Pass4Future also provides interactive practice exam software for preparing effectively for the IAPP Certified Information Privacy Professional/Europe (CIPP-E) Exam. You are welcome to explore the free sample IAPP CIPP-E Exam questions below and also try the IAPP CIPP-E Exam practice test software.
SCENARIO
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO, Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage's global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments. The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized in New Delhi. Unable to reach Ruth's family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who, in coordination with Mary, the head of HR, provided information to the doctors based on accommodation requests Ruth made when she started at ProStorage.
In support of Ruth's strategic goals of hiring more sales representatives, the Human
Resources team is focused on improving its processes to ensure that new
employees are sourced, interviewed, hired, and onboarded efficiently. To help with
this, Mary identified two vendors, HRYourWay, a German based company, and
InstaHR, an Australian based company. She decided to have both vendors go
through ProStorage's vendor risk review process so she can work with Ruth to
make the final decision. As part of the review process, Jackie, who is responsible
for maintaining ProStorage's privacy program (including maintaining controller
BCRs and conducting vendor risk assessments), reviewed both vendors but
completed a transfer impact assessment only for InstaHR. After her review of both
boasted a more established privacy program and provided third-party attestations,
whereas HRYourWay was a small vendor with minimal data protection operations.
Thus, she recommended InstaHR.
ProStorage's marketing team also worked to meet the strategic goals of the
company by focusing on industries where it needed to grow its market share. To
help with this, the team selected as a partner UpFinance, a US based company
with deep connections to financial industry customers. During ProStorage's
diligence process, Jackie from the privacy team noted in the transfer impact
assessment that UpFinance implements several data protection measures
including end-to-end encryption, with encryption keys held by the customer.
Notably, UpFinance has not received any government requests in its 7 years of
business. Still, Jackie recommended that the contract require UpFinance to notify
ProStorage if it receives a government request for personal data UpFinance
processes on its behalf prior to disclosing such data.
What transfer mechanism should Jackie recommend for using InstaHR?
Answer : D
According to the GDPR, any transfer of personal data to a third country or an international organisation must be based on an adequacy decision by the Commission, appropriate safeguards by the data exporter and importer, or derogations for specific situations [1]. In this scenario, InstaHR is an Australian-based company that processes personal data on behalf of ProStorage, a Dutch-based company. Australia is not recognised by the Commission as a country that provides an adequate level of data protection [2], so the adequacy option is not available. Binding corporate rules (BCRs) are internal rules adopted by multinational groups of companies or organisations that define their global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries that do not provide an adequate level of protection [3]. However, BCRs are not applicable in this case, as InstaHR is not part of the same corporate group as ProStorage. Explicit consent of employees is a possible derogation for specific situations, but it is not a reliable or practical transfer mechanism, as it must be freely given, specific, informed and unambiguous, and it can be withdrawn at any time [4]. Therefore, the most suitable transfer mechanism for using InstaHR is standard contractual clauses (SCCs). SCCs are contractual clauses that have been pre-approved by the Commission and that provide appropriate safeguards for data protection when transferring personal data from the EU/EEA to third countries. SCCs are legally binding and enforceable by data subjects, and they impose obligations on both the data exporter and the data importer. SCCs are widely used by data controllers and processors as a transfer mechanism under the GDPR.
Reference:
1: Art. 44 GDPR - General principle for transfers
2: Adequacy decisions - European Commission
3: Binding corporate rules - European Commission
4: Article 7 of the GDPR
Standard Contractual Clauses (SCC) - European Commission
SCENARIO
Please use the ProStorage scenario above to answer the next question:
Why is the additional measure recommended by Jackie sufficient for using UpFinance?
Answer : D
According to Article 46 of the GDPR, in the absence of an adequacy decision by the European Commission, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. One of the possible appropriate safeguards is the use of standard data protection clauses adopted by the Commission or by a supervisory authority. However, Article 46(5) states that the possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority shall not affect the possibility for the controller or processor to rely upon other appropriate safeguards provided for in paragraph 2 of this Article, provided that they ensure that data subjects have enforceable and effective rights as regards the processing of their data. Therefore, in this case, Jackie's recommendation of requiring UpFinance to notify ProStorage if it receives a government request for personal data UpFinance processes on its behalf prior to disclosing such data is an additional measure that could be considered as an appropriate safeguard, especially since UpFinance implements several data protection measures, including end-to-end encryption, with encryption keys held by the customer, which would ensure a high level of security and confidentiality of the personal data transferred.
Reference:
Article 46 of the GDPR
IAPP CIPP/E Study Guide, page 67
SCENARIO
Please use the ProStorage scenario above to answer the next question:
Why was Jackie correct in not completing a transfer impact assessment for HRYourWay?
Answer : B
According to the GDPR, a transfer of personal data to a third country or an international organisation may take place only if the conditions laid down in Chapter V of the GDPR are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation [1]. A third country is any country outside of the European Union (EU) and the European Economic Area (EEA) [2]. Therefore, a transfer impact assessment is only required when personal data is transferred to a third country or an international organisation that does not provide an adequate level of data protection, as recognised by the European Commission [3]. HRYourWay is a German-based company, and Germany is a member state of the EU and the EEA. Thus, HRYourWay is not located in a third country, and no transfer impact assessment is needed for transferring personal data to it. The other options are incorrect, as they are not relevant to the question of whether a transfer impact assessment is required or not.
Reference:
GDPR, Chapter V
GDPR, Article 4 (24)
GDPR, Article 45
A homeowner has installed a motion-detecting surveillance system that films his front door and entryway. The camera does not film any public areas, only areas that are the property of the homeowner. The system has been declared to the authorities per the homeowner's country law, and a placard indicating the area is being video monitored is visible when entering the property.
Why can the homeowner NOT depend on the household exemption with regard to the processing of the video images recorded by the surveillance camera system?
Answer : A
Which of the following is NOT one of the 4 principles developed by the European AI Alliance regarding the ethical use of Artificial Intelligence?
Answer : B