Free IAPP CIPP-E Exam Questions

Question 1

Which sentence best describes proper compliance for an international organization using Binding Corporate Rules (BCRs) as a controller or processor?

A : ployees must sign an ad hoc contractual agreement each time personal data is exported.

B : All employees are subject to the rules in their entirety, regardless of where the work is taking place.

C : l employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.

D : ployees who control personal data must complete a rigorous certification procedure, as they are exempt from legal enforcement.

Answer: C

Question 2

According to the European Data Protection Board, if a controller that is not established in the EU but still subject to the GDPR becomes aware of a personal data breach, which supervisory authority or authorities must be notified?

A : Only the supervisory authority of the EU member state in which the controller's EU representative (pursuant to Article 27) is established.

B : Only one lead supervisory authority, as a controller benefits from the one-stop shop mechanism under the GDPR’s enforcement regime.

C : Every supervisory authority of the EU member states where the controller is offering goods or services.

D : Every supervisory authority for which affected data subjects reside in their EU member state.

Answer: A

Question 3

Start-up company MagicAl is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT team decides to collect data about users’ ethnic origin, nationality, and gender.Start-up company MagicAl is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT team decides to collect data about users’ ethnic origin, nationality, and gender.

A : Processing necessary for scientific or statistical purposes.

B : Processing necessary for reasons of substantial public interest.

C : Processing necessary for purposes of preventive or occupational medicine.

D : Processing necessary for the defense of legal claims in potential negligence cases.

Answer: C

Question 4

Through a combination of hardware failure and human error, the decryption key for a bank’s customer account transaction database has been lost. An investigation has determined that this was not the result of hacking or malfeasance, simply an unfortunate combination of circumstances. Which of the following accurately indicates the nature of this incident?

A : A data breach has not occurred because the loss was not the result of hacking.

B : A data breach has not occurred because no data was exposed to any unauthorized individual.

C : A data breach has occurred because the loss of the key has resulted in the data no longer being accessible.

D : A data breach has occurred because the loss of the key has resulted in the loss of confidentiality or integrity of the data.

Answer: D

Question 5

Start-up company MagicAl is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT team decides to collect data about users’ ethnic origin, nationality, and gender.Start-up company MagicAl is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT team decides to collect data about users’ ethnic origin, nationality, and gender.

A : Processing necessary for scientific or statistical purposes.

B : Processing necessary for reasons of substantial public interest.

C : Processing necessary for purposes of preventive or occupational medicine.

D : Processing necessary for the defense of legal claims in potential negligence cases.

Answer: C