IAPP CIPP-E Real 2026 Braindumps Mock Exam Dumps [Q110-Q127]

Share

IAPP CIPP-E Real 2026 Braindumps Mock Exam Dumps

CIPP-E Exam Questions | Real CIPP-E Practice Dumps


The CIPP-E certification exam covers a range of topics related to European data protection, including the GDPR, data protection laws in Europe, data protection principles and concepts, data subject rights, and the role of data protection officers (DPOs). CIPP-E exam is designed to be challenging and requires a deep understanding of the subject matter. Candidates must be able to demonstrate their knowledge of the GDPR and apply it to real-world scenarios.


IAPP CIPP-E exam is a highly respected certification program that tests an individual's knowledge of data protection and privacy laws and regulations in the EU. Certified Information Privacy Professional/Europe (CIPP/E) certification is designed for individuals who work in the field of data protection and privacy and provides them with a competitive edge in the job market. It is a challenging and rigorous exam that requires extensive preparation and study, but it is well worth the effort for those who wish to demonstrate their expertise in the field of data protection and privacy.

 

NEW QUESTION # 110
Please select4 of the 7 options below. No partial credit will be given.
Which of the following are considered core data protection principles under the GDPR?

  • A. Access and correction.
  • B. Data localization.
  • C. Storage limitation.
  • D. Integrity and confidentiality.
  • E. Individual participation.
  • F. Data minimization.
  • G. Purpose limitation.

Answer: C,D,F,G

Explanation:
Thecore data protection principlesare codified inArticle 5(1) GDPRand detailed in theCIPP/E Textbook (3rd ed.), Chapter 6 "Data Processing Principles". These principles are the backbone of GDPR compliance and apply to all processing activities.
* Purpose limitation (A): Data must be collected forspecified, explicit, and legitimate purposes, and not further processed in a way incompatible with those purposes (Art. 5(1)(b)).
* Data minimization (C): Data must beadequate, relevant, and limitedto what is necessary in relation to the purposes (Art. 5(1)(c)).
* Storage limitation (E): Data must not be kept longer than necessary for the purposes; retention periods must be defined (Art. 5(1)(e)).
* Integrity and confidentiality (G): Data must be processed securely, protecting against unauthorized access, accidental loss, destruction, or damage (Art. 5(1)(f)).
By contrast:
* Individual participation (B)is anOECD principle, not a GDPR principle.
* Access and correction (D)aredata subject rights(Arts. 15-16 GDPR), not principles.
* Data localization (F)is not part of the GDPR; in fact, GDPR allows international data transfers under Chapter V.
Thus, the correct fourcore GDPR principlesare:
#A. Purpose limitation, C. Data minimization, E. Storage limitation, G. Integrity and confidentiality.
#Reference:
* GDPR Article 5(1) - Principles relating to processing of personal data
* CIPP/E Textbook (3rd ed.), Chapter 6 "Data Processing Principles"


NEW QUESTION # 111
Which of the following is an example of direct marketing that would be subject to European data protection laws?

  • A. An updated privacy notice sent to an individual's personal email address.
  • B. A revision of contract terms conveyed to an individual by SMS from a marketing organization.
  • C. A charity fundraising event notice sent to an individual at her business address.
  • D. A service outage notification provided to an individual by recorded telephone message.

Answer: C


NEW QUESTION # 112
SCENARIO
Please use the following to answer the next question:
ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.
Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain's locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.
Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.
What are ABC Hotel Chain and XYZ Travel Agency's roles in this relationship?

  • A. ABC Hotel Chain is the controller and XYZ Travel Agency is the processor.
  • B. ABC Hotel Chain and XYZ Travel Agency are independent controllers.
  • C. ABC Hotel Chain and XYZ Travel Agency are joint controllers.
  • D. XYZ Travel Agency is the controller and ABC Hotel Chain is the processor.

Answer: A


NEW QUESTION # 113
SCENARIO
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn't prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.
The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre- registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company's app, like storage and sharing of DNA information with other applications and medical providers. The company's contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers' attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn't include any technology or infrastructure; rather, it's simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob's laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.
Who-R-U is NOT required to notify the local German DPA about the laptop theft because?

