns about the app's handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her about it, but she quickly tries to reassure you, "I'm sure with your help we can fix any security issues if we have to, but I doubt there'll be any. These people build apps for a living, and they know what they're doing. You worry too much, but that's why you're so good at your job!"
Since it is too late to restructure the contract with the vendor or prevent the app from being deployed, what is the best step for you to take next?
- A. Implement a more comprehensive suite of information security controls than the one used by the vendor
- B. Develop security protocols for the vendor and mandate that they be deployed
- C. Insist on an audit of the vendor's privacy procedures and safeguards
- D. Ask the vendor for verifiable information about their privacy protections so weaknesses can be identified
Answer: D
NEW QUESTION 45
In which situation would a data controller most likely be able to justify the processing of the data of a child without parental consent?
- A. When providing preventive or counselling services to the child.
- B. When the data is to be processed for market research.
- C. When providing the child with materials purely for educational use.
- D. When a legitimate business interest makes obtaining consent impractical.
Answer: A
NEW QUESTION 46
An unforeseen power outage results in company Z's lack of access to customer data for six hours. According to Article 32 of the GDPR, this is considered a breach. Based on WP29's February 2018 guidance, company Z should do which of the following?
- A. Notify the supervisory authority about the loss of availability
- B. Conduct a thorough audit of all security systems
- C. Notify affected individuals that their data was unavailable for a period of time.
- D. Document the loss of availability to demonstrate accountability
Answer: A
NEW QUESTION 47
SCENARIO
Please use the following to answer the next question:
The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron's marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task.
At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron's legal department.
Registration Form
Vigotron's new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.) Vigotron values your privacy. The M-Health app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron's cloud provider, Stratculous. (Read more about Stratculous here.) Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer's name, email address or any other information gathered from the app to any third party without a customer's consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer's legal rights or protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)
* First name:
* Surname:
* Year of birth:
* Email:
* Physical Address (optional*):
* Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to [email protected] or send a letter with your request to the address listed at the bottom of this page.
Terms and Conditions
1. Jurisdiction. [...]
2. Applicable law. [...]
3. Limitation of liability. [...]
Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well-being.
What is one potential problem Vigotron's age policy might encounter under the GDPR?
- A. Users are only required to be aged 13 or over to be considered adults.
- B. Organizations that tie a service to marketing must seek consent for each purpose.
- C. Organizations must make reasonable efforts to verify parental consent.
- D. Age restrictions are more stringent when health data is involved.
Answer: D
NEW QUESTION 48
What is the key difference between the European Council and the Council of the European Union?
- A. The European Council is comprised of the heads of each EU member state.
- B. The Council of the European Union is helmed by a president.
- C. The Council of the European Union has a degree of legislative power.
- D. The European Council focuses primarily on issues involving human rights.
Answer: A
NEW QUESTION 49
Article 9 of the GDPR lists exceptions to the general prohibition against processing biometric data. Which of the following is NOT one of these exceptions?
- A. The processing is done by a non-profit organization and the results are disclosed outside the organization.
- B. The processing is necessary to protect the vital interests of the data subject when he or she is incapable of giving consent.
- C. The processing is explicitly consented to by the data subject and he or she is allowed by Union or Member State law to lift the prohibition.
- D. The processing is necessary for the establishment, exercise or defense of legal claims when courts are acting in a judicial capacity.
Answer: A
NEW QUESTION 50
A company in France suffers a robbery over the weekend owing to a faulty alarm system. When it is determined that the break-in involves the loss of a substantial amount of data, the company decides on a CCTV system to monitor for future incidents. Company technicians install cameras in the entrance of the building, hallways and offices. Footage is recorded continuously, and is monitored by the home office in the United States. What is the most realistic step the company could take to address their security concerns and comply with the personal data processing principles set out in Article 5 of the GDPR?
- A. Seek informed consent from company employees.
- B. Have cameras recording during work hours only.
- C. Restrict camera placement to building entrances only.
- D. Retain captured footage for no more than 30 days.
Answer: A
NEW QUESTION 51
An online company's privacy practices vary due to the fact that it offers a wide variety of services. How could it best address the concern that explaining them all would make the policies incomprehensible?
- A. Provide only general information about its processing activities and offer a toll-free number for more information.
- B. Use a layered privacy notice on its website and in its email communications.
- C. Place a banner on its website stipulating that visitors agree to its privacy policy and terms of use by visiting the site.
- D. Identify uses of data in a privacy notice mailed to the data subject.
Answer: D
NEW QUESTION 52
Which EU institution is vested with the competence to propose new data protection legislation on its own initiative?
- A. The Canadian Commission
- B. The Canadian Parliament
- C. The Canadian Council
- D. Office of the Privacy Commissioner of Canada
Answer: D
NEW QUESTION 53
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Ontario University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
* Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
* Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
* Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Ontario's Alumni portal.
* Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
Under its security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relation to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Anna explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Before Anna determines whether Frank's performance database is permissible, what additional information does she need?
- A. More information about the extent of the information loss.
- B. More information about Frank's data protection training.
