IAPP CIPP-E Exam Questions & Answers

A company wishes to transfer personal data to a country outside of the European Union/EEA In order to do so, they are planning an assessment of the country's laws and practices, knowing that these may impinge upon the transfer safeguards they intend to use

All of the following factors would be relevant for the company to consider EXCEPT'?

A. Any onward transfers, such as transfers of personal data to a sub-processor in the same or another third country.

B. The process of modernization in the third country concerned and their access to emerging technologies that rely on international transfers of personal data

C. The technical, financial, and staff resources available to an authority m the third country concerned that may access the personal data to be transferred

D. The contractual clauses between the data controller or processor established in the European Union/EEA and the recipient of the transfer established in the third country concerned

SCENARIO Please use the following to answer the next question:

Gentle Hedgehog Inc. is a privately owned website design agency incorporated in Italy. The company has numerous remote workers in different EU countries. Recently, the management of Gentle Hedgehog noticed a decrease in productivity

of their sales team, especially among remote workers. As a result, the company plans to implement a robust but privacy-friendly remote surveillance system to prevent absenteeism, reward top performers, and ensure the best quality of

customer service when sales people are interacting with customers.

Gentle Hedgehog eventually hires Sauron Eye Inc., a Chinese vendor of employee surveillance software whose European headquarters is in Germany. Sauron Eye s software provides powerful remote-monitoring capabilities, including 24/7

access to computer cameras and microphones, screen captures, emails, website history, and keystrokes. Any device can be remotely monitored from a central server that is securely installed at Gentle Hedgehog headquarters. The

monitoring is invisible by default; however, a so-called Transparent Mode, which regularly and conspicuously notifies all users about the monitoring and its precise scope, also exists. Additionally, the monitored employees are required to use

a built-in verification technology involving facial recognition each time they log in.

All monitoring data, including the facial recognition data, is securely stored in Microsoft Azure cloud servers operated by Sauron Eye, which are physically located in France.

What monitoring may be lawfully performed within the scope of Gentle Hedgehog's business?

A. Everything offered by Sauron Eye's software with the exception of camera and microphone monitoring.

B. Everything offered by Sauron Eye's software, assuming employees provide daily consent to the monitoring.

C. Only video calls conducted during business hours and emails that do not contain a “private” or “personal” tag.

D. Only emails, website browsing history and camera for internal video calls that are expressly marked as monitored.

What permissions are required for a marketer to send an email marketing message to a consumer in the EU?

A. A prior opt-in consent for consumers unless they are already customers.

B. A pre-checked box stating that the consumer agrees to receive email marketing.

C. A notice that the consumer's email address will be used for marketing purposes.

D. No prior permission required, but an opt-out requirement on all emails sent to consumers.