  • A. The data isn't considered personally identifiable financial information.
  • B. There is no evidence that the thieves have accessed the data on the laptop.
  • C. The company isn't a controller established in the Union.
  • D. The laptop belonged to a company located in Canada.

Answer: C

Explanation:
According to the GDPR, a data breach must be notified to the supervisory authority of the member state where the controller or processor is established, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons1. The GDPR defines a controller as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data"2. The GDPR also specifies that a controller orprocessor is considered to be established in the Union if it has "an effective and real exercise of activity through stable arrangements" in the Union, regardless of its legal form or location of its headquarters3.
In this scenario, Who-R-U is not a controller established in the Union, because it does not have any stable arrangements in the Union that involve the processing of personal data. The company only offers its services to Canadians, and does not target or monitor individuals in the Union. The fact that it has purchased the naming rights for a building in Germany, which comes with a few offices, does not constitute an effective and real exercise of activity in the Union, as the offices do not include any technology or infrastructure for processing personal data, and are only used by executives while traveling internationally. Therefore, Who-R- U is not subject to the GDPR's data breach notification obligation, and is not required to notify the local German DPA about the laptop theft.
References:
Art. 33 GDPR - Notification of a personal data breach to the supervisory authority Art. 4 GDPR - Definitions Art. 3 GDPR - Territorial scope Guidelines 9/2022 on personal data breach notification under GDPR Guidelines 3/2018 on the territorial scope of the GDPR I hope this helps you understand the GDPR and data breach notification better. If you have any other questions, please feel free to ask me.#


NEW QUESTION # 114
How is the retention of communications traffic data for law enforcement purposes addressed by European data protection law?

  • A. The ePrivacy Directive allows individual EU member states to engage in such data retention.
  • B. The ePrivacy Directive harmonizes EU member states' rules concerning such data retention.
  • C. The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal offences only.
  • D. The Data Retention Directive's annulment makes such data retention now permissible.

Answer: B

Explanation:
The ePrivacy Directive is a European Union (EU) directive that aims to protect the confidentiality of electronic communications and prevent their indiscriminate interception or monitoring. It was adopted in 2002 and amended in 2009. It applies to all providers of electronic communication services, such as internet service providers, mobile network operators, and online platforms12.
One of the main objectives of the ePrivacy Directive is to ensure that the retention of communications traffic data for law enforcement purposes is subject to strict conditions and safeguards. Communications traffic data refers to any information relating to the transmission or routing of electronic communications, such as IP addresses, timestamps, and metadata3. Such data can be used by competent national authorities for the prevention, investigation, detection or prosecution of criminal offences and safeguarding national security4.
However, the ePrivacy Directive does not allow individual EU member states to engage in such data retention without harmonizing their rules. Article 6(1)(b) of the directive states that "Member States shall ensure that any measures taken by them in relation to the retention of traffic data are consistent with this Directive". Therefore, each EU member state must adopt a national law that complies with the requirements and limitations set by the directive12.
The Data Retention Directive (DRD) was a previous EU directive that aimed to establish a common framework for the retention of communications traffic data for law enforcement purposes across all EU member states. It was adopted in 2006 and amended in 2010. However, it was annulled by the Court of Justice of the European Union (CJEU) in 2014 on procedural grounds. The CJEU found that some provisions of the DRD were inconsistent with other EU directives and principles, such as Article 8(2) of the Charter of Fundamental Rights (CFR), which protects individuals from arbitrary interference with their privacy56.
The GDPR is a new EU regulation that implements some aspects of the DRD into national law through its provisions on processing personal data. However, it does not address directly the issue of communications traffic data retention for law enforcement purposes. Instead, it requires providers to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in processing personal data. These measures include encryption, pseudonymisation, access control, and accountability7 . The GDPR also grants individuals certain rights regarding their personal data, such as access, rectification, erasure, portability, and objection7 .
Therefore, under current EU law, there is no single legal basis for retaining communications traffic data for law enforcement purposes across all EU member states. Each member state must adopt its own national law that respects the principles and limitations established by the ePrivacy Directive.
References:
ePrivacy Directive
ePrivacy Regulation
What is Communications Traffic Data?
How is Communications Traffic Data Retained?
Data Retention Directive
Data Retention Directive annulled by CJEU
General Data Protection Regulation
What are your rights regarding your personal data?
Reference: https://www.law.kuleuven.be/citip/en/archive/copy_of_publications/440retention-of-traffic-data- dumortier-goemans2f90.pdf (9)


