Cipp e

The document describes a scenario involving the Gummy Bear Company. It discusses how Ben, the son of the founder Joe, collected additional personal data from customers for a marketing project and copied this data to a separate database for his own dating website company without consent. An intern also copied customer data from Ireland to contact people during a trip. The company's new general counsel drafted binding corporate rules but also had all global sales team hard drives copied for a lawsuit, including from the EU. This scenario would likely require the company to perform a data protection impact assessment.

Uploaded by marapopstaf
http://www.passcert.com
The safer, easier way to help you pass any IT exams.

Exam: CIPP-E

Title: Certified Information Privacy Professional/Europe (CIPP/E)

Version: DEMO

1. Read the following steps:
✑ Discover which employees are accessing cloud services and from which devices and apps
✑ Lock down the data in those apps and devices
✑ Monitor and analyze the apps and devices for compliance
✑ Manage application life cycles
✑ Monitor data sharing
An organization should perform these steps to do which of the following?
A. Pursue a GDPR-compliant Privacy by Design process.
B. Institute a GDPR-compliant employee monitoring process.
C. Maintain a secure Bring Your Own Device (BYOD) program.
D. Ensure cloud vendors are complying with internal data use policies.
Answer: C
Explanation:
Reference: https://www.itproportal.com/features/heading-off-the-spectre-of-gdpr-compliance-with-secure-byod/

2. What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014?
A. The requirements affected individuals without exception.
B. The requirements were financially burdensome to EU businesses.
C. The requirements specified that data must be held within the EU.
D. The requirements had limitations on how national authorities could use data.
Answer: A
Explanation:
In 2014, the European Court of Justice (ECJ) declared the Data Retention Directive (2006/24/EC)
invalid. The Directive required communication service providers to retain certain categories of data
(related to electronic communications) for a period of between 6 months and 2 years, so as to ensure
that the data would be available for the purpose of the investigation, detection, and prosecution of
serious crime.
The ECJ found the directive to be invalid because it constituted a serious interference with fundamental
rights to respect for private life and to the protection of personal data. The Directive affected all
individuals without any exception, lacked clear criteria, and did not provide sufficient safeguards against
the risk of abuse and unlawful access. It did not require any relationship between the data whose
retention was provided for and a threat to public security, which meant even individuals not suspected of
any wrongdoing had their data retained.
Option B is incorrect because the decision was not primarily based on financial burdens to businesses.
Option C is incorrect as the decision did not relate to data localization or where data must be held.
Option D is incorrect because the Directive's problem was that it lacked sufficient limitations and
safeguards rather than having them.

3. Which of the following countries will continue to enjoy adequacy status under the GDPR, pending any
future European Commission decision to the contrary?
A. Greece
B. Norway
C. Australia
D. Switzerland
Answer: B
Explanation:
Norway is not a member of the European Union (EU) but is a member of the European Economic Area
(EEA). The EEA consists of the EU Member States plus Norway, Liechtenstein, and Iceland. These EEA
countries have incorporated the GDPR into their national laws, ensuring that the same level of data
protection is upheld. Therefore, data transfers between the EU and these EEA countries, including
Norway, occur seamlessly without the need for any specific adequacy decision by the European
Commission.
A. Greece is an EU Member State, so the concept of adequacy status does not apply. GDPR is directly
applicable in Greece as it is in all EU Member States.
C. Australia does not have an adequacy decision under the GDPR as of January 2022.
Data transfers to Australia would need to rely on other GDPR-approved mechanisms unless an
adequacy decision is made in the future.
D. Switzerland is not an EU or EEA member but has been recognized as providing an adequate level of
data protection. However, the wording of the question implies a country that enjoys adequacy status by
default due to its relationship with the EU/EEA, which makes Norway the better answer.

4. Which of the following describes a mandatory requirement for a group of undertakings that wants to
appoint a single data protection officer?
A. The group of undertakings must obtain approval from a supervisory authority.
B. The group of undertakings must be comprised of organizations of similar sizes and functions.
C. The data protection officer must be located in the country where the data controller has its main
establishment.
D. The data protection officer must be easily accessible from each establishment where the undertakings
are located.
Answer: D
Explanation:
Reference: https://www.privacy-regulation.eu/en/article-37-designation-of-the-data-protection-officer-GDPR.htm

5. SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a
multi-billion-dollar candy company operating in every continent. All of the company’s IT servers
are located in Vermont. This year Joe hires his son Ben to join the company and head up Project
Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a
PhD in computer software from a top university. Ben decided to join his father’s company, but is also
secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them
might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s
online web portal and requires customers in the European Union and elsewhere to provide additional
personal information in order to remain a customer. Project Ben begins collecting data about customers’
philosophical beliefs, political opinions and marital status.

If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate
database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly
asks each customer to give their consent by requiring them to check a box before accepting their
information. As Project Big is an important project, the company also hires a first-year college student
named Sam, who is studying computer science, to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland
over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside
in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the
company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it.
Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in
the company to follow, as it is important for the company to have in place a legal mechanism to transfer
data internally from the company’s operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in charge of handling a
major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the
lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the
entire global sales team, including the European Union, and send everything to her so that she can
review everyone’s information. Alice believes that Joe will be happy that she did the first-level review, as it
will save the company a lot of money that would otherwise be paid to its outside law firm.
Ben’s collection of additional data from customers created several potential issues for the company,
which would most likely require what?
A. New corporate governance and code of conduct.
B. A data protection impact assessment.
C. A comprehensive data inventory.
D. Hiring a data protection officer.
Answer: B
