Free IAPP CIPP-E Exam Questions

Question 1

SCENARIO

Please use the following to answer the next question:

Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.

Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.

After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased. Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.

To comply with the GDPR, what should Building Block have done as a first step before implementing the SecurityScan measure?

A : essed potential privacy risks by conducting a data protection impact assessment.

B : nsulted with the relevant data protection authority about potential privacy violations.

C : tributed a more comprehensive notice to employees and received their express consent.

D : nsulted with the Information Security team to weigh security measures against possible server impacts.

Answer: C

Question 2

Start-up company MagicAl is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT team decides to collect data about users’ ethnic origin, nationality, and gender.Start-up company MagicAl is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT team decides to collect data about users’ ethnic origin, nationality, and gender.

A : Processing necessary for scientific or statistical purposes.

B : Processing necessary for reasons of substantial public interest.

C : Processing necessary for purposes of preventive or occupational medicine.

D : Processing necessary for the defense of legal claims in potential negligence cases.

Answer: C

Question 3

SCENARIO Please use the following to answer the next question: Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.

Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:

• Name • Address

• Date of Birth

• Payroll number

• National Insurance number

• Sick pay entitlement

• Maternity/paternity pay entitlement

• Holiday entitlement

• Pension and benefits contributions

• Trade union contributions

Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.

Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.

Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B. This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.

Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.

The GDPR requires sufficient guarantees of a company's ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?

A : ring companies whose measures are consistent with recommendations of accrediting bodies.

B : questing advice and technical support from Company A's IT team.

C : oiding the use of another company's data to improve their own services.

D : tting companies' measures with the appropriate supervisory authority.

Answer: A

Question 4

A grade school is planning to use facial recognition to track student attendance. Which of the following may provide a lawful basis for this processing?

A : school places a notice near each camera.

B : school gets explicit consent from the students.

C : ocessing is necessary for the legitimate interests pursed by the school.

D : tate law requires facial recognition to verify attendance.

Answer: A

Question 5

An employee of company ABCD has just noticed a memory stick containing records of client data, including their names, addresses and full contact details has disappeared. The data on the stick is unencrypted and in clear text. It is uncertain what has happened to the stick at this stage, but it likely was lost during the travel of an employee. What should the company do?

A : tify as soon as possible the data protection supervisory authority that a data breach may have taken place.

B : unch an investigation and if nothing is found within one month, notify the data protection supervisory authority.

C : voke the "disproportionate effort" exception under Article 33 to postpone notifying data subjects until more information can be gathered.

D : mediately notify all the customers of the company that their information has been accessed by an unauthorized person.

Answer: A