NEW QUESTION # 115
MagicClean is a web-based service located in the United States that matches home cleaning services to customers. It otters its services exclusively in the United States It uses a processor located in France to optimize its data. Is MagicClean subject to the GDPR?

  • A. No, because MagicClean is located m the United States only.
  • B. Yes, because MagicClean is processing data in the EU
  • C. No. because MagicClean is not offering services to EU data subjects.
  • D. Yes. because MagicClean's data processing agreement with the French processor is an establishment in the EU

Answer: C

Explanation:
According to Article 3 of the GDPR, the regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. The regulation also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to such data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU. In this case, MagicClean is a controller not established in the EU, and it does not offer services to EU data subjects or monitor their behaviour. Therefore, MagicClean is not subject to the GDPR, even if it uses a processor located in France to optimize its data. The location of the processor does not determine the applicability of the GDPR, but the context of the activities of the controller or the processor and the relationship with the data subjects. References:
* Article 3 of the GDPR
* IAPP CIPP/E Study Guide, page 14


NEW QUESTION # 116
Article 58 of the GDPR describes the power of supervisory authorities. Which of the following is NOT among those granted?

  • A. Investigatory powers.
  • B. Authorization and advisory powers.
  • C. Corrective powers.
  • D. Legislative powers.

Answer: D


NEW QUESTION # 117
SCENARIO
Please use the following to answer the next question:
Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club's U.K.
brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club.
After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVETFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVETFIT through alternate channels, he decides to take action against the company.
Javier contacts the U.K. Information Commissioner's Office ('ICO' - the U.K.'s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e.
the supervisory authority of EVERFIT's main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article
60 of the GDPR. The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision.
Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.
Assuming that multiple EVETFIT branches across several EU countries are acting as separate data controllers, and that each of those branches were responsible for mishandling Javier's request, how may Javier proceed in order to seek compensation?

  • A. He will have to sue the EVETFIT's head office in France, where EVETFIT has its main establishment.
  • B. He will be able to sue any one of the relevant EVETFIT branches, as each one may be held liable for the entire damage.
  • C. He will have to sue each EVETFIT branch so that each branch provides proportionate compensation commensurate with its contribution to the damage or distress suffered by Javier.
  • D. He will be able to apply to the European Data Protection Board in order to determine which particular EVETFIT branch is liable for damages, based on the decision that was made by the board.

Answer: B

Explanation:
According to Article 82 of the GDPR1, any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered. Any controller involved in processing shall be liable for the damage caused by processing which infringes the GDPR. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject. Therefore, Javier can sue any one of the EVETFIT branches that were involved in processing his personal data without his consent and in violation of his rights, and he can claim full compensation from that branch. The branch that pays the compensation can then claim back from the other branches involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage. References: 1 Art. 82 GDPR - Right to compensation and liability
- General Data Protection Regulation (GDPR)


NEW QUESTION # 118
Under Article 80(1) of the GDPR, individuals can elect to be represented by not-for-profit organizations in a privacy group litigation or class action. These organizations are commonly known as?

  • A. Human rights organizations.
  • B. Civil society organizations.
  • C. Constitutional rights organizations.
  • D. Law firm organizations.

Answer: D


NEW QUESTION # 119
Article 29 Working Party has emphasized that the GDPR forbids "forum shopping", which occurs when companies do what?

  • A. Choose the data protection officer that is most sympathetic to their business concerns.
  • B. Select third-party processors on the basis of cost rather than quality of privacy protection.
  • C. Designate their main establishment in member state with the most flexible practices.
  • D. File appeals of infringement judgments with more than one EU institution simultaneously.

