Free IAPP CIPP-E Exam Questions

Question 1

A German data subject was the victim of an embarrassing prank 20 years ago. A newspaper website published an article about the prank at the time, and the article is still available on the newspaper's website. Unfortunately, the prank is the top search result when a user searches on the victim's name. The data subject requests that SearchCo delist this result. SearchCo agrees, and instructs its technology team to avoid scanning or indexing the article. What else must SearchCo do?

A : tify the newspaper that its article it is delisting the article.

B : lly erase the URL to the content, as opposed to delist which is mainly based on data subject's name.

C : Identify other controllers who are processing the same information and inform them of the delisting request.

D : Prevent the article from being listed in search results no matter what search terms are entered into the search engine.

Answer: A

Question 2

A grade school is planning to use facial recognition to track student attendance. Which of the following may provide a lawful basis for this processing?

A : school places a notice near each camera.

B : school gets explicit consent from the students.

C : ocessing is necessary for the legitimate interests pursed by the school.

D : tate law requires facial recognition to verify attendance.

Answer: A

Question 3

Which of the following would most likely NOT be covered by the definition of "personal data" under the GDPR?

A : payment card number of a Dutch citizen

B : U.S. social security number of an American citizen living in France

C : unlinked aggregated data used for statistical purposes by an Italian company

D : identification number of a German candidate for a professional examination in Germany

Answer: D

Question 4

SCENARIO

Please use the following to answer the next question: Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn't prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address. Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base. The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base.

The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre-registrations, it will develop EU-specific content and services. Another plan is called Customer for Life. The idea is to offer additional services through the company's app, like storage and sharing of DNA information with other applications and medical providers. The company's contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers' attempts to withdraw consent because the contract invalidates them. The final plan is to develop a brand presence in the EU.

The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn't include any technology or infrastructure; rather, it's simply a room with a desk and some chairs. On a recent trip concerning the naming-rights deal, Bob's laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.

Who-R-U is NOT required to notify the local German DPA about the laptop theft because?

A : company isn't a controller established in the Union.

B : laptop belonged to a company located in Canada.

C : data isn't considered personally identifiable financial information.

D : ere is no evidence that the thieves have accessed the data on the laptop.

Answer: A

Question 5

SCENARIO -

Please use the following to answer the next question:

Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).

People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a Know Your Customer (KYC) due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.

The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and ticking a checkbox on a separate page in order to get their account approved on the platform.

All customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a customer fails the KYC process, its KYC data will be automatically shared with the national anti-money laundering agency.

The KYC procedure requires customers to answer many questions, including whether they have any criminal convictions, whether they use recreational drugs or have problems with alcohol, and whether they have a terminal illness. While providing this data, customers see a conspicuous message saying that this data is meant only to prevent fraud and account takeover, and will be never shared with private third parties.

The company regularly conducts external security testing of its online systems by independent cybersecurity companies from the EU. At the final stage of testing, the company provides cybersecurity assessors with access to its central database to review security permissions, roles and policies. Personal data in the database is encrypted; however, cybersecurity assessors usually have access to the decryption keys obtained while running initial security testing. The assessors must strictly follow the guidelines imposed by the company during the entire testing and auditing process.

All customer data, including trading activities and all internal communications with technical support, are permanently stored in a secured AWS S3 Glacier cloud data storage, located in Ireland, for backup and compliance purposes. The data is securely transferred to the cloud and then is properly encrypted while at rest by using AWS-native encryption mechanisms. These mechanisms give AWS the necessary technical means to encrypt and decrypt the data when such is required by the company. There is no data processing agreement between AWS and the company.

Should Jane modify the required GDPR rights waiver for non-European residents?

A : Yes, the waiver must not apply to any residents of countries with an adequacy decision from the EC.

B : Yes, this clause must be entirely removed as all customers, regardless of residence or nationality, shall enjoy the same individual rights granted under GDPR.

C : No, the non-EU residents are not protected by GDPR unless they are physically located in the EU.

D : No, but all non-EU residents must manually sign a separate waiver to ensure its lawfulness and enforceability under GDPR.

Answer: B