
[2025] CIPP-E PDF Questions - Perfect Prospect To Go With Test4Cram Practice Exam
IAPP CIPP-E Pdf Questions - Outstanding Practice To your Exam
IAPP CIPP-E (Certified Information Privacy Professional/Europe (CIPP/E)) Certification Exam is a highly respected certification that demonstrates a deep understanding of European data protection laws and regulations. It is designed for individuals who work with the collection, use, and storage of personal information within the European Union. CIPP-E exam covers a wide range of topics, such as the General Data Protection Regulation (GDPR), the ePrivacy Directive, and the EU-US Privacy Shield.
NEW QUESTION # 156
An unforeseen power outage results in company Z's lack of access to customer data for six hours. According to article 32 of the GDPR, this is considered a breach. Based on the WP 29's February, 2018 guidance, company Z should do which of the following?
- A. Notify the supervisory authority about the loss of availability
- B. Conduct a thorough audit of all security systems
- C. Document the loss of availability to demonstrate accountability
- D. Notify affected individuals that their data was unavailable for a period of time.
Answer: A
Explanation:
Explanation/Reference: https://www.google.com/url?
sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwihmsidxtTqAhXvQUEAHXRaAdYQFjABegQIARAB& url=https%3A%2F%2Fec.europa.eu%2Fnewsroom%2Farticle29%2Fdocument.cfm%3Fdoc_id%
3D49827&usg=AOvVaw2uhYsKyRzJ6lwhQyiMURJF (5)
NEW QUESTION # 157
SCENARIO
Please use the following to answer the next question:
Zandelay Fashion ('Zandelay') is a successful international online clothing retailer that employs approximately
650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company's compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.
The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.
In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company's customers by analyzing their purchases. Martin tells the CEO that: (a) the potential risks of such activities means that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures. Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.
Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay's business plan and associated processing activities.
What must Zandelay provide to the supervisory authority during the prior consultation?
- A. Records showing that customers have explicitly consented to the intended profiling activities.
- B. An explanation of the purposes and means of the intended processing.
- C. Certificates that prove Martin's professional qualities and expert knowledge of data protection law.
- D. An evaluation of the complexity of the intended processing.
Answer: B
NEW QUESTION # 158
An online company's privacy practices vary due to the fact that it offers a wide variety of services. How could it best address the concern that explaining them all would make the policies incomprehensible?
- A. Identify uses of data in a privacy notice mailed to the data subject.
- B. Use a layered privacy notice on its website and in its email communications.
- C. Place a banner on its website stipulating that visitors agree to its privacy policy and terms of use by visiting the site.
- D. Provide only general information about its processing activities and offer a toll-free number for more information.
Answer: A
Explanation:
Reference https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-bureau- consumer-protection-preliminary-ftc-staff-report-protecting-consumer/101201privacyreport.pdf
NEW QUESTION # 159
Which of the following was the first legally binding international instrument in the area of data protection?
- A. General Data Protection Regulation.
- B. Universal Declaration of Human Rights.
- C. EU Directive on Privacy and Electronic Communications.
- D. Convention 108.
Answer: D
Explanation:
Reference:
Convention 108, also known as the "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data" was adopted by the Council of Europe in 1981. It was the first legally binding international instrument on data protection and required signatories to take steps in their domestic legislation to apply the principles it lays down in order to ensure respect in their territory for the fundamental human rights of all individuals with regard to processing of personal data1. The Convention covers both the public and private sectors, and applies to any type of data processing, whether automated or not. The Convention also provides for the establishment of independent supervisory authorities and the facilitation of transborder data flows2.
The other options are incorrect because:
B) The General Data Protection Regulation (GDPR) is a regulation of the European Union that came into force in 2018. It is not the first legally binding international instrument on data protection, but rather a successor of the EU Directive 95/46/EC, which was adopted in 1995 and implemented by the EU member states in their national laws3.
C) The Universal Declaration of Human Rights (UDHR) is a resolution of the United Nations General Assembly that was adopted in 1948. It is not a legally binding international instrument, but rather a declaration of common principles and values that guide the development of human rights law. The UDHR does not explicitly mention data protection, but rather recognizes the right to privacy as a fundamental human right in Article 124.
D) The EU Directive on Privacy and Electronic Communications (e-Privacy Directive) is a directive of the European Union that was adopted in 2002 and amended in 2009. It is not the first legally binding international instrument on data protection, but rather a specific instrument that complements the EU Directive 95/46/EC and the GDPR by providing additional rules for the protection of personal data in the context of electronic communications services5.
NEW QUESTION # 160
What is true if an employee makes an access request to his employer for any personal data held about him?
- A. The employer must supply any information held about an employee unless an exemption applies.
- B. The employer must supply all the information held about the employee.
- C. The employer can automatically decline the request if it contains personal data about a third person.
- D. The employer can decline the request if the information is only held electronically.
Answer: A
NEW QUESTION # 161
A company has collected personal data tor direct marketing purpose on the basis of consent. It is now considering using this data to develop new products through analytics. What is the company first required to do?
- A. Proceed no further, as such repurposing is unlawful
- B. Only inform the data subjects of the new purpose.