- C. More information about what students have been told and how the research will be used.
- D. More information about the algorithm Frank used to mask student numbers.
Answer: C
NEW QUESTION 54
SCENARIO
Please use the following to answer the next question:
Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club's U.K. brochures, and it features on the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club.
After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVERFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVERFIT through alternate channels, he decides to take action against the company.
Javier contacts the U.K. Information Commissioner's Office ('ICO', the U.K.'s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56(3) of the GDPR, informs the CNIL (i.e. the supervisory authority of EVERFIT's main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR. The CNIL liaises with the ICO, as relevant under the cooperation procedure. Because the supervisory authorities are unable to reach a decision among themselves, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision.
Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.
Assuming that multiple EVERFIT branches across several EU countries are acting as separate data controllers, and that each of those branches was responsible for mishandling Javier's request, how may Javier proceed in order to seek compensation?
- A. He will have to sue EVERFIT's head office in France, where EVERFIT has its main establishment.
- B. He will be able to sue any one of the relevant EVERFIT branches, as each one may be held liable for the entire damage.
- C. He will have to sue each EVERFIT branch so that each branch provides proportionate compensation commensurate with its contribution to the damage or distress suffered by Javier.
- D. He will be able to apply to the European Data Protection Board in order to determine which particular EVERFIT branch is liable for damages, based on the decision that was made by the board.
Answer: A
NEW QUESTION 55
SCENARIO
Please use the following to answer the next question:
Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company for ten years and has always been concerned about protecting customers' privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.
Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her develop one.
After an initial assessment, Janice created a first draft of a new policy. Cheryl read through the draft and was concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a customer's personal information can only be held for one year after paying for a service such as a session with a personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the customer. The wording of these rules worries Cheryl, since stored personal information often helps her company serve her customers, even if there are long pauses between their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors to organize their classes.
Janice understood Cheryl's concerns and was already formulating some ideas for revision. She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity. However, Cheryl was skeptical. It seemed that classifying data and treating each type differently would cause undue difficulties in the company's day-to-day operations. Cheryl wants one simple data storage and access system that any employee can access if needed.
Even though the privacy policy was only a draft, she was beginning to see that changes within her company were going to be necessary. She told Janice that she would be more comfortable with implementing the new policy gradually over a period of several months, one department at a time. She was also interested in a layered approach by creating documents listing applicable parts of the new policy for each department.
What is the main problem with Cheryl's suggested method of communicating the new privacy policy?
- A. The policy might not be implemented consistently across departments.
- B. Employees would not be comfortable with a policy that is put into action over time.
- C. The policy would not be considered valid if not communicated in full.
- D. Employees might not understand how the documents relate to the policy as a whole.
Answer: A
NEW QUESTION 56
SCENARIO
Please use the following to answer the next question:
WonderKids provides an online booking service for childcare. WonderKids is based in France, but hosts its website through a company in Switzerland. As part of their service, WonderKids will pass all personal data provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person booking the childcare, address and contact details, as well as information about the children to be cared for, including name, age, gender and health information. The privacy statement on WonderKids' website states the following:
"WonderKids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may also use your and your child's personal information for our own legitimate business purposes, and we employ a third-party website hosting company located in Switzerland to store the data. Any data stored on equipment located in Switzerland meets the European Commission provisions for guaranteeing adequate safeguards for your and your child's personal information.
We will only share your and your child's personal information with businesses that we see as adding real value to you. By providing us with any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers."
"We may retain your and your child's personal information for no more than 28 days, at which point the data will be depersonalized, unless your personal information is being used for a legitimate business purpose beyond 28 days, where it may be retained for up to 2 years."
"We are processing your and your child's personal information with your consent. If you choose not to provide certain information to us, you may not be able to use our services. You have the right to: request access to your and your child's personal information; rectify or erase your or your child's personal information; the right to correction or erasure of your and/or your child's personal information; object to any processing of your and your child's personal information. You also have the right to complain to the supervisory authority about our data processing activities."
What direct marketing information can WonderKids send by email without prior consent of the person booking the childcare?
- A. Any marketing information at all.
- B. No marketing information at all.
- C. Marketing information for products or services similar to those purchased from WonderKids.
- D. Marketing information related to other business operations of WonderKids.
Answer: D
NEW QUESTION 57
Which is TRUE about the scope and authority of data protection oversight authorities?
- A. The Office of the Privacy Commissioner (OPC) of Canada has the right to impose financial sanctions on violators
- B. All authority in the European Union rests with the Data Protection Commission (DPC)
- C. No one agency officially oversees the enforcement of privacy regulations in the United States
- D. The Asia-Pacific Economic Cooperation (APEC) Privacy Frameworks require all member nations to designate a national data protection authority
Answer: A
NEW QUESTION 58
Which of the following is an example of direct marketing that would be subject to European data protection laws?
- A. A charity fundraising event notice sent to an individual at her business address.
- B. An updated privacy notice sent to an individual's personal email address.
- C. A service outage notification provided to an individual by recorded telephone message.
- D. A revision of contract terms conveyed to an individual by SMS from a marketing organization.
Answer: A