
2022 Realistic Verified Free IAPP CIPP-E Exam Questions
CIPP-E Real Exam Questions and Answers FREE
NEW QUESTION 78
SCENARIO
Please use the following to answer the next question:
The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron's marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron's legal department.
Registration Form
Vigotron's new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.) Vigotron values your privacy. The M-Health app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron's cloud provider, Stratculous. (Read more about Stratculous here.) Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer's name, email address or any other information gathered from the app to any third party without a customer's consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer's legal rights or protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)
First name:
Surname:
Year of birth:
Email:
Physical Address (optional*):
Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to [email protected] or send a letter with your request to the address listed at the bottom of this page.
Terms and Conditions
1. Jurisdiction. [...]
2. Applicable law. [...]
3. Limitation of liability. [...]
Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well-being.
If a user of the M-Health app were to decide to withdraw his consent, Vigotron would first be required to do what?
- A. Erase any data collected from the time the app was first used.
- B. Provide the user with logs of data collected through use of the app.
- C. Cease processing any data collected through use of the app.
- D. Inform any third parties of the user's withdrawal of consent.
Answer: C
NEW QUESTION 79
In 2016's Guidance, the United Kingdom's Information Commissioner's Office (ICO) reaffirmed the importance of using a "layered notice" to provide data subjects with what?
- A. An explanation of the security measures used when personal data is transferred to a third party.
- B. A privacy notice explaining the consequences for opting out of the use of cookies on a website.
- C. A privacy notice containing brief information whilst offering access to further detail.
- D. An efficient means of providing written consent in member states where they are required to do so.
Answer: A
NEW QUESTION 80
Which of the following was the first to implement national law for data protection in 1973?
- A. United Kingdom
- B. France
- C. Sweden
- D. Germany
Answer: C
NEW QUESTION 81
Which of the following describes a mandatory requirement for a group of undertakings that wants to appoint a single data protection officer?
- A. The data protection officer must be easily accessible from each establishment where the undertakings are located.
- B. The group of undertakings must be comprised of organizations of similar sizes and functions.
- C. The group of undertakings must obtain approval from a supervisory authority.
- D. The data protection officer must be located in the country where the data controller has its main establishment.
Answer: A
NEW QUESTION 82
SCENARIO
Please use the following to answer the next question:
The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron's marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron's legal department.
Registration Form
Vigotron's new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.) Vigotron values your privacy. The M-Health app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron's cloud provider, Stratculous. (Read more about Stratculous here.) Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer's name, email address or any other information gathered from the app to any third party without a customer's consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer's legal rights or protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)
First name:
Surname:
Year of birth:
Email:
Physical Address (optional*):
Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to [email protected] or send a letter with your request to the address listed at the bottom of this page.
Terms and Conditions
1. Jurisdiction. [...]
2. Applicable law. [...]
3. Limitation of liability. [...]
Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well-being.
Emily sends the draft to Sam for review. Which of the following is Sam most likely to point out as the biggest problem with Emily's consent provision?
- A. It is not legal to include fields requiring information regarding health status without consent.
- B. Direct marketing requires explicit consent, whereas the registration form only provides for a right to object
- C. Processing health data requires explicit consent, but the form does not ask for explicit consent.
- D. The provision of the fitness app should be made conditional on the consent to the data processing for direct marketing.
Answer: B
NEW QUESTION 83
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computers activity and their location.
During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
To comply with the GDPR, what should Building Block have done as a first step before implementing the SecurityScan measure?
- A. Assessed potential privacy risks by conducting a data protection impact assessment.
- B. Consulted with the relevant data protection authority about potential privacy violations.
- C. Distributed a more comprehensive notice to employees and received their express consent.
- D. Consulted with the Information Security team to weigh security measures against possible server impacts.
Answer: C
NEW QUESTION 84
An online company's privacy practices vary due to the fact that it offers a wide variety of services. How could it best address the concern that explaining them all would make the policies incomprehensible?
