IAPP CIPP-E Exam Dumps

What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention108?

A. Both govern international transfers of personal data
B. Both govern the manual processing of personal data
C. Both only apply to European Union countries
D. Both require notification of processing activities to a supervisory authority

Answer: D

Please use the following to answer the next question:You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range ofdolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Althougthe manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong,it has entered into a number of local distribution contracts. The toys produced by the company can be found inall popular toy stores throughout Europe, the United States and Asia. A large portion of the company’srevenue is due to international sales.The company now wishes to launch a new range of connected toys, ones that can talk and interact withchildren. The CEO of the company is touting these toys as the next big thing, due to the increased possibilitiesoffered: The figures can answer children’s Questions: on various subjects, such as mathematical calculationsor the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone ortablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well.The figures can also be associated with other figures (from the same manufacturer) and interact with eachother for an enhanced play experience.When a child asks the toy a QUESTION, the request is sent to the cloud for analysis, and the answer isgenerated on cloud servers and sent back to the figure. The answer is given through the figure’s integratedspeakers, making it appear as though that the toy is actually responding to the child’s QUESTION. Thepackaging of the toy does not provide technical details on how this works, nor does it mention that this featurerequires an internet connection. The necessary data processing for this has been outsourced to a data centerlocated in South Africa. However, your company has not yet revised its consumer-facing privacy policy toindicate this.In parallel, the company is planning to introduce a new range of game systems through which consumers canplay the characters they acquire in the course of playing the game. The system will come bundled with a portalthat includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the actionfigure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it isalso possible to earn additional ones by accomplishing game goals. The only information stored in the tagrelates to the figures’ abilities. It is easy to switch characters during the game, and it is possible to bring thefigure to locations outside of the home and have the character’s abilities remain intact.To ensure GDPR compliance, what should be the company’s position on the issue of consent?

A. The child, as the user of the action figure, can provide consent himself, as long as no information isshared for marketing purposes.
B. Written authorization attesting to the responsible use of children’s data would need to be obtained fromthe supervisory authority.
C. Consent for data collection is implied through the parent’s purchase of the action figure for the child.
D. Parental consent for a child’s use of the action figures would have to be obtained before any data couldbe collected.

Answer: D

Assuming that the “without undue delay” provision is followed, what is the time limit for complying with adata access request?

A. Within 40 days of receipt
B. Within 40 days of receipt, which may be extended by up to 40 additional days
C. Within one month of receipt, which may be extended by up to an additional month
D. Within one month of receipt, which may be extended by an additional two months

Answer: C

Please use the following to answer the next question:Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago.Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentableoffering to help him recover compensation for personal injury. Louis has heard about insurance companiesselling customers’ data to third parties, and he’s convinced that Accidentable must have gotten his informationfrom Bedrock Insurance.Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell himtheir full range of their insurance policies.Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked tofind that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer formany years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his NoClaims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes toask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock tostop using his personal data for marketing purposes.Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No ClaimsCertificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible.Bedrock also explains that Louis’s contract included a provision whereby Louis agreed that his data could beused for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. Itangers Louis when he recalls the wording of the contract, which was filled with legal jargon and veryconfusing.In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes toAccidentable to ask for the name of the organization that supplied his details to them. He warns Accidentablethat he plans to complain to the data protection authority, because he thinks their company has been using hisdata unlawfully. His letter states that he does not want his data being used by them in any way.Accidentable’s response letter confirms Louis’s suspicions. Accidentable is Bedrock Insurance’s whollyowned subsidiary, and they received information about Louis’s accident from Bedrock shortly after Louissubmitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, asLouis’s contract included, a provision in which he agreed to share his information with Bedrock’s affiliates forbusiness purposes.Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all hisinformation be erased from their computer system.Which statement accurately summarizes Bedrock’s obligation in regard to Louis’s data portability request?

A. Bedrock does not have a duty to transfer Louis’s data to Zantrum if doing so is legitimately not technically feasible.
B. Bedrock does not have to transfer Louis’s data to Zantrum because the right to data portability does not apply where personal data are processed in order to carry out tasks in the public interest.
C. Bedrock has failed to comply with the duty to transfer Louis’s data to Zantrum because the duty applies wherever personal data are processed by automated means and necessary for the performance of acontract with the customer.
D. Bedrock has failed to comply with the duty to transfer Louis’s data to Zantrum because it has an bligation to develop commonly used, machine-readable and interoperable formats so that all customerdata can be ported to other insurers on request.

Answer: B

What permissions are required for a marketer to send an email marketing message to a consumer in the EU?

A. A prior opt-in consent for consumers unless they are already customers.
B. A pre-checked box stating that the consumer agrees to receive email marketing.
C. A notice that the consumer’s email address will be used for marketing purposes.
D. No prior permission required, but an opt-out requirement on all emails sent to consumers.

Answer: A