Free IAPP CIPP-E Exam Questions

Question 1

SCENARIO

Please use the following to answer the next question:

Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.

Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.

After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased. Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.

To comply with the GDPR, what should Building Block have done as a first step before implementing the SecurityScan measure?

A : essed potential privacy risks by conducting a data protection impact assessment.

B : nsulted with the relevant data protection authority about potential privacy violations.

C : tributed a more comprehensive notice to employees and received their express consent.

D : nsulted with the Information Security team to weigh security measures against possible server impacts.

Answer: C

Question 2

What is the key difference between the European Council and the Council of the European Union?

A : Council of the European Union is helmed by a president.

B : Council of the European Union has a degree of legislative power.

C : European Council focuses primarily on issues involving human rights.

D : European Council is comprised of the heads of each EU member state.

Answer: D

Question 3

Start-up company MagicAl is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT team decides to collect data about users’ ethnic origin, nationality, and gender.Start-up company MagicAl is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT team decides to collect data about users’ ethnic origin, nationality, and gender.

A : Processing necessary for scientific or statistical purposes.

B : Processing necessary for reasons of substantial public interest.

C : Processing necessary for purposes of preventive or occupational medicine.

D : Processing necessary for the defense of legal claims in potential negligence cases.

Answer: C

Question 4

SCENARIO -

Please use the following to answer the next question:

Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in Greece (5), Italy (15) and Spain (1), have registered their most profitable results ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based in ARRA's main Italian establishment, has organized a team event for its 420 employees and their families at its hotel in Spain.

Upon arrival at the hotel, each employee and family member is given an electronic wristband at the reception desk. The wristband serves a number of functions:

• Allows access to the "party zone" of the hotel, and emits a buzz if the user approaches any unauthorized areas

• Allows up to three free drinks for each person of legal age, and emits a buzz once this limit has been reached

• Grants a unique ID number for participating in the games and contests that have been planned.

Along with the wristband, each guest receives a QR code that leads to the online privacy notice describing the use of the wristband. The page also contains an unchecked consent checkbox. In the case of employee family members under the age of 16, consent must be given by a parent.

Among the various activities planned for the event, ARRA Hotels' HR office has autonomously set up a photocall area, separate from the main event venue, where employees can come and have their pictures taken in traditional carnival costume. The photos will be posted on ARRA Hotels' main website for general marketing purposes.

On the night of the event, an employee from one of ARRA's Greek hotels is displeased with the results of the photos in which he appears. He intends to file a complaint with the relevant supervisory authority in regard to the following:

• The lack of any privacy notice in the separate photocall area

• The unlawful cross-border processing of his personal data

• The unacceptable aesthetic outcome of his photos

Which of the following is NOT necessarily considered a factor in identifying whether the processing could be considered a "cross-border processing"?

A : The total number of the data subjects interested.

B : The potential harm for the data subjects affected.

C : The limitation of rights of the data subjects concerned.

D : The exposure of the information of the data subjects involved.

Answer: A

Question 5

According to the Personal Data Protection Commission’s (PDPC) “Guide to basic data anonymization techniques,” recently adopted by the Spanish Data Protection Agency, which of the following is NOT a valid basic anonymization technique?

A : Swapping

B : Generalization

C : Data Adjustment.

D : Attribute Suppression.

Answer: C