2021 CIPP-C Premium Files Test pdf - Free Dumps Collection [Q81-Q104]

Share

2021 CIPP-C Premium Files Test pdf - Free Dumps Collection

 Get ready to pass the CIPP-C Exam right now using our Certified Information Privacy Professional  Exam Package

NEW QUESTION 81
Many businesses print their employees' photographs on building passes, so that employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GDPR. Why would such practice be permitted?

  • A. Because use of biometric data to confirm the unique identification of data subjects benefits from an exemption.
  • B. Because employees are deemed to have given their explicit consent when they agree to be photographed by their employer.
  • C. Because photographs qualify as biometric data only when they undergo a "specific technical processing".
  • D. Because photographic ID is a physical security measure which is "necessary for reasons of substantial public interest".

Answer: C

Explanation:
Explanation
Reference https://ess.csa.canon.com/rs/206-CLL-191/images/IAPP-Top-10-Operational-Impacts-of- GDPR.pdf?TC=DM&CN=CSA_OMNIA_Partners&CS=CSA&CR=T1_Gov%20GenNonProfit (11)

 

NEW QUESTION 82
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States, Canada and Asia. A large portion of the company's revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children's Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well.
The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though that the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.
What presents the BIGGEST potential privacy issue with the company's practices?

  • A. The RFID tag in the action figures has the potential for misuse because of the toy's evolving capabilities
  • B. The cloud service provider is in a country that has not been deemed adequate
  • C. The information about the data processing involved has not been specified
  • D. The NFC portal can read any data stored in the action figures

Answer: C

 

NEW QUESTION 83
How does the GDPR now define "processing"?

  • A. Any use or disclosure of personal data compatible with the purpose for which the data was collected.
  • B. Any operation or set of operations performed on personal data or on sets of personal data.
  • C. Any operation or set of operations performed by automated means on personal data or on sets of personal data.
  • D. Any act involving the collecting and recording of personal data.

Answer: D

 

NEW QUESTION 84
What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?

  • A. The processor will be considered to be a controller in respect of the processing concerned
  • B. The processor will be liable to pay compensation to affected data subjects
  • C. The controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved
  • D. The controller will be liable to pay an administrative fine

Answer: B

 

NEW QUESTION 85
SCENARIO
Please use the following to answer the next question:
Brady is a computer programmer based in New Zealand who has been running his own business for two years.
Brady's business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady's company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.
Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box's chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.
Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.
Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box's home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box's Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.
Despite some customer complaints, Brady's business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles.
Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.
Based on current trends in European privacy practices, which aspect of Brady Box' Online Behavioral Advertising (OBA) is most likely to be insufficient if the company becomes established in Europe?

  • A. The level of security within the website.
  • B. The contract with the third-party advertising network.
  • C. The need to have the contents of the advertising approved.
  • D. The lack of the option to opt in.

Answer: D

 

NEW QUESTION 86
According to Article 14 of the GDPR, how long does a controller have to provide a data subject with necessary privacy information, if that subject's personal data has been obtained from other sources?

  • A. As soon as possible after obtaining the personal data.
  • B. Within a reasonable period after obtaining the personal data, but no later than one month.
  • C. As soon as possible after the first communication with the data subject.
  • D. Within a reasonable period after obtaining the personal data, but no later than eight weeks.

Answer: A

 

NEW QUESTION 87
What must a data controller do in order to make personal data pseudonymous?

  • A. Separately hold any information that would allow linking the data to the data subject.
  • B. Encrypt the data in order to prevent any unauthorized access or modification.
  • C. Use the data only in aggregated form for research purposes.
  • D. Remove all indirect data identifiers and dispose of them securely.

Answer: A

 

NEW QUESTION 88
SCENARIO
Please use the following to answer the next question:
Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B.
Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
* Name
* Address
* Date of Birth
* Payroll number
* National Insurance number
* Sick pay entitlement
* Maternity/paternity pay entitlement
* Holiday entitlement
* Pension and benefits contributions
* Trade union contributions
Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
The GDPR requires sufficient guarantees of a company's ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?

  • A. Avoiding the use of another company's data to improve their own services.
  • B. Vetting companies' measures with the appropriate supervisory authority.
  • C. Hiring companies whose measures are consistent with recommendations of accrediting bodies.
  • D. Requesting advice and technical support from Company A's IT team.

Answer: C

 

NEW QUESTION 89
What is one reason the European Union has enacted more comprehensive privacy laws than the United States?

