Free IAPP CIPP-E Exam Questions

Question 1

Start-up company MagicAl is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT team decides to collect data about users’ ethnic origin, nationality, and gender.Start-up company MagicAl is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT team decides to collect data about users’ ethnic origin, nationality, and gender.

A : Processing necessary for scientific or statistical purposes.

B : Processing necessary for reasons of substantial public interest.

C : Processing necessary for purposes of preventive or occupational medicine.

D : Processing necessary for the defense of legal claims in potential negligence cases.

Answer: C

Question 2

According to the European Data Protection Board, if a controller that is not established in the EU but still subject to the GDPR becomes aware of a personal data breach, which supervisory authority or authorities must be notified?

A : Only the supervisory authority of the EU member state in which the controller's EU representative (pursuant to Article 27) is established.

B : Only one lead supervisory authority, as a controller benefits from the one-stop shop mechanism under the GDPR’s enforcement regime.

C : Every supervisory authority of the EU member states where the controller is offering goods or services.

D : Every supervisory authority for which affected data subjects reside in their EU member state.

Answer: A

Question 3

Which of the following does NOT have to be included in the records most processors must maintain in relation to their data processing activities?

A : me and contact details of each controller on behalf of which the processor is acting

B : tegories of processing carried out on behalf of each controller for which the processor is acting.

C : tails of transfers of personal data to a third country carried out on behalf of each controller for which the processor is acting.

D : tails of any data protection impact assessment conducted in relation to any processing activities carried out by the processor on behalf of each controller for which the processor is acting.

Answer: C

Question 4

Start-up company MagicAl is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT team decides to collect data about users’ ethnic origin, nationality, and gender.Start-up company MagicAl is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT team decides to collect data about users’ ethnic origin, nationality, and gender.

A : Processing necessary for scientific or statistical purposes.

B : Processing necessary for reasons of substantial public interest.

C : Processing necessary for purposes of preventive or occupational medicine.

D : Processing necessary for the defense of legal claims in potential negligence cases.

Answer: C

Question 5

Company X has entrusted the processing of their payroll data to Provider Y. Provider 'I stores this encrypted data on its server. The IT department of Provider 'I finds out that someone managed to hack into the system and take a copy of the data from its server. In this scenario, whom does Provider 'I have the obligation to notify?

A : public

B : mpany X

C : w enforcement

D : The supervisory authority

Answer: B