Answer: C

Explanation:
The GDPR aims to harmonize the data protection rules across the EU and to ensure consistent and effective enforcement of those rules. However, the GDPR also recognizes that there may be some differences in the interpretation and application of the law among the member states, depending on their national legislation, culture and practices. Therefore, the GDPR introduces the concept of the "main establishment" of a controller or processor, which is the place where the decisions on the purposes and means of the processing of personal data are taken in theEU1. The main establishment determines which national supervisory authority will act as the lead authority for the cross-border processing activities of that controller or processor, and which national law will apply in case of a dispute or a complaint2. The Article 29 Working Party, which is an advisory body composed of representatives of the national supervisory authorities,the European Data Protection Supervisor and the European Commission, has issued guidelines on how to identify the main establishment of a controller or processor under the GDPR3. The guidelines emphasize that the main establishment must reflect the reality of the processing activities and the effective and real exercise of management power over those activities. The guidelines also warn against the practice of "forum shopping", which occurs when a controller or processor designates its main establishment in a member state with the most flexible or lenient data protection regime, regardless of the actual location of the decision-making or the data processing. The guidelines state that such a practice is forbidden under the GDPR, and that the supervisory authorities will closely monitor and verify the criteria used by the controllers or processors to determine their main establishment. If the supervisory authorities find that the main establishment does not correspond to the factual situation, they may challenge the designation and apply the relevant corrective measures4. References: 1 Art. 4 (16) GDPR - Definitions - General Data Protection Regulation (GDPR)
2 Art. 56-58 GDPR - Cooperation and consistency - General Data Protection Regulation (GDPR)3 Guidelines
3/2018 on the territorial scope of the GDPR (Article 3) - European Data Protection Board4 Ibid, p. 14-15.
Reference: https://gdprinformer.com/gdpr-articles/forum-shopping-illegal-gdpr


NEW QUESTION # 120
Pursuant to Article 17 and EDPB Guidelines S'2019 on RTBF criteria in search engines cases, all of the following would be valid grounds for data subject delisting requests EXCEPT?

  • A. The personal data is no longer necessary in relation to the search engine provider's processing
  • B. The personal dale has been collected in relation to the offer of Information society services (ISS) to a child.
  • C. The data subject withdraws consent and there is no other legal basis for the processing.
  • D. The processing s necessary for exercising the right of freedom of expression and information

Answer: D

Explanation:
According to Article 17 of the GDPR, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing; the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
However, Article 17(3) provides that the right to erasure does not apply to the extent that processing is necessary for exercising the right of freedom of expression and information. Therefore, this would not be a valid ground for data subject delisting requests. References:
Article 17 of the GDPR
EDPB Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1)


NEW QUESTION # 121
SCENARIO
Please use the following to answer the next question:
Why was Jackie correct in not completing a transfer impact assessment for HRYourWay?

  • A. HRYourWay is not located in a third country.
  • B. ProStorage will obtain consent for all transfers.
  • C. ProStorage can rely on its Binding Corporate Rules
  • D. HRYourWay was ultimately not selected

Answer: A

Explanation:
According to the GDPR, a transfer of personal data to a third country or an international organisation may take place only if the conditions laid down in Chapter V of the GDPR are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation1. A third country is any country outside of the European Union (EU) and the European Economic Area (EEA)2. Therefore, a transfer impact assessment is only required when personal data is transferred to a third country or an international organisation that does not provide an adequate level of data protection, as recognised by the European Commission3. HRYourWay is a German based company, and Germany is a member state of the EU and the EEA. Thus, HRYourWay is not located in a third country, and no transfer impact assessment is needed for transferring personal data to it. The other options are incorrect, as they are not relevant to the question of whether a transfer impact assessment is required or not. Reference:
GDPR, Chapter V
GDPR, Article 4 (24)
GDPR, Article 45


NEW QUESTION # 122
What is true if an employee makes an access request to his employer for any personal data held about him?