  • A. To allow the free movement of data between member countries
  • B. To allow separate industries to set privacy standards
  • C. To ensure there is adequate funding for enforcement
  • D. To ensure adequate enforcement of existing laws

Answer: A

 

NEW QUESTION 90
SCENARIO
Please use the following to answer the next QUESTION:
Edufox has hosted an annual convention of users of its famous e-learning software platform, and over time, it has become a grand event. It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centerpiece of the company's product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family.
This year's conference is only three weeks away, and you have just heard news of a new initiative supporting it: a smartphone app for attendees. The app will support late registration, highlight the featured presentations and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. "It's going to be great," the developer, Deidre Hoffman, tells you, "if, that is, we actually get it working!" She laughs nervously but explains that because of the tight time frame she'd been given to build the app, she outsourced the job to a local firm. "It's just three young people," she says, "but they do great work." She describes some of the other apps they have built. When asked how they were selected for this job, Deidre shrugs. "They do good work, so I chose them." Deidre is a terrific employee with a strong track record. That's why she's been charged to deliver this rushed project. You're sure she has the best interests of the company at heart, and you don't doubt that she's under pressure to meet a deadline that cannot be pushed back. However, you have concerns about the app's handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her about it, but she quickly tries to reassure you, "I'm sure with your help we can fix any security issues if we have to, but I doubt there'll be any. These people build apps for a living, and they know what they're doing. You worry too much, but that's why you're so good at your job!" You want to point out that normal protocols have not been followed in this matter. Which process in particular has been neglected?

  • A. Vendor due diligence or vetting
  • B. Privacy breach prevention
  • C. Forensic inquiry
  • D. Data mapping

Answer: A

 

NEW QUESTION 91
Which statement is correct when considering the right to privacy under Section 7 of the Canadian Charter of Rights and Freedoms?

  • A. The right to privacy protects the right to hold opinions and to receive and impart ideas without interference
  • B. The Supreme Court of Canada has stated that the Privacy Act has "quasi-constitutional status", and that the values and rights set out in the Act are closely linked to those set out in the Constitution as being necessary to a free and democratic society.
  • C. The right to privacy is an absolute right
  • D. The right to freedom of expression under section 10 will always override the right to privacy

Answer: B

Explanation:
Explanation
https://www.priv.gc.ca/en/about-the-opc/publications/guide_ind/

 

NEW QUESTION 92
SCENARIO
Please use the following to answer the next question:
Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club's U.K.
brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club.
After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVETFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVETFIT through alternate channels, he decides to take action against the company.
Javier contacts the U.K. Information Commissioner's Office ('ICO' - the U.K.'s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e.
the supervisory authority of EVERFIT's main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR. The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision.
Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.
Under the cooperation mechanism, what should the lead authority (the CNIL) do after it has formed its view on the matter?

  • A. Submit a draft decision directly to the Commission to ensure the effectiveness of the consistency mechanism.
  • B. Request that members of the seconding supervisory authority and the host supervisory authority co-draft a decision.
  • C. Request that the other supervisory authorities provide the lead authority with a draft decision for its consideration.
  • D. Submit a draft decision to other supervisory authorities for their opinion.

Answer: C

 

NEW QUESTION 93
What are the obligations of a processor that engages a sub-processor?

  • A. The processor must obtain the controller's specific written authorization and provide annual reports on the sub-processor's performance.
  • B. The processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor.
  • C. The processor must give the controller prior written notice and perform a preliminary audit of the sub- processor.
  • D. The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.

Answer: D

 

NEW QUESTION 94
A well-known video production company, based in Spain but specializing in documentaries filmed worldwide, has just finished recording several hours of footage featuring senior citizens in the streets of Madrid. Under what condition would the company NOT be required to obtain the consent of everyone whose image they use for their documentary?

  • A. If the company limits the footage to data subjects solely of legal age.
  • B. If obtaining consent is deemed voluntary by local legislation.
  • C. If the company's status as a documentary provider allows it to claim legitimate interest.
  • D. If obtaining consent is deemed to involve disproportionate effort.

