Free IAPP CIPP-E Exam Questions

Question 1

SCENARIO

Please use the following to answer the next question: Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn't prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address. Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base. The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base.

The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre-registrations, it will develop EU-specific content and services. Another plan is called Customer for Life. The idea is to offer additional services through the company's app, like storage and sharing of DNA information with other applications and medical providers. The company's contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers' attempts to withdraw consent because the contract invalidates them. The final plan is to develop a brand presence in the EU.

The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn't include any technology or infrastructure; rather, it's simply a room with a desk and some chairs. On a recent trip concerning the naming-rights deal, Bob's laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.

Who-R-U is NOT required to notify the local German DPA about the laptop theft because?

A : company isn't a controller established in the Union.

B : laptop belonged to a company located in Canada.

C : data isn't considered personally identifiable financial information.

D : ere is no evidence that the thieves have accessed the data on the laptop.

Answer: A

Question 2

Jerry, the Chief Marketing Officer for a sports apparel and trophy company, sells products to schools and athletic clubs globally. Recently the company has decided to invest in a new line of customized sports equipment. Jerry plans to email his current customer base to offer them a discount on their first purchase of such equipment.

Jerry tells Kate, the Director of Privacy, about his plan. What is the best guidance Kate can provide to Jerry?

A : Permit Jerry to carry out his plan on the basis of marketing similar products to existing customers.

B : Require Jerry to send all current customers a second notice to allow them to opt-in to marketing emails

C : Permit Jerry to carry out his marketing plan on the basis of legitimate interest

D : Require Jerry to include an option to opt out of marketing emails in the future

Answer: D

Question 3

Bioface is a company based in the United States. It has no servers, personnel or assets in the European Union. By collecting photographs from social media and other web-based services, such as newspapers and blogs, it uses machine learning to develop a facial recognition algorithm. The algorithm identifies individuals in photographs who are not in its data set based the algorithm and its existing data.

The service collects photographs of data subjects in the European Union and will identify them if presented with their photographs. Bioface offers its service to government agencies and companies in the United States and Canada, but not to those in the European Union. Bioface does not offer the service to individuals.

Why is Bioface subject to the territorial scope of the General Data Protection Regulation?

A : collects data from European Union websites, which constitutes an establishment in the European Union.

B : offers services in the European Union by identifying data subjects in the European Union

C : collects data from subjects and uses it for automated processing.

D : It monitors the behavior of data subjects in the European Union.

Answer: A

Question 4

Through a combination of hardware failure and human error, the decryption key for a bank’s customer account transaction database has been lost. An investigation has determined that this was not the result of hacking or malfeasance, simply an unfortunate combination of circumstances. Which of the following accurately indicates the nature of this incident?

A : A data breach has not occurred because the loss was not the result of hacking.

B : A data breach has not occurred because no data was exposed to any unauthorized individual.

C : A data breach has occurred because the loss of the key has resulted in the data no longer being accessible.

D : A data breach has occurred because the loss of the key has resulted in the loss of confidentiality or integrity of the data.

Answer: D

Question 5

Which failing of Privacy Shield, cited by the CJEU as a reason for its invalidation, is the Trans-Atlantic Data Privacy Framework intended to address?

A : Data Subject Rights.

B : Right of Action.

C : Necessity.

D : Consent.

Answer: B