[Nov-2021 Newly Released] CIPP-C Exam Questions For You To Pass [Q42-Q62]


IAPP CIPP-C Exam: Basic Questions With Answers 

NEW QUESTION 42
How is the GDPR's position on consent MOST likely to affect future app design and implementation?

  • A. Users will be given granular types of consent for particular types of processing.
  • B. App developers' responsibilities as data controllers will increase.
  • C. Users will see fewer advertisements when using apps.
  • D. App developers will expand the amount of data necessary to collect for an app's functionality.

Answer: A

 

NEW QUESTION 43
In which situation would a data controller most likely be able to justify the processing of the data of a child without parental consent?

  • A. When a legitimate business interest makes obtaining consent impractical.
  • B. When the data is to be processed for market research.
  • C. When providing preventive or counselling services to the child.
  • D. When providing the child with materials purely for educational use.

Answer: C

 

NEW QUESTION 44
SCENARIO
Looking back at your first two years as the Director of Personal Information Protection and Compliance for the Berry Country Regional Medical Center in Thorn Bay, Ontario, Canada, you see a parade of accomplishments, from developing state-of-the-art simulation-based training for employees on privacy protection to establishing an interactive medical records system that is accessible by patients as well as by the medical personnel. Now, however, a question you have put off looms large: how do we manage all the data, not only records produced recently, but those still on hand from years ago? A data flow diagram generated last year shows multiple servers, databases, and workstations, many of which hold files that have not yet been incorporated into the new records system. While most of this data is encrypted, its persistence may pose security and compliance concerns. The situation is further complicated by several long-term studies being conducted by the medical staff using patient information. Having recently reviewed the major Canadian privacy regulations, you want to make certain that the medical center is observing them.
You also recall a recent visit to the Records Storage Section, often termed "The Dungeon" in the basement of the old hospital next to the modern facility, where you noticed a multitude of paper records. Some of these were in crates marked by years, medical condition or alphabetically by patient name, while others were in undifferentiated bundles on shelves and on the floor. The back shelves of the section housed data tapes and old hard drives that were often unlabeled but appeared to be years old. On your way out of the dungeon, you noticed just ahead of you a small man in a lab coat who you did not recognize. He carried a batch of folders under his arm, apparently records he had removed from storage.
Which data lifecycle phase needs the most attention at this Ontario medical center?

  • A. Disclosure
  • B. Use
  • C. Retention
  • D. Collection

Answer: C

 

NEW QUESTION 45
Read the following steps:
* Discover which employees are accessing cloud services and from which devices and apps
* Lock down the data in those apps and devices
* Monitor and analyze the apps and devices for compliance
* Manage application life cycles
* Monitor data sharing
An organization should perform these steps to do which of the following?

  • A. Maintain a secure Bring Your Own Device (BYOD) program.
  • B. Pursue a GDPR-compliant Privacy by Design process.
  • C. Ensure cloud vendors are complying with internal data use policies.
  • D. Institute a GDPR-compliant employee monitoring process.

Answer: A

 

NEW QUESTION 46
An employee of company ABCD has just noticed that a memory stick containing records of client data, including their names, addresses and full contact details, has disappeared. The data on the stick is unencrypted and in clear text. It is uncertain what has happened to the stick at this stage, but it was likely lost while an employee was traveling. What should the company do?

  • A. Immediately notify all the customers of the company that their information has been accessed by an unauthorized person.
  • B. Notify as soon as possible the data protection supervisory authority that a data breach may have taken place.
  • C. Launch an investigation and if nothing is found within one month, notify the data protection supervisory authority.
  • D. Invoke the "disproportionate effort" exception under Article 33 to postpone notifying data subjects until more information can be gathered.

Answer: B

 

NEW QUESTION 47
A U.S.-based online shop uses sophisticated software to track the browsing behavior of its European customers and predict future purchases. It also shares this information with third parties. Under the GDPR, what is the online shop's PRIMARY obligation while engaging in this kind of profiling?

