Exam2pass
0 items Sign In or Register
  • Home
  • IT Exams
  • Guarantee
  • FAQs
  • Reviews
  • Contact Us
  • Demo
Exam2pass > IAPP > IAPP Certifications > CIPP-E > CIPP-E Online Practice Questions and Answers

CIPP-E Online Practice Questions and Answers

Questions 4

Article 29 Working Party has emphasized that the GDPR forbids "forum shopping", which occurs when companies do what?

A. Choose the data protection officer that is most sympathetic to their business concerns.

B. Designate their main establishment in member state with the most flexible practices.

C. File appeals of infringement judgments with more than one EU institution simultaneously.

D. Select third-party processors on the basis of cost rather than quality of privacy protection.

Buy Now

Correct Answer: B

Reference: https://gdprinformer.com/gdpr-articles/forum-shopping-illegal-gdpr

Questions 5

Bioface is a company based in the United States. It has no servers, personnel or assets in the European Union. By collecting photographs from social media and other web-based services, such as newspapers and blogs, it uses machine learning to develop a facial recognition algorithm. The algorithm identifies individuals in photographs who are not in its data set based the algorithm and its existing data. The service collects photographs of data subjects in the European Union and will identify them if presented with their photographs. Bioface offers its service to government agencies and companies in the United States and Canada, but not to those in the European Union. Bioface does not offer the service to individuals.

Why is Bioface subject to the territorial scope of the General Data Protection Regulation?

A. It collects data from European Union websites, which constitutes an establishment in the European Union.

B. It offers services in the European Union by identifying data subjects in the European Union.

C. It collects data from subjects and uses it for automated processing.

D. It monitors the behavior of data subjects in the European Union.

Buy Now

Correct Answer: D

Questions 6

SCENARIO

Please use the following to answer the next question:

ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO, Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage's global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments. The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized in New Delhi. Unable to reach Ruth's family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR, provided information to the doctors based on accommodation requests Ruth made when she started at ProStorage.

In support of Ruth's strategic goals of hiring more sales representatives, the Human Resources team is focused on improving its processes to ensure that new employees are sourced, interviewed, hired, and on boarded efficiently. To help with this, Mary identified two vendors, HRYourWay, a German based company, and InstaHR, an Australian based company. She decided to have both vendors go through ProStorage's vendor risk review process so she can work with Ruth to make the final decision. As part of the review process, Jackie, who is responsible for maintaining ProStorage's privacy program (including maintaining controller BCRs and conducting vendor risk assessments), reviewed both vendors but completed a transfer impact assessment only for InstaHR. After her review of both vendors, she determined that InstaHR satisfied more of the requirements as it boasted a more established privacy program and provided third-party attestations, whereas HRYourWay was a small vendor with minimal data protection operations. Thus, she recommended InstaHR.

ProStorage's marketing team also worked to meet the strategic goals of the company by focusing on industries where it needed to grow its market share. To help with this, the team selected as a partner UpFinance. a US based company with deep connections to financial industry customers. During ProStorage's diligence process, Jackie from the privacy team noted in the transfer impact assessment that UpFinance implements several data protection measures including end-loend encryption, with encryption keys held by the customer. Notably, UpFinance has not received any government requests in its 7 years of business. Still, Jackie recommended that the contract require UpFinance to notify ProStorage if it receives a government request for personal data UpFinance processes on its behalf prior to disclosing such data.

What transfer mechanism did ProStorage most likely rely on to transfer Ruth's medical information to the hospital?

A. Ruth's implied consent.

B. Protecting the vital interest of Ruth

C. Performance of a contract with Ruth.

D. Protecting against legal liability from Ruth.

Buy Now

Correct Answer: B

Questions 7

A U.S. company's website sells widgets. Which of the following factors would NOT in itself subject the company to the GDPR?

A. The widgets are offered in EU and priced in euro.

B. The website is in English and French, and is accessible in France.

C. An affiliate office is located in France but the processing is in the U.S.

D. The website places cookies to monitor the EU website user behavior.

Buy Now

Correct Answer: B

Questions 8

The Planet 49 CJEU Judgement applies to?

A. Cookies used only by third parties.

B. Cookies that are deemed technically necessary.

C. Cookies regardless of whether the data accessed is personal or not.

D. Cookies where the data accessed is considered as personal data only.

Buy Now

Correct Answer: C

Reference: https://www.twobirds.com/en/news/articles/2019/global/planet49-cjeu-rules-on-cookie-consent

Questions 9

What must be included in a written agreement between the controller and processor in relation to processing conducted on the controller's behalf?

A. An obligation on the processor to report any personal data breach to the controller within 72 hours.

B. An obligation on both parties to report any serious personal data breach to the supervisory authority.

C. An obligation on both parties to agree to a termination of the agreement if the other party is responsible for a personal data breach.

D. An obligation on the processor to assist the controller in complying with the controller's obligations to notify the supervisory authority about personal data breaches.

