Free IAPP CIPP-E Exam Questions

Question 1

Which of the following would most likely NOT be covered by the definition of "personal data" under the GDPR?

A : payment card number of a Dutch citizen

B : U.S. social security number of an American citizen living in France

C : unlinked aggregated data used for statistical purposes by an Italian company

D : identification number of a German candidate for a professional examination in Germany

Answer: D

Question 2

Through a combination of hardware failure and human error, the decryption key for a bank’s customer account transaction database has been lost. An investigation has determined that this was not the result of hacking or malfeasance, simply an unfortunate combination of circumstances. Which of the following accurately indicates the nature of this incident?

A : A data breach has not occurred because the loss was not the result of hacking.

B : A data breach has not occurred because no data was exposed to any unauthorized individual.

C : A data breach has occurred because the loss of the key has resulted in the data no longer being accessible.

D : A data breach has occurred because the loss of the key has resulted in the loss of confidentiality or integrity of the data.

Answer: D

Question 3

SCENARIO -

Please use the following to answer the next question:

ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO, Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage's global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments. The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized in New Delhi. Unable to reach Ruth's family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR, provided information to the doctors based on accommodation requests Ruth made when she started at ProStorage.

In support of Ruth's strategic goals of hiring more sales representatives, the Human Resources team is focused on improving its processes to ensure that new employees are sourced, interviewed, hired, and on boarded efficiently. To help with this, Mary identified two vendors, HRYourWay, a German based company, and InstaHR, an Australian based company. She decided to have both vendors go through ProStorage's vendor risk review process so she can work with Ruth to make the final decision. As part of the review process, Jackie, who is responsible for maintaining ProStorage's privacy program (including maintaining controller BCRs and conducting vendor risk assessments), reviewed both vendors but completed a transfer impact assessment only for InstaHR. After her review of both vendors, she determined that InstaHR satisfied more of the requirements as it boasted a more established privacy program and provided third-party attestations, whereas HRYourWay was a small vendor with minimal data protection operations. Thus, she recommended InstaHR.

ProStorage's marketing team also worked to meet the strategic goals of the company by focusing on industries where it needed to grow its market share. To help with this, the team selected as a partner UpFinance. a US based company with deep connections to financial industry customers. During ProStorage's diligence process, Jackie from the privacy team noted in the transfer impact assessment that UpFinance implements several data protection measures including end-lo-end encryption, with encryption keys held by the customer. Notably, UpFinance has not received any government requests in its 7 years of business. Still, Jackie recommended that the contract require UpFinance to notify ProStorage if it receives a government request for personal data UpFinance processes on its behalf prior to disclosing such data.

What transfer mechanism should Jackie recommend for using InstaHR?

A : Adequacy.

B : Binding corporate rules.

C : Explicit consent of employees.

D : Standard contractual clauses.

Answer: D

Question 4

A high-ranking employee has his laptop bag stolen in a train station. In addition to the laptop, the bag contained the employee’s ID card, confidential company documents (such as financial information and minutes of board meetings, including participants and their roles), company payment cards, and authorization tokens.

As the company's Data Protection Officer, what should be your first action?

A : Inform the appropriate supervisory authority of the breach.

B : Verify whether the laptop contained personal data and, if so, if it was encrypted.

C : Inform the meeting participants of the breach and provide them with next steps to be taken.

D : Request deactivation of the authorization tokens to avoid access to company data, and remotely wipe the laptop.

Answer: B

Question 5

Under Article 9 of the GDPR, which of the following categories of data is NOT expressly prohibited from data processing?

A : rsonal data revealing ethnic origin.

B : rsonal data revealing genetic information.

C : rsonal data revealing financial information.

D : Personal data revealing trade union membership.

Answer: C