  • A. It must solicit informed consent through a notice on its website
  • B. It must be able to demonstrate a prior business relationship with the customers
  • C. It must prove that it uses sufficient security safeguards to protect customer data
  • D. It must seek authorization from the European supervisory authorities

Answer: A

 

NEW QUESTION 48
In which case would a controller who has undertaken a DPIA most likely need to consult with a supervisory authority?

  • A. Where the DPIA identifies high risks to individuals' rights and freedoms that the controller can take steps to reduce.
  • B. Where the DPIA identifies that personal data needs to be transferred to other countries outside of the EEA.
  • C. Where the DPIA identifies that the processing being proposed collects the sensitive data of EU citizens.
  • D. Where the DPIA identifies risks that will require insurance for protecting its business interests.

Answer: A

 

NEW QUESTION 49
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Ontario University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
* Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
* Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
* Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees.
These records are available to former students after registering through Ontario's Alumni portal.
* Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
Under its security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relation to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Anna explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Which of the University's records does Anna NOT have to include in her record of processing activities?

  • A. Student records
  • B. Frank's performance database
  • C. Staff and alumni records
  • D. Department for Education records

Answer: B

 

NEW QUESTION 50
There are three domains of security covered by Article 32 of the GDPR that apply to both the controller and the processor. These include all of the following EXCEPT?

  • A. Consent management and withdrawal.
  • B. Remedial security.
  • C. Preventative security.
  • D. Incident detection and response.

Answer: A

 

NEW QUESTION 51
SCENARIO
Looking back at your first two years as the Director of Personal Information Protection and Compliance for the Berry Country Regional Medical Center in Thorn Bay, Ontario, Canada, you see a parade of accomplishments, from developing state-of-the-art simulation-based training for employees on privacy protection to establishing an interactive medical records system that is accessible by patients as well as by the medical personnel. Now, however, a question you have put off looms large: how do we manage all the data, not only records produced recently, but those still on hand from years ago? A data flow diagram generated last year shows multiple servers, databases, and workstations, many of which hold files that have not yet been incorporated into the new records system. While most of this data is encrypted, its persistence may pose security and compliance concerns. The situation is further complicated by several long-term studies being conducted by the medical staff using patient information. Having recently reviewed the major Canadian privacy regulations, you want to make certain that the medical center is observing them.
You also recall a recent visit to the Records Storage Section, often termed "The Dungeon" in the basement of the old hospital next to the modern facility, where you noticed a multitude of paper records. Some of these were in crates marked by years, medical condition or alphabetically by patient name, while others were in undifferentiated bundles on shelves and on the floor. The back shelves of the section housed data tapes and old hard drives that were often unlabeled but appeared to be years old. On your way out of the dungeon, you noticed just ahead of you a small man in a lab coat who you did not recognize. He carried a batch of folders under his arm, apparently records he had removed from storage.
Which regulation most likely applies to the data stored by Berry Country Regional Medical Center?

  • A. Personal Information Protection and Electronic Documents Act
  • B. Health Insurance Portability and Accountability Act
  • C. The European Union Directive 95/46/EC
  • D. The Health Records Act 2001

Answer: A

 

NEW QUESTION 52
A German data subject was the victim of an embarrassing prank 20 years ago. A newspaper website published an article about the prank at the time, and the article is still available on the newspaper's website.
Unfortunately, the prank is the top search result when a user searches on the victim's name. The data subject requests that SearchCo delist this result. SearchCo agrees, and instructs its technology team to avoid scanning or indexing the article. What else must SearchCo do?

  • A. Fully erase the URL to the content, as opposed to delisting, which is mainly based on the data subject's name.
  • B. Identify other controllers who are processing the same information and inform them of the delisting request.
  • C. Notify the newspaper that it is delisting the article.
  • D. Prevent the article from being listed in search results no matter what search terms are entered into the search engine.

Answer: C

 

NEW QUESTION 53
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco-friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick's instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients' data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a campaign. JaphSoft then uses such models in providing services to its client base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft's engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies' websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem's as well as EcoMick's latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem's products, she has never shopped at EcoMick, nor provided her personal data to that company.
Under the GDPR, Liem and EcoMick's contract with MarketIQ must include all of the following provisions EXCEPT?