Buy Now

Correct Answer: D

Questions 10

SCENARIO

Please use the following to answer the next question:

Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover

compensation for personal injury. Louis has heard about insurance companies selling customers' data to third parties, and he's convinced that Accidentable must have gotten his information from Bedrock Insurance.

Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.

Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When

his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.

In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes. Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that

Louis's contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing. In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.

Accidentable's response letter confirms Louis's suspicions. Accidentable is Bedrock Insurance's wholly owned subsidiary, and they received information about Louis's accident from Bedrock shortly after Louis submitted his accident claim.

Accidentable assures Louis that there has been no breach of the GDPR, as Louis's contract included, a provision in which he agreed to share his information with Bedrock's affiliates for business purposes.

Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.

After Louis has exercised his right to restrict the use of his data, under what conditions would Accidentable have grounds for refusing to comply?

A. If Accidentable is entitled to use of the data as an affiliate of Bedrock.

B. If Accidentable also uses the data to conduct public health research.

C. If the data becomes necessary to defend Accidentable's legal rights.

D. If the accuracy of the data is not an aspect that Louis is disputing.

Buy Now

Correct Answer: C

Questions 11

Under what circumstances might the "soft opt-in" rule apply in relation to direct marketing?

A. When an individual has not consented to the marketing.

B. When an individual's details are obtained from their inquiries about buying a product.

C. Where an individual's details have been obtained from a bought-in marketing list.

D. Where an individual is given the ability to unsubscribe from marketing emails sent to him.

Buy Now

Correct Answer: B

Questions 12

SCENARIO

Please use the following to answer the next question:

BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information ?name, location, and prior purchase history ?with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens.

Prior to sharing its customer list, BHealthy conducted a review of Natural Insight's security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy's data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight's machine learning algorithms.

In which case would Natural Insight's use of BHealthy's data for improvement of its algorithms be considered data processor activity?

A. If Natural Insight uses BHealthy's data for improving price point predictions only for BHealthy.

B. If Natural Insight receives express contractual instructions from BHealthy to use its data for improving its algorithms.

C. If Natural Insight agrees to be fully liable for its use of BHealthy's customer information in its product improvement activities.

D. If Natural Insight satisfies the transparency requirement by notifying BHealthy's customers of its plans to use their information for its product improvement activities.

Buy Now

Correct Answer: B

Questions 13

SCENARIO

Please use the following to answer the next question:

Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in Greece (5), Italy (15) and Spain (1), have registered their most profitable results ever. To celebrate this achievement, ARRA Hotels' Human Resources

office, based in ARRA's main Italian establishment, has organized a team event for its 420 employees and their families at its hotel in Spain.

Upon arrival at the hotel, each employee and family member is given an electronic wristband at the reception desk. The wristband serves a number of functions:

1.

Allows access to the "party zone" of the hotel, and emits a buzz if the user approaches any unauthorized areas

2.

Allows up to three free drinks for each person of legal age, and emits a buzz once this limit has been reached

3.

Grants a unique ID number for participating in the games and contests that have been planned.

Along with the wristband, each guest receives a QR code that leads to the online privacy notice describing the use of the wristband. The page also contains an unchecked consent checkbox. In the case of employee family members under the age of 16, consent must be given by a parent. Among the various activities planned for the event, ARRA Hotels' HR office has autonomously set up a photocall area, separate from the main event venue, where employees can come and have their pictures taken in traditional carnival

costume. The photos will be posted on ARRA Hotels' main website for general marketing purposes.

On the night of the event, an employee from one of ARRA's Greek hotels is displeased with the results of the photos in which he appears. He intends to file a complaint with the relevant supervisory authority in regard to the following:

1.

The lack of any privacy notice in the separate photocall area

2.

The unlawful cross-border processing of his personal data

3.

The unacceptable aesthetic outcome of his photos

Which of the following principles has likely been violated in the processing of the photocall photos containing personal data?

A. Adequacy.

B. Lawfulness.

C. Transparency.

D. Data minimization.

Buy Now

Correct Answer: C

Exam Code: CIPP-E
Exam Name: Certified Information Privacy Professional/Europe (CIPP/E)
Last Update: Jul 01, 2026
Questions: 307

PDF (Q&A)

$45.99
ADD TO CART

VCE

$49.99
ADD TO CART

PDF + VCE

$59.99
ADD TO CART

Exam2Pass----The Most Reliable Exam Preparation Assistance

There are tens of thousands of certification exam dumps provided on the internet. And how to choose the most reliable one among them is the first problem one certification candidate should face. Exam2Pass provide a shot cut to pass the exam and get the certification. If you need help on any questions or any Exam2Pass exam PDF and VCE simulators, customer support team is ready to help at any time when required.

Home | Guarantee & Policy |  Privacy & Policy |  Terms & Conditions |  How to buy |  FAQs |  About Us |  Contact Us |  Demo |  Reviews

2026 Copyright @ exam2pass.com All trademarks are the property of their respective vendors. We are not associated with any of them.