- A. Place a banner on its website stipulating that visitors agree to its privacy policy and terms of use by visiting the site.
- B. Use a layered privacy notice on its website and in its email communications.
- C. Identify uses of data in a privacy notice mailed to the data subject.
- D. Provide only general information about its processing activities and offer a toll-free number for more information.
Answer: C
NEW QUESTION 85
According to the GDPR, what is the main task of a Data Protection Officer (DPO)?
- A. To monitor compliance with other local or European data protection provisions.
- B. To create procedures for notification of personal data breaches to competent supervisory authorities.
- C. To create and maintain records of processing activities.
- D. To conduct Privacy Impact Assessments on behalf of the controller or processor.
Answer: D
NEW QUESTION 86
Which change was introduced by the 2009 amendments to the e-Privacy Directive 2002/58/EC?
- A. A mandatory notification for personal data breaches applicable to all data controllers.
- B. A mandatory notification for personal data breaches applicable to electronic communication providers.
- C. A voluntary notification for personal data breaches applicable to all data controllers.
- D. A voluntary notification for personal data breaches applicable to electronic communication providers.
Answer: B
NEW QUESTION 87
Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?
- A. To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation.
- B. The European Commission can adopt, repeal or amend an existing adequacy decision.
- C. The European Commission can adopt an adequacy decision for individual companies.
- D. EU member states are vested with the power to accept or reject a European Commission adequacy decision.
Answer: C
Explanation:
Explanation/Reference: https://www.futurelearn.com/courses/general-data-protection-regulation/0/steps/32449
NEW QUESTION 88
Under what circumstances might the "soft opt-in" rule apply in relation to direct marketing?
- A. When an individual's details are obtained from their inquiries about buying a product.
- B. Where an individual is given the ability to unsubscribe from marketing emails sent to him.
- C. When an individual has not consented to the marketing.
- D. Where an individual's details have been obtained from a bought-in marketing list.
Answer: B
NEW QUESTION 89
SCENARIO
Please use the following to answer the next question:
Due to a rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
Name
Address
Date of Birth
Payroll number
National Insurance number
Sick pay entitlement
Maternity/paternity pay entitlement
Holiday entitlement
Pension and benefits contributions
Trade union contributions
Jenny is the compliance officer at Company A.
She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
The GDPR requires sufficient guarantees of a company's ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?
- A. Hiring companies whose measures are consistent with recommendations of accrediting bodies.
- B. Vetting companies' measures with the appropriate supervisory authority.
- C. Requesting advice and technical support from Company A's IT team.
- D. Avoiding the use of another company's data to improve their own services.
Answer: A
NEW QUESTION 90
Under Article 9 of the GDPR, which of the following categories of data is NOT expressly prohibited from data processing?
- A. Personal data revealing trade union membership.
- B. Personal data revealing genetic data.
- C. Personal data revealing ethnic origin.
- D. Personal data revealing financial data.
Answer: D
NEW QUESTION 91
According to Article 84 of the GDPR, the rules on penalties applicable to infringements shall be laid down by?
- A. The European Data Protection Board.
- B. The local Data Protection Supervisory Authorities.
- C. The EU Commission.
- D. The Member States.
Answer: D
NEW QUESTION 92
What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) all had in common but largely failed to achieve in Europe?
- A. The creation of legally binding data protection principles
- B. The establishment of a list of legitimate data processing criteria
- C. The restriction of cross-border data flow
- D. The synchronization of approaches to data protection
Answer: C
NEW QUESTION 93
Assuming that the "without undue delay" provision is followed, what is the time limit for complying with a data access request?
- A. Within one month of receipt, which may be extended by up to an additional month
- B. Within 40 days of receipt
- C. Within one month of receipt, which may be extended by an additional two months
- D. Within 40 days of receipt, which may be extended by up to 40 additional days
Answer: A
Explanation:
Explanation/Reference: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/
NEW QUESTION 94
SCENARIO
Please use the following to answer the next question:
Due to a rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
Name
Address
Date of Birth
Payroll number
National Insurance number
Sick pay entitlement
Maternity/paternity pay entitlement
Holiday entitlement
Pension and benefits contributions
Trade union contributions
Jenny is the compliance officer at Company A.
