Free IAPP CIPP-E Exam Questions

Question 1

SCENARIO -

Please use the following to answer the next question:

Gentle Hedgehog Inc. is a privately owned website design agency incorporated in Italy. The company has numerous remote workers in different EU countries. Recently, the management of Gentle Hedgehog noticed a decrease in productivity of their sales team, especially among remote workers. As a result, the company plans to implement a robust but privacy-friendly remote surveillance system to prevent absenteeism, reward top performers, and ensure the best quality of customer service when sales people are interacting with customers.

Gentle Hedgehog eventually hires Sauron Eye Inc., a Chinese vendor of employee surveillance software whose European headquarters is in Germany. Sauron Eye s software provides powerful remote-monitoring capabilities, including 24/7 access to computer cameras and microphones, screen captures, emails, website history, and keystrokes. Any device can be remotely monitored from a central server that is securely installed at Gentle Hedgehog headquarters. The monitoring is invisible by default; however, a so-called Transparent Mode, which regularly and conspicuously notifies all users about the monitoring and its precise scope, also exists. Additionally, the monitored employees are required to use a built-in verification technology involving facial recognition each time they log in.

All monitoring data, including the facial recognition data, is securely stored in Microsoft Azure cloud servers operated by Sauron Eye, which are physically located in France.

What monitoring may be lawfully performed within the scope of Gentle Hedgehog’s business?

A : Everything offered by Sauron Eye's software with the exception of camera and microphone monitoring.

B : Everything offered by Sauron Eye's software, assuming employees provide daily consent to the monitoring

C : Only video calls conducted during business hours and emails that do not contain a “private” or “personal” tag.

D : Only emails, website browsing history and camera for internal video calls that are expressly marked as monitored.

Answer: D

Question 2

What should a controller do after a data subject opts out of a direct marketing activity?

A : thout exception, securely delete all personal data relating to the data subject.

B : thout undue delay, provide information to the data subject on the action that will be taken.

C : frain from processing personal data relating to the data subject for the relevant type of communication.

D : ke reasonable steps to inform third-party recipients that the data subject's personal data should be deleted and no longer processed.

Answer: C

Question 3

SCENARIO -

Please use the following to answer the next question:

Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in Greece (5), Italy (15) and Spain (1), have registered their most profitable results ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based in ARRA's main Italian establishment, has organized a team event for its 420 employees and their families at its hotel in Spain.

Upon arrival at the hotel, each employee and family member is given an electronic wristband at the reception desk. The wristband serves a number of functions:

• Allows access to the "party zone" of the hotel, and emits a buzz if the user approaches any unauthorized areas

• Allows up to three free drinks for each person of legal age, and emits a buzz once this limit has been reached

• Grants a unique ID number for participating in the games and contests that have been planned.

Along with the wristband, each guest receives a QR code that leads to the online privacy notice describing the use of the wristband. The page also contains an unchecked consent checkbox. In the case of employee family members under the age of 16, consent must be given by a parent.

Among the various activities planned for the event, ARRA Hotels' HR office has autonomously set up a photocall area, separate from the main event venue, where employees can come and have their pictures taken in traditional carnival costume. The photos will be posted on ARRA Hotels' main website for general marketing purposes.

On the night of the event, an employee from one of ARRA's Greek hotels is displeased with the results of the photos in which he appears. He intends to file a complaint with the relevant supervisory authority in regard to the following:

• The lack of any privacy notice in the separate photocall area

• The unlawful cross-border processing of his personal data

• The unacceptable aesthetic outcome of his photos

Which of the following is NOT necessarily considered a factor in identifying whether the processing could be considered a "cross-border processing"?

A : The total number of the data subjects interested.

B : The potential harm for the data subjects affected.

C : The limitation of rights of the data subjects concerned.

D : The exposure of the information of the data subjects involved.

Answer: A

Question 4

Through a combination of hardware failure and human error, the decryption key for a bank’s customer account transaction database has been lost. An investigation has determined that this was not the result of hacking or malfeasance, simply an unfortunate combination of circumstances. Which of the following accurately indicates the nature of this incident?

A : A data breach has not occurred because the loss was not the result of hacking.

B : A data breach has not occurred because no data was exposed to any unauthorized individual.

C : A data breach has occurred because the loss of the key has resulted in the data no longer being accessible.

D : A data breach has occurred because the loss of the key has resulted in the loss of confidentiality or integrity of the data.

Answer: D

Question 5

Many businesses print their employees' photographs on building passes, so that employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GOPR. Why would such practice be permitted?

A : cause use of biometric data to confirm the unique identification of data subjects benefits from an exemption.

B : Because photographs qualify as biometric data only when they undergo a "specific technical processing".

C : cause employees are deemed to have given their explicit consent when they agree to be photographed by their employer.

D : cause photographic ID is a physical security measure which is "necessary for reasons of substantial public interest".

Answer: B