2022 Valid CIPP-C test answers & IAPP Exam PDF [Q96-Q119]

Share

2022 Valid CIPP-C test answers & IAPP Exam PDF

Free IAPP CIPP-C Exam Questions and Answer from Training Expert DumpsQuestion


What if I fail the IAPP CIPP-C Certification Exam

If you fail the IAPP CIPP-C exam, then you will be given the option to retake the exam. You can choose to retake it after 24 hours or after 7 days, depending on which exam center you are taking your test at. If upon retaking the exam you still fail it, then you will lose your testing fees. However, if one year has gone by since your first attempt, and you still have not passed the exam then IAPP will refund your total cost of testing. IAPP CIPP-C exam dumps can be a guide to help you pass the exam. The IAPP CIPP-C simulation questions will also help you better understand the test itself. Post your first attempt to your local chapter of IAPP on the failure. Attempting to pass this exam is not difficult. There are guides available on the IAPP website that will help to prepare for the exam.

 

NEW QUESTION 96
Under Article 30 of the GDPR, controllers are required to keep records of all of the following EXCEPT?

  • A. Retention periods for erasure and deletion of categories of personal data.
  • B. Categories of recipients to whom the personal data have been disclosed.
  • C. Incidents of personal data breaches, whether disclosed or not.
  • D. Data inventory or data mapping exercises that have been conducted.

Answer: A

 

NEW QUESTION 97
SCENARIO
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn't prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.
The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre- registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company's app, like storage and sharing of DNA information with other applications and medical providers. The company's contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers' attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn't include any technology or infrastructure; rather, it's simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob's laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.
If Who-R-U adopts the We-Track-U pilot plan, why is it likely to be subject to the territorial scope of the GDPR?

  • A. Its plan would be in the context of the establishment of a controller in the Union.
  • B. It is engaging in commercial activities conducted in the Union.
  • C. It is monitoring the behavior of data subjects in the Union.
  • D. It would be offering goods or services to data subjects in the Union.

Answer: C

 

NEW QUESTION 98
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick's instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients' data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft's engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies' websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem's as well as EcoMick's latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem's products, she has never shopped EcoMick, nor provided her personal data to that company.
Which of the following BEST describes the relationship between Liem, EcoMick and JaphSoft?

  • A. Liem and EcoMick are joint controllers because they carry out joint marketing activities.
  • B. Liem is a controller and EcoMick is a processor because Liem provides specific instructions regarding how the marketing campaigns should be rolled out.
  • C. JaphSoft is the sole processor because it processes personal data on behalf of its clients.
  • D. EcoMick and JaphSoft are is a controller and Liem is a processor because EcoMick is sharing its marketing data with Liem for contacts in Europe.

Answer: D

 

NEW QUESTION 99
If a multi-national company wanted to conduct background checks on all current and potential employees, including those based in Europe, what key provision would the company have to follow?

  • A. Background checks on European employees will stem from data protection and employment law, which can vary between member states.
  • B. Background checks are only authorized with prior notice and express consent from all employees including those based in Europe.
  • C. Background checks may not be allowed on European employees, but the company can create lists based on its legitimate interests, identifying individuals who are ineligible for employment.
  • D. Background checks on employees could be performed only under prior notice to all employees.

Answer: A

 

NEW QUESTION 100
SCENARIO
Please use the following to answer the next question:
Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club's U.K.
brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club.
After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVETFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVETFIT through alternate channels, he decides to take action against the company.
Javier contacts the U.K. Information Commissioner's Office ('ICO' - the U.K.'s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e.
the supervisory authority of EVERFIT's main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR. The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision.
Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.
Assuming that multiple EVETFIT branches across several EU countries are acting as separate data controllers, and that each of those branches were responsible for mishandling Javier's request, how may Javier proceed in order to seek compensation?

  • A. He will have to sue each EVETFIT branch so that each branch provides proportionate compensation commensurate with its contribution to the damage or distress suffered by Javier.
  • B. He will have to sue the EVETFIT's head office in France, where EVETFIT has its main establishment.
  • C. He will be able to apply to the European Data Protection Board in order to determine which particular EVETFIT branch is liable for damages, based on the decision that was made by the board.
  • D. He will be able to sue any one of the relevant EVETFIT branches, as each one may be held liable for the entire damage.

Answer: B

 

NEW QUESTION 101
Which area of privacy is a lead supervisory authority's (LSA) MAIN concern?