She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
Under the GDPR, which of Company B's actions would NOT be likely to trigger a potential enforcement action?
- A. Their engagement of Company C to improve their payroll service.
- B. Their omission of data protection provisions in their contract with Company C.
- C. Their decision to operate without a data protection officer.
- D. Their failure to provide sufficient security safeguards to Company A's data.
Answer: A
NEW QUESTION 95
What type of data lies beyond the scope of the General Data Protection Regulation?
- A. Pseudonymized
- B. Encrypted
- C. Masked
- D. Anonymized
Answer: D
NEW QUESTION 96
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
What would be the MOST APPROPRIATE way for Building Block to handle the situation with the employee from Italy?
- A. Since the employee was not informed that the security measures would be used for other purposes such as monitoring, the company could face difficulties in applying any disciplinary measures to this employee.
- B. Since this was a serious infringement, but the employee was not appropriately informed about the consequences of the new security measures, the company would be entitled to apply some disciplinary measures, but not dismissal.
- C. Since the GDPR does not apply to this situation, the company would be entitled to apply any disciplinary measure authorized under Italian labor law.
- D. Since the employee was the cause of a serious risk for the server performance and their data, the company would be entitled to apply disciplinary measures to this employee, including fair dismissal.
Answer: B
NEW QUESTION 97
As a result of the European Court of Justice's ruling in the case of Google v. Spain, search engines outside the EEA are also likely to be subject to the Regulation's right to be forgotten. This holds true if the activities of an EU subsidiary and its U.S. parent are what?
- A. Supervised by the same Data Protection Officer.
- B. Bound by a standard contractual clause.
- C. Consistent with Privacy Shield requirements
- D. Inextricably linked in their businesses.
Answer: D
NEW QUESTION 98
Article 5(1)(b) of the GDPR states that personal data must be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes." Based on Article 5(1)(b), what is the impact of a member state's interpretation of the word "incompatible"?
- A. It guides the courts on the severity of the consequences for those who are convicted of the intentional misuse of personal data.
- B. It sets the standard for the level of detail a controller must record when documenting the purpose for collecting personal data.
- C. It dictates the level of security a processor must follow when using and storing personal data for two different purposes.
- D. It indicates the degree of flexibility a controller has in using personal data in ways that may vary from its original intended purpose.
Answer: C
NEW QUESTION 99
What ways to study the IAPP Exam
There are two main types of resources for preparing for certification exams. First, there are study guides and books, which are detailed and suitable for building knowledge from the ground up. Then there are video tutorials and lectures, which can somewhat ease the pain of thorough study and are comparatively less boring for some candidates, yet these still demand time and concentration from the learner. Smart candidates who want to build a solid foundation in all exam topics and related technologies usually combine video lectures with study guides to reap the benefits of both, but there is one crucial preparation tool that is often overlooked by most candidates: practice exams. Practice exams are built to make students comfortable with the real exam environment. Statistics have shown that most students fail not due to lack of preparation but due to exam anxiety, the fear of the unknown. The DumpsQuestion expert team recommends that you prepare some notes on these topics and, along with that, practice the IAPP CIPP/E exam dumps written by our expert team. Both of these will help you a lot to clear this exam with good marks.
Prerequisites for CIPP-E Exam
The main requirement for the CIPP-E exam is that the candidate has a basic knowledge of data protection. It is an added advantage if the candidate has relevant work experience which has already introduced them to the skills and concepts needed in the industry.
For more info visit:
Exam Dumps CIPP-E Practice Free Latest IAPP Practice Tests: https://www.dumpsquestion.com/CIPP-E-exam-dumps-collection.html
CIPP-E Exam Questions | Real CIPP-E Practice Dumps: https://drive.google.com/open?id=192_XwDOReNk8fOMxpOafJTfiWJM2TX3l