  • A. The employer can decline the request if the information is only held electronically.
  • B. The employer must supply any information held about an employee unless an exemption applies.
  • C. The employer must supply all the information held about the employee.
  • D. The employer can automatically decline the request if it contains personal data about a third person.

Answer: B

Explanation:
Explanation


NEW QUESTION # 123
SCENARIO
Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers' data to third parties, and he's convinced that Accidentable must have gotten his information from Bedrock Insurance.
Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.
Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.
In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.
Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis's contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.
Accidentable's response letter confirms Louis's suspicions. Accidentable is Bedrock Insurance's wholly owned subsidiary, and they received information about Louis's accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis's contract included, a provision in which he agreed to share his information with Bedrock's affiliates for business purposes.
Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.
Based on the GDPR's position on the use of personal data for direct marketing purposes, which of the following is true about Louis's rights as a data subject?

  • A. Louis has the right to object to the use of his data, unless his data is required by Bedrock for the purpose of exercising a legal claim.
  • B. Louis does not have the right to object to the use of his data if Bedrock can demonstrate compelling legitimate grounds for the processing.
  • C. Louis has the right to object at any time to the use of his data and Bedrock must honor his request to cease use.
  • D. Louis does not have the right to object to the use of his data because he previously consented to it.

Answer: C

Explanation:
Louis has the right to object at any time to the use of his data and Bedrock must honor his request to cease use.
The GDPR states that "where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing" and that "where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes."3 This right applies regardless of whether the data subject has previously consented to the use of his or her data, or whether the data are required for a legal claim or a legitimate interest. The data subject must be informed of this right clearly and separately from any other information at the time of the first communication with him or her, and must be provided with an easy way to exercise it.2 Therefore, Louis can object to the use of his data by Bedrock and Accidentable for direct marketing purposes, and they must stop processing his data for such purposes as soon as they receive his objection. Louis can also withdraw his consent for any other processing of his data that he has previously agreed to, such as sharing his data with Bedrock's affiliates.4


NEW QUESTION # 124
A well-known video production company, based in Spain but specializing in documentaries filmed worldwide, has just finished recording several hours of footage featuring senior citizens in the streets of Madrid. Under what condition would the company NOT be required to obtain the consent of everyone whose image they use for their documentary?

  • A. If the company limits the footage to data subjects solely of legal age.
  • B. If obtaining consent is deemed to involve disproportionate effort.
  • C. If the company's status as a documentary provider allows it to claim legitimate interest.
  • D. If obtaining consent is deemed voluntary by local legislation.

Answer: C

Explanation:
According to the GDPR, consent is one of the six lawful bases for processing personal data, but not the only one. The other five are: contract, legal obligation, vital interests, public task and legitimate interests. Legitimate interests can be invoked by controllers who process personal data for their own benefit or for the benefit of third parties, as long as such processing does not override the rights and freedoms of the data subjects, especially if they are children. The GDPR also recognizes that processing personal data for journalistic purposes or the purposes of academic, artistic or literary expression may be necessary for the exercise of the right to freedom of expression and information, which is a legitimate interest. Therefore, the company may not need to obtain the consent of everyone whose image they use for their documentary, if they can demonstrate that their processing is necessary for the purposes of their journalistic, artistic or literary expression, and that they have taken into account the reasonable expectations of the data subjects and the potential impact on their privacy. The company should also comply with any relevant national laws or codes of conduct that may apply to such processing. Reference:
GDPR, Article 6(1)(a)-(f)
GDPR, Recital 47
GDPR, Article 85


NEW QUESTION # 125
Assuming that the "without undue delay" provision is followed, what is the time limit for complying with a data access request?

  • A. Within 40 days of receipt, which may be extended by up to 40 additional days
  • B. Within one month of receipt, which may be extended by up to an additional month
  • C. Within one month of receipt, which may be extended by an additional two months
  • D. Within 40 days of receipt

Answer: B

Explanation:
Reference https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection- regulation-gdpr/individual-rights/right-of-access/


NEW QUESTION # 126
A company is hesitating between Binding Corporate Rules and Standard Contractual Clauses as a global data transfer solution. Which of the following statements would help the company make an effective decision?