  • A. Special categories of data
  • B. Cross-border processing
  • C. Data subject rights
  • D. Data access disputes

Answer: B

 

NEW QUESTION 102
SCENARIO
Please use the following to answer the next question:
Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club's U.K.
brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club.
After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVETFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVETFIT through alternate channels, he decides to take action against the company.
Javier contacts the U.K. Information Commissioner's Office ('ICO' - the U.K.'s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e.
the supervisory authority of EVERFIT's main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR. The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision.
Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.
Under the cooperation mechanism, what should the lead authority (the CNIL) do after it has formed its view on the matter?

  • A. Request that the other supervisory authorities provide the lead authority with a draft decision for its consideration.
  • B. Submit a draft decision directly to the Commission to ensure the effectiveness of the consistency mechanism.
  • C. Submit a draft decision to other supervisory authorities for their opinion.
  • D. Request that members of the seconding supervisory authority and the host supervisory authority co-draft a decision.

Answer: A

 

NEW QUESTION 103
What permissions are required for a marketer to send an email marketing message to a consumer in the EU?

  • A. A notice that the consumer's email address will be used for marketing purposes.
  • B. No prior permission required, but an opt-out requirement on all emails sent to consumers.
  • C. A pre-checked box stating that the consumer agrees to receive email marketing.
  • D. A prior opt-in consent for consumers unless they are already customers.

Answer: D

 

NEW QUESTION 104
What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?

  • A. The controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved
  • B. The processor will be considered to be a controller in respect of the processing concerned
  • C. The controller will be liable to pay an administrative fine
  • D. The processor will be liable to pay compensation to affected data subjects

Answer: D

 

NEW QUESTION 105
How does the GDPR now define "processing"?

  • A. Any use or disclosure of personal data compatible with the purpose for which the data was collected.
  • B. Any act involving the collecting and recording of personal data.
  • C. Any operation or set of operations performed by automated means on personal data or on sets of personal data.
  • D. Any operation or set of operations performed on personal data or on sets of personal data.

Answer: B

 

NEW QUESTION 106
What is the main reason some supporters of the European approach to privacy are skeptical about self-regulation of privacy practices?

  • A. Human rights maybe disregarded for the sake of privacy
  • B. A new business owner may not understand the regulations
  • C. Industries may not be strict enough in the creation and enforcement of rules
  • D. A large amount of money may have to be sent on improved technology and security

Answer: C

 

NEW QUESTION 107
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States, Canada and Asia. A large portion of the company's revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children's Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well.
The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though that the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.
What presents the BIGGEST potential privacy issue with the company's practices?

  • A. The information about the data processing involved has not been specified
  • B. The NFC portal can read any data stored in the action figures
  • C. The RFID tag in the action figures has the potential for misuse because of the toy's evolving capabilities
  • D. The cloud service provider is in a country that has not been deemed adequate

Answer: A

 

NEW QUESTION 108
Which mechanism, new to the GDPR, now allows for the possibility of personal data transfers to third countries under Article 42?

  • A. Approved certifications.
  • B. Binding corporate rules.
  • C. Standard contractual clauses.
  • D. Law enforcement requests.

Answer: A

 

NEW QUESTION 109
Which statement is correct when considering the right to privacy under Section 7 of the Canadian Charter of Rights and Freedoms?

  • A. The right to privacy is an absolute right
  • B. The right to freedom of expression under section 10 will always override the right to privacy
  • C. The right to privacy protects the right to hold opinions and to receive and impart ideas without interference
  • D. The Supreme Court of Canada has stated that the Privacy Act has "quasi-constitutional status", and that the values and rights set out in the Act are closely linked to those set out in the Constitution as being necessary to a free and democratic society.

Answer: D

Explanation:
Explanation
https://www.priv.gc.ca/en/about-the-opc/publications/guide_ind/

 

NEW QUESTION 110
WP29's "Guidelines on Personal data breach notification under Regulation 2016/679'' provides examples of ways to communicate data breaches transparently. Which of the following was listed as a method that would NOT be effective for communicating a breach to data subjects?

