Free IAPP CIPP-E Exam Questions

Question 1

When hiring a data processor, which action would a data controller NOT be able to depend upon to avoid liability in the event of a security breach?

A : Documenting due diligence steps taken in the pre-contractual stage.

B : nducting a risk assessment to analyze possible outsourcing threats.

C : quiring that the processor directly notify the appropriate supervisory authority.

D : intaining evidence that the processor was the best possible market choice available.

Answer: A

Question 2

According to the GDPR, Article 4(14), biometric data is defined as:

"Personal data resulting from specific technical processing relating to the ___ characteristics of a natural person."

Which term could NOT be placed in the above definition?

A : Physiological.

B : Physical.

C : Intellectual.

D : Behavioral

Answer: C

Question 3

According to the European Data Protection Board, if a controller that is not established in the EU but still subject to the GDPR becomes aware of a personal data breach, which supervisory authority or authorities must be notified?

A : Only the supervisory authority of the EU member state in which the controller's EU representative (pursuant to Article 27) is established.

B : Only one lead supervisory authority, as a controller benefits from the one-stop shop mechanism under the GDPR’s enforcement regime.

C : Every supervisory authority of the EU member states where the controller is offering goods or services.

D : Every supervisory authority for which affected data subjects reside in their EU member state.

Answer: A

Question 4

SCENARIO -

Please use the following to answer the next question:

Gentle Hedgehog Inc. is a privately owned website design agency incorporated in Italy. The company has numerous remote workers in different EU countries. Recently, the management of Gentle Hedgehog noticed a decrease in productivity of their sales team, especially among remote workers. As a result, the company plans to implement a robust but privacy-friendly remote surveillance system to prevent absenteeism, reward top performers, and ensure the best quality of customer service when sales people are interacting with customers.

Gentle Hedgehog eventually hires Sauron Eye Inc., a Chinese vendor of employee surveillance software whose European headquarters is in Germany. Sauron Eye s software provides powerful remote-monitoring capabilities, including 24/7 access to computer cameras and microphones, screen captures, emails, website history, and keystrokes. Any device can be remotely monitored from a central server that is securely installed at Gentle Hedgehog headquarters. The monitoring is invisible by default; however, a so-called Transparent Mode, which regularly and conspicuously notifies all users about the monitoring and its precise scope, also exists. Additionally, the monitored employees are required to use a built-in verification technology involving facial recognition each time they log in.

All monitoring data, including the facial recognition data, is securely stored in Microsoft Azure cloud servers operated by Sauron Eye, which are physically located in France.

What monitoring may be lawfully performed within the scope of Gentle Hedgehog’s business?

A : Everything offered by Sauron Eye's software with the exception of camera and microphone monitoring.

B : Everything offered by Sauron Eye's software, assuming employees provide daily consent to the monitoring

C : Only video calls conducted during business hours and emails that do not contain a “private” or “personal” tag.

D : Only emails, website browsing history and camera for internal video calls that are expressly marked as monitored.

Answer: D

Question 5

Which of the following would most likely NOT be covered by the definition of "personal data" under the GDPR?

A : payment card number of a Dutch citizen

B : U.S. social security number of an American citizen living in France

C : unlinked aggregated data used for statistical purposes by an Italian company

D : identification number of a German candidate for a professional examination in Germany

Answer: D