Answer: B

 

NEW QUESTION 95
SCENARIO
Please use the following to answer the next question:
The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron's marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task.
At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron's legal department.
Registration Form
Vigotron's new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.) Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron's cloud provider, Stratculous. (Read more about Stratculous here.) Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer's name, email address or any other information gathered from the app to any third- party without a customer's consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer's legal rights or protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)
* First name:
* Surname:
* Year of birth:
* Email:
* Physical Address (optional*):
* Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to [email protected] or send a letter with your request to the address listed at the bottom of this page.
Terms and Conditions
1.Jurisdiction. [...]
2.Applicable law. [...]
3.Limitation of liability. [...]
Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.
If a user of the M-Health app were to decide to withdraw his consent, Vigotron would first be required to do what?

  • A. Cease processing any data collected through use of the app.
  • B. Erase any data collected from the time the app was first used.
  • C. Provide the user with logs of data collected through use of the app.
  • D. Inform any third parties of the user's withdrawal of consent.

Answer: A

 

NEW QUESTION 96
A mobile device application that uses cookies will be subject to the consent requirement of which of the following?

  • A. The E-Commerce Directive
  • B. The Data Retention Directive
  • C. The EU Cybersecurity Directive
  • D. The ePrivacy Directive

Answer: D

 

NEW QUESTION 97
What should a controller do after a data subject opts out of a direct marketing activity?

  • A. Without exception, securely delete all personal data relating to the data subject.
  • B. Without undue delay, provide information to the data subject on the action that will be taken.
  • C. Take reasonable steps to inform third-party recipients that the data subject's personal data should be deleted and no longer processed.
  • D. Refrain from processing personal data relating to the data subject for the relevant type of communication.

Answer: D

 

NEW QUESTION 98
Under what circumstances would the GDPR apply to personal data that exists in physical form, such as information contained in notebooks or hard copy files?

  • A. Only where the personal data is produced as a physical output of specific automated processing activities, such as printing, labelling, or stamping.
  • B. Only where the personal data is treated by automated means in some way, such as computerized distribution or filing.
  • C. Only where the personal data is handled in a sufficiently structured manner so as to form part of a filing system.
  • D. Only where the personal data is to be subjected to specific computerized processing, such as image scanning or optical character recognition.

Answer: C

 

NEW QUESTION 99
Under what circumstances might the "soft opt-in" rule apply in relation to direct marketing?

  • A. Where an individual is given the ability to unsubscribe from marketing emails sent to him.
  • B. Where an individual's details have been obtained from a bought-in marketing list.
  • C. When an individual has not consented to the marketing.
  • D. When an individual's details are obtained from their inquiries about buying a product.

Answer: D

 

NEW QUESTION 100
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Ontario University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
* Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
* Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
* Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees.
These records are available to former students after registering through Ontario's Alumni portal.
Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
* Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Anna will find that a risk analysis is NOT necessary in this situation as long as?

  • A. The algorithms that Frank uses for the processing are technologically sound
  • B. The processing will not negatively affect the rights of the data subjects
  • C. The data subjects gave their unambiguous consent for the original processing
  • D. The data subjects are no longer current students of Frank's

Answer: C

 

NEW QUESTION 101
Assuming that the "without undue delay" provision is followed, what is the time limit for complying with a data access request?

  • A. Within 40 days of receipt
  • B. Within one month of receipt, which may be extended by up to an additional month
  • C. Within 40 days of receipt, which may be extended by up to 40 additional days
  • D. Within one month of receipt, which may be extended by an additional two months

Answer: B

 

NEW QUESTION 102
A law enforcement subpoenas the ACME telecommunications company for access to text message records of a person suspected of planning a terrorist attack. The company had previously encrypted its text message records so that only the suspect could access this data.
What law did ACME violate by designing the service to prevent access to the information by a law enforcement agency?

  • A. SCA
  • B. ECPA
  • C. CALEA
  • D. USA Freedom Act

Answer: C

 

NEW QUESTION 103
Which was NOT one of the five priority areas listed by the Federal Trade Commission in its 2012 report,
''Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers"?

  • A. Do Not Track
  • B. International data transfers
  • C. Promoting enforceable self-regulatory codes
  • D. Large platform providers

Answer: B

 

NEW QUESTION 104
......

Master 2021 Latest The Questions Certified Information Privacy Professional and Pass CIPP-C  Real Exam!: https://www.dumpsquestion.com/CIPP-C-exam-dumps-collection.html

A fully updated 2021 CIPP-C Exam Dumps exam guide from training expert DumpsQuestion: https://drive.google.com/open?id=17gSHELvpkG9X66ksvkGlD0fTXEre9Q6W