  • A. A prominent advertisement in print media
  • B. A direct electronic message
  • C. A notice on a corporate blog
  • D. A postal notification

Answer: C

 

NEW QUESTION 111
SCENARIO
Looking back at your first two years as the Director of Personal Information Protection and Compliance for the Berry Country Regional Medical Center in Thorn Bay, Ontario, Canada, you see a parade of accomplishments, from developing state-of-the-art simulation based training for employees on privacy protection to establishing an interactive medical records system that is accessible by patients as well as by the medical personnel. Now, however, a question you have put off looms large: how do we manage all the data-not only records produced recently, but those still on hand from years ago? A data flow diagram generated last year shows multiple servers, databases, and work stations, many of which hold files that have not yet been incorporated into the new records system. While most of this data is encrypted, its persistence may pose security and compliance concerns. The situation is further complicated by several long-term studies being conducted by the medical staff using patient information. Having recently reviewed the major Canadian privacy regulations, you want to make certain that the medical center is observing them.
You also recall a recent visit to the Records Storage Section, often termed "The Dungeon" in the basement of the old hospital next to the modern facility, where you noticed a multitude of paper records. Some of these were in crates marked by years, medical condition or alphabetically by patient name, while others were in undifferentiated bundles on shelves and on the floor. The back shelves of the section housed data tapes and old hard drives that were often unlabeled but appeared to be years old. On your way out of the dungeon, you noticed just ahead of you a small man in a lab coat who you did not recognize. He carried a batch of folders under his arm, apparently records he had removed from storage.
Which regulation most likely applies to the data stored by Berry Country Regional Medical Center?

  • A. The European Union Directive 95/46/EC
  • B. The Health Records Act 2001
  • C. Personal Information Protection and Electronic Documents Act
  • D. Health Insurance Portability and Accountability Act

Answer: C

 

NEW QUESTION 112
Under the GDPR, which essential pieces of information must be provided to data subjects before collecting their personal data?

  • A. The name/s of relevant government agencies involved and the steps needed for revising the data.
  • B. The contact information of the controller and a description of the retention policy.
  • C. The identity and contact details of the controller and the reasons the data is being collected.
  • D. The authority by which the controller is collecting the data and the third parties to whom the data will be sent.

Answer: C

 

NEW QUESTION 113
How is the GDPR's position on consent MOST likely to affect future app design and implementation?

  • A. App developers' responsibilities as data controllers will increase.
  • B. Users will see fewer advertisements when using apps.
  • C. App developers will expand the amount of data necessary to collect for an app's functionality.
  • D. Users will be given granular types of consent for particular types of processing.

Answer: D

 

NEW QUESTION 114
What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/C) all had in common but largely failed to achieve in Canada?

  • A. The creation of legally binding data protection principles
  • B. The establishment of a list of legitimate data processing criteria
  • C. The restriction of cross-border data flow
  • D. The synchronization of approaches to data protection

Answer: C

 

NEW QUESTION 115
In what way does the "Red Flags Rule" under the Fair and Accurate Credit Transactions Act (FACTA) relate to the owner of a grocery store who uses a money wire service?

  • A. it requires the owner to implement an identity theft warning system
  • B. it is not usually enforced in the case of a small financial institution
  • C. it does not apply because the owner is not a creditor
  • D. it mandates the use of updated technology for securing credit records

Answer: D

 

NEW QUESTION 116
In which situation would a data controller most likely be able to justify the processing of the data of a child without parental consent?

  • A. When providing preventive or counselling services to the child.
  • B. When a legitimate business interest makes obtaining consent impractical.
  • C. When providing the child with materials purely for educational use.
  • D. When the data is to be processed for market research.

Answer: A

 

NEW QUESTION 117
More than half of U.S. states require telemarketers to?

  • A. Obtain written consent from potential customers
  • B. identify themselves at the beginning of a call
  • C. Register with the state before conducting business
  • D. Provide written contracts for customer transactions

Answer: D

 

NEW QUESTION 118
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick's instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients' data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft's engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies' websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem's as well as EcoMick's latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem's products, she has never shopped EcoMick, nor provided her personal data to that company.
Why would the consent provided by Ms. Iman NOT be considered valid in regard to JaphSoft?

  • A. She did not read the privacy notice stating that her personal data would be shared.
  • B. She was not told which controller would be processing her personal data.
  • C. She has never made any purchases from JaphSoft and has no relationship with the company.
  • D. She only viewed the visual representations of the privacy notice Liem provided.

Answer: A

 

NEW QUESTION 119
......


You can read the IAPP CIPP-C Exam certified salary

The average salary of IAPP CIPP-C certified professional in the different countries is given below:

  • Brazil - $54,866
  • Australia - $99,854
  • Canada- $111,248
  • Hong Kong - $111,278

 

Top IAPP CIPP-C Courses Online: https://www.dumpsquestion.com/CIPP-C-exam-dumps-collection.html

CIPP-C Practice Dumps - Verified By DumpsQuestion Updated 180 Questions: https://drive.google.com/open?id=17gSHELvpkG9X66ksvkGlD0fTXEre9Q6W