  • A. Notification regarding third party requests for access to Liem and EcoMick's personal data.
  • B. Assistance to Liem and EcoMick in their compliance with data protection impact assessments.
  • C. Returning or deleting personal data after the end of the provision of the services.
  • D. Processing the personal data upon documented instructions regarding data transfers outside of the EEA.

Answer: B

 

NEW QUESTION 54
SCENARIO
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn't prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.
The first plan, colloquially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan We-Text-U. Once the company has gathered enough pre-registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company's app, like storage and sharing of DNA information with other applications and medical providers. The company's contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers' attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn't include any technology or infrastructure; rather, it's simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob's laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.
If Who-R-U decides to track locations using its app, what must it do to comply with the GDPR?

  • A. Provide a transparent notice to users.
  • B. Anonymize the data and add latency so it avoids disclosing real time locations.
  • C. Get consent from the app users.
  • D. Obtain a court order because location data is a special category of personal data.

Answer: C

 

NEW QUESTION 55
SCENARIO
Please use the following to answer the next question:
Zandelay Fashion ('Zandelay') is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company's compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.
The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.
In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company's customers by analyzing their purchases. Martin tells the CEO that: (a) the potential risks of such activities mean that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.
Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay's business plan and associated processing activities.
What must Zandelay provide to the supervisory authority during the prior consultation?

  • A. Certificates that prove Martin's professional qualities and expert knowledge of data protection law.
  • B. An explanation of the purposes and means of the intended processing.
  • C. An evaluation of the complexity of the intended processing.
  • D. Records showing that customers have explicitly consented to the intended profiling activities.

Answer: B

 

NEW QUESTION 56
A company is hesitating between Binding Corporate Rules and Standard Contractual Clauses as a global data transfer solution. Which of the following statements would help the company make an effective decision?

  • A. The data exporter does not need to be located in the EU for the Standard Contractual Clauses.
  • B. Binding Corporate Rules are especially recommended for small and medium companies.
  • C. The company will need the prior authorization of all EU data protection authorities for concluding Standard Contractual Clauses.
  • D. Binding Corporate Rules provide a global solution for all the entities of a company that are bound by the intra-group agreement.

Answer: D

 

NEW QUESTION 57
Which of the following entities would most likely be exempt from complying with the GDPR?

  • A. A North American company servicing customers in South Africa that uses a cloud storage system made by a European company.
  • B. A Chinese company that has opened a satellite office in a European Union (EU) member state to service European customers.
  • C. A company that stores all customer data in Australia and is headquartered in a European Union (EU) member state.
  • D. A South American company that regularly collects European customers' personal data.

Answer: B

 

NEW QUESTION 58
Which entities must comply with the Telemarketing Sales Rule?

  • A. For-profit and not-for-profit organizations when selling additional services to established customers
  • B. For-profit organizations calling businesses when a binding contract exists between them
  • C. For-profit organizations and for-profit telefunders regarding charitable solicitations
  • D. Nonprofit organizations calling on their own behalf

Answer: A

 

NEW QUESTION 59
Which area of privacy is a lead supervisory authority's (LSA) MAIN concern?

  • A. Cross-border processing
  • B. Data subject rights
  • C. Special categories of data
  • D. Data access disputes

Answer: A

 

NEW QUESTION 60
Which of the following would MOST likely trigger the extraterritorial effect of the GDPR, as specified by Article 3?

  • A. Personal data of EU residents being processed by a non-EU business that targets EU customers.
  • B. Personal data of EU citizens being processed by a controller or processor based outside the EU.
  • C. The behavior of suspected terrorists being monitored by EU law enforcement bodies.
  • D. The behavior of EU citizens outside the EU being monitored by non-EU law enforcement bodies.

Answer: B

 

NEW QUESTION 61
Why is it advisable to avoid consent as a legal basis for an employer to process employee data?

  • A. Employee data can only be processed if there is an approval from the data protection officer.
  • B. Consent may not be valid if the employee feels compelled to provide it.
  • C. An employer might have difficulty obtaining consent from every employee.
  • D. Data protection laws do not apply to processing of employee data.

Answer: A

 

NEW QUESTION 62
......