Master IAPP CIPP-E Exam with Reliable Practice Questions
Upgrade to Premium
What is the primary purpose of Convention 108+, which amends the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data?
Correct : C
Convention 108+ is the modernised version of Convention 108, which was the first legally binding international instrument on data protection. The main purpose of Convention 108+ is to update and enhance the protection of personal data in light of the technological developments and the new challenges posed by the globalisation of data processing. Convention 108+ also aims to ensure the effective implementation and enforcement of data protection principles and rules, as well as to facilitate the free flow of data between the parties to the Convention.
* Convention 108+ : the modernised version of a landmark instrument1
* Convention 108 and Protocols - Data Protection - The Council of Europe2
* Convention 108 - Council of Europe3
Start a Discussions
SCENARIO
Please use the following to answer the next question:
Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based
company that allows anyone to buy and sell cryptocurrencies via its online platform.
The company stores and processes the personal data of its customers in a
dedicated data center located in Malta (EU).
People wishing to trade cryptocurrencies are required to open an online account on
the platform. They then must successfully pass a Know Your Customer (KYC) due
diligence procedure aimed at preventing money laundering and ensuring
compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by
reading a disclaimer written in bold and ticking a checkbox on a separate page in
order to get their account approved on the platform.
All customers must likewise accept the terms of service of the platform. The terms
of service also include a privacy policy section, saying, among other things, that if a
customer fails the KYC process, its KYC data will be automatically shared with the
national anti-money laundering agency.
The KYC procedure requires customers to answer many questions, including
whether they have any criminal convictions, whether they use recreational drugs or
have problems with alcohol, and whether they have a terminal illness. While
providing this data, customers see a conspicuous message saying that this data is
meant only to prevent fraud and account takeover, and will be never shared with
private third parties.
The company regularly conducts external security testing of its online systems by
independent cybersecurity companies from the EU. At the final stage of testing, the
company provides cybersecurity assessors with access to its central database to
review security permissions, roles and policies. Personal data in the database is
encrypted; however, cybersecurity assessors usually have access to the decryption
keys obtained while running initial security testing. The assessors must strictly
follow the guidelines imposed by the company during the entire testing and auditing
process.
All customer data, including trading activities and all internal communications with
technical support, are permanently stored in a secured AWS S3 Glacier cloud data
storage, located in Ireland, for backup and compliance purposes. The data is
securely transferred to the cloud and then is properly encrypted while at rest by
using AWS-native encryption mechanisms. These mechanisms give AWS the
necessary technical means to encrypt and decrypt the data when such is required
by the company. There is no data processing agreement between AWS and the
company.
Should Jane modify the required GDPR rights waiver for non-European residents?
Correct : B
The GDPR applies to the processing of personal data of data subjects who are in the EU, regardless of their nationality or residence. This means that non-EU residents who are physically located in the EU are protected by the GDPR, and EU residents who are outside the EU are not. However, this does not mean that non-EU residents who are outside the EU can be asked to waive their GDPR rights by a company that is subject to the GDPR. The GDPR does not allow such waivers, as they would undermine the essence of the fundamental rights and freedoms of data subjects. The GDPR also requires that data subjects are provided with clear and transparent information about the processing of their personal data, and that they give their consent freely, specifically, informedly and unambiguously. A blanket waiver of GDPR rights does not meet these criteria, and would therefore be invalid and unenforceable.
* GDPR Article 3 - Territorial scope1
* GDPR Article 7 - Conditions for consent2
* GDPR Article 25 - Data protection by design and by default3
* GDPR Recital 171 - Relationship with previously concluded agreements4
Start a Discussions
Which failing of Privacy Shield, cited by the CJEU as a reason for its invalidation, is the Trans-Atlantic Data Privacy Framework intended to address?
Correct : C
One of the main reasons why the CJEU invalidated the Privacy Shield was that it found that the US surveillance programs were not limited to what is strictly necessary and proportionate, as required by the EU law. The CJEU also criticized the lack of effective judicial remedies for EU data subjects whose data was accessed by US authorities. The Trans-Atlantic Data Privacy Framework is intended to address these issues by introducing new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives, and by creating a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities. The Framework also enhances the oversight and transparency of US surveillance practices.
Start a Discussions
Pursuant to the EDPB Guidelines 8/2022, all of the following criteria must be considered when identifying a lead supervisory authority of a controller EXCEPT?
Correct : C
According to the EDPB Guidelines 8/2022, the lead supervisory authority of a controller is the supervisory authority of the main or single establishment of the controller in the EEA. The main establishment is the place where the controller has its place of central administration in the EEA, unless decisions on the purposes and means of the processing are taken in another establishment in the EEA, and that establishment has the power to implement those decisions. The controller must be able to demonstrate that such an establishment exists. The supervisory authority of the main establishment is the lead supervisory authority, regardless of what the controller has identified as the authority to which data subjects can lodge complaints. Therefore, criterion C is not relevant for identifying the lead supervisory authority of a controller.
Start a Discussions
SCENARIO
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage
In support of Ruth's strategic goals of hiring more sales representatives, the Human
Resources team is focused on improving its processes to ensure that new
employees are sourced, interviewed, hired, and onboarded efficiently. To help with
this, Mary identified two vendors, HRYourWay, a German based company, and
InstaHR, an Australian based company. She decided to have both vendors go
through ProStorage's vendor risk review process so she can work with Ruth to
make the final decision. As part of the review process, Jackie, who is responsible
for maintaining ProStorage's privacy program (including maintaining controller
BCRs and conducting vendor risk assessments), reviewed both vendors but
completed a transfer impact assessment only for InstaHR. After her review of both
boasted a more established privacy program and provided third-party attestations,
whereas HRYourWay was a small vendor with minimal data protection operations.
Thus, she recommended InstaHR.
ProStorage's marketing team also worked to meet the strategic goals of the
company by focusing on industries where it needed to grow its market share. To
help with this, the team selected as a partner UpFinance, a US based company
with deep connections to financial industry customers. During ProStorage's
diligence process, Jackie from the privacy team noted in the transfer impact
assessment that UpFinance implements several data protection measures
including end-to-end encryption, with encryption keys held by the customer.
Notably, UpFinance has not received any government requests in its 7 years of
business. Still, Jackie recommended that the contract require UpFinance to notify
ProStorage if it receives a government request for personal data UpFinance
processes on its behalf prior to disclosing such data.
What transfer mechanism did ProStorage most likely rely on to transfer Ruth's
medical information to the hospital?
Correct : B
According to the GDPR, one of the legal bases for transferring personal data to a third country or an international organization is when the transfer is necessary for the protection of the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent (Article 49(1)). This exception applies only in very limited and exceptional situations, such as life-threatening medical emergencies. In this scenario, ProStorage most likely relied on this legal basis to transfer Ruth's medical information to the hospital in India, where she suffered a medical emergency and was hospitalized. Ruth was presumably unable to give her consent due to her health condition, and the transfer of her medical information was necessary to protect her vital interests, such as her life or health. Therefore, this transfer mechanism was more appropriate than the other options, which either require consent or are not relevant to the situation.
Start a Discussions