Online Access Free CIPP-E Exam Questions

A homeowner has installed a motion-detecting surveillance system that films his front doc and entryway. The camera does not film any public areas only areas that are the property of the homeowner. The system has seen declared to the authorities per the homeowner's country law, and a placard indicating the area is being video monitored is visible when entering the property Why can the homeowner NOT depend on the household exemption with regards to the processing of the video images recorded by the surveillance camera system?

• A.The GDPR specifically excludes surveillance camera images from the household exemption
• B.The surveillance camera system can potentially film individuals who enter its filming perimeter
• C.The homeowner has not specified which security measures ore in place as part of the surveillance camera system
• D.The surveillance camera system can potentially capture biometric information of the homeowner's family, which would be considered a processing of special categories of personal data.

Assuming that the "without undue delay" provision is followed, what is the time limit for complying with a data access request?

• A.Within one month of receipt, which may be extended by up to an additional month
• B.Within 40 days of receipt, which may be extended by up to 40 additional days
• C.Within one month of receipt, which may be extended by an additional two months
• D.Within 40 days of receipt

The GDPR specifies fines that may be levied against data controllers for certain infringements. Which of the following infringements would be subject to the less severe administrative fine of up to 10 million euros (or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year)?

• A.Failure to provide the means for a data subject to rectify inaccuracies in personal data.
• B.Failure to implement technical and organizational measures to ensure data protection is enshrined by design and default.
• C.Failure to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing.
• D.Failure to process personal information in a manner compatible with its original purpose.

Tanya is the Data Protection Officer for Curtains Inc., a GDPR data controller. She has recommended that the company encrypt all personal data at rest. Which GDPR principle is she following?

• A.Accuracy
• B.Lawfulness, fairness and transparency
• C.Storage Limitation
• D.Integrity and confidentiality

SCENARIO
Please use the following to answer the next question:
T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies.
T-Craze also opened various office locations throughout Europe to help expand its business. While Germany Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T- Craze, though with much less success.
The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from the Right Target on behalf of T-Craze.
What is the best option for the lead regulator when responding to the Spanish supervisory authority's notice that it plans to take action regarding Sofia's complaint?

• A.Reject, because GDPR does not allow other supervisory authorities to take action if there is a lead authority.
• B.Accept, because it did not receive any complaints.
• C.Reject, because Right Target's processing was conducted throughout Europe.
• D.Accept, because GDPR permits non-lead authorities to take action for such complaints.