  • A. Binding Corporate Rules are especially recommended for small and medium companies.
  • B. The data exporter does not need to be located in the EU for the standard Contractual Clauses.
  • C. The company will need the prior authorization of all EU data protection authorities for concluding Standard Contractual Clauses.
  • D. Binding Corporate Rules provide a global solution for all the entities of a company that are bound by the intra-group agreement.

Answer: D

Explanation:
According to the GDPR, transfers of personal data to third countries or international organisations are only allowed if the controller or processor complies with the conditions laid down in Chapter V of the GDPR1. One of these conditions is the existence of an adequacy decision by the European Commission, which means that the third country or international organisation ensures an adequate level of protection for the personal data2. However, if there is no adequacy decision, the controller or processor must provide appropriate safeguards for the data transfer, such as binding corporate rules (BCR) or standard contractual clauses (SCC)3.
Binding corporate rules (BCR) are internal rules adopted by a group of undertakings or enterprises engaged in a joint economic activity, which define its global policy with regard to the international transfers of personal data within the same corporate group or business partners located in third countries4. BCR must include all the general data protection principles and enforceable rights to ensure appropriate safeguards for the data transfers. They must be legally binding and enforced by every member concerned of the group5. BCR must be approved by the competent supervisory authority in accordance with the consistency mechanism provided by the GDPR6.
Standard contractual clauses (SCC) are sets of contractual terms and conditions that the controller or processor and the recipient of the data agree to apply to the data transfer. SCC are adopted by the European Commission or by a supervisory authority in accordance with the consistency mechanism and are available in the Official Journal of the European Union7. SCC must offer sufficient safeguards on data protection for the data to be transferred internationally8.
In the given scenario, option C is the statement that would help the company make an effective decision between BCR and SCC, as it highlights the main advantage of BCR over SCC, which is the global and comprehensive solution that BCR provide for all the entities of a company that are bound by the intra-group agreement. BCR are especially suitable for large and complex organisations that have frequent and high- volume data transfers within the same corporate group or business partners located in third countries. BCR also offer more flexibility and legal certainty than SCC, as they are tailored to the specific needs and structure of the group and do not require individual contracts for each data transfer.
The other options (A, B, and D) are either incorrect or misleading statements that would not help the company make an effective decision between BCR and SCC. Option A is incorrect, as BCR are not recommended for small and medium companies, but rather for large and complex ones, as explained above. Option B is misleading, as it implies that the data exporter can be located outside the EU for the SCC, which is true, but not relevant for the comparison with BCR, as the data exporter can also be located outside the EU for the BCR, as long as it is subject to the GDPR by virtue of Article 3(2). Option D is also misleading, as it implies that the company will need the prior authorization of all EU data protection authorities for concluding SCC, which is false, as the company will only need the prior authorization of the competent supervisory authority in the Member State where the data exporter is established, unless the SCC are modified or supplemented by additional clauses or safeguards. References:
* 1: [Article 44 of the GDPR]
* 2: [Article 45 of the GDPR]
* 3: [Article 46 of the GDPR]
* 4: [Article 4 (20) of the GDPR]
* 5: [Article 47 of the GDPR]
* 6: [Article 63 of the GDPR]
* 7: [Article 93 of the GDPR]
* 8: [Article 46 (2) and (d) of the GDPR]
* : [Binding Corporate Rules (BCR)]
* : [Article 3 (2) of the GDPR]
* : [Article 46 (3) (a) and (b) of the GDPR]
* : [Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)]
* : [Binding Corporate Rules (BCR) - European Commission]
* : [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679]
* : [https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection
/binding-corporate-rules-bcr_en]
* : [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679]
* : [https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection
/binding-corporate-rules-bcr_en]


NEW QUESTION # 127
......

Verified CIPP-E Exam Dumps Q&As - Provide CIPP-E with Correct Answers: https://www.actual4cert.com/CIPP-E-real-questions.html

Pass Your CIPP-E Dumps Free Latest IAPP Practice Tests: https://drive.google.com/open?id=1n0x2GJzxynjntgbwgg6aWHHSY3__une-