- C. Obtain specific consent for the new processing
- D. Update the privacy notice upon which consent was given
Answer: C
Explanation:
According to the GDPR, consent is one of the lawful bases for processing personal data1. Consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her2. Therefore, consent must be specific to each purpose of processing and cannot be bundled with other purposes3. If a company wants to use personal data for a new purpose that is not compatible with the original purpose for which consent was given, it must obtain a new consent from the data subjects for the new processing4. Simply informing the data subjects of the new purpose or updating the privacy notice is not sufficient, as it does not imply the data subject's agreement to the new processing. Proceeding with the new processing without obtaining a new consent would be unlawful and could result in fines and sanctions5. Reference:
Free CIPP/E Study Guide, page 23, section 4.1.1
GDPR, Article 4 (11)
GDPR, Recital 32
GDPR, Article 6 (4)
GDPR, Article 83 (5) (a)
NEW QUESTION # 162
Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?
- A. The European Commission can adopt an adequacy decision for individual companies.
- B. EU member states are vested with the power to accept or reject a European Commission adequacy decision.
- C. To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation.
- D. The European Commission can adopt, repeal or amend an existing adequacy decision.
Answer: A
Explanation:
Explanation/Reference: https://www.futurelearn.com/courses/general-data-protection-regulation/0/steps/32449
NEW QUESTION # 163
Please use the following to answer the next question:
Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
Name
Address
Date of Birth
Payroll number
National Insurance number
Sick pay entitlement
Maternity/paternity pay entitlement
Holiday entitlement
Pension and benefits contributions
Trade union contributions
Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
The GDPR requires sufficient guarantees of a company's ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?
- A. Vetting companies' measures with the appropriate supervisory authority.
- B. Avoiding the use of another company's data to improve their own services.
- C. Requesting advice and technical support from Company A's IT team.
- D. Hiring companies whose measures are consistent with recommendations of accrediting bodies.
Answer: D
NEW QUESTION # 164
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
* Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
* Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
* Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees.
These records are available to former students after registering through Granchester's Alumni portal.
Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
* Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Before Anna determines whether Frank's performance database is permissible, what additional information does she need?
- A. More information about Frank's data protection training.
- B. More information about the algorithm Frank used to mask student numbers.
- C. More information about what students have been told and how the research will be used.
- D. More information about the extent of the information loss.
Answer: C
Explanation:
Before Anna determines whether Frank's performance database is permissible, she needs to know more information about the following aspects of the data processing:
* The purpose and legal basis of the data processing, which should be clearly defined and documented in a data protection impact assessment (DPIA) or a similar document12.
* The nature and extent of the personal data involved, which should be limited to what is necessary for the purpose and not retained longer than necessary12.
* The measures taken to ensure the security and confidentiality of the personal data, such as encryption, pseudonymization, access control, etc12.
* The rights and interests of the data subjects, such as their right to access, rectify, erase or restrict their personal data, as well as their right to object or withdraw consent12.
* The potential risks and consequences of the data processing for the rights and freedoms of the data subjects, such as identity theft, discrimination, reputational damage, etc12.
In this case, Anna needs to know more information about what students have been told and how the research will be used. This is because:
* The purpose of using student records for research purposes is not clear from Frank's description. He does not specify whether he has obtained consent from the students or their parents/guardians, or whether he has informed them about his research objectives and methods.
* The nature and extent of using student records for research purposes is not clear from Frank's description. He does not specify which student records he is using (e.g., by name or by reference number), how many records he is using (e.g., by cohort or by class), or how long he will keep them (e.
g., until graduation or indefinitely).
* The measures taken to ensure the security and confidentiality of using student records for research purposes are not clear from Frank's description. He does not specify whether he has encrypted his program or his laptop before transferring it to his home device, whether he has backed up his program or his laptop before losing it on the train, or whether he has reported his lost laptop to his IT department.
Therefore, Anna needs more information about these aspects before she can determine whether Frank's performance database is permissible under the GDPR.
References: 1: Free CIPP/E Study Guide - International Association of Privacy Professionals 2: CIPP/E Certification - International Association of Privacy Professionals
NEW QUESTION # 165
According to the E-Commerce Directive 2000/31/EC, where is the place of "establishment" for a company providing services via an Internet website confirmed by the GDPR?
- A. Where the customer's Internet service provider is located
- B. Where the decisions about processing are made
- C. Where the technology supporting the website is located
- D. Where the website is accessed
Answer: B
Explanation:
According to the E-Commerce Directive 2000/31/EC, the place of establishment for a company providing services via an Internet website is the place where the service provider effectively pursues an economic activity through a fixed establishment for an indefinite period of time. The presence and use of the technical means and technologies required to provide the service do not, in themselves, constitute an establishment of the provider. The place of establishment is determined by the place where the decisions about processing are made, not by the place where the technology supporting the website is located, where the website is accessed, or where the customer's Internet service provider is located. This is confirmed by the GDPR, which applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. References:
* E-Commerce Directive 2000/31/EC, Article 2(a), Recital 191
* GDPR, Article 3(1)2
NEW QUESTION # 166
MagicClean is a web-based service located in the United States that matches home cleaning services to customers. It otters its services exclusively in the United States It uses a processor located in France to optimize its data. Is MagicClean subject to the GDPR?
- A. Yes. because MagicClean's data processing agreement with the French processor is an establishment in the EU
- B. Yes, because MagicClean is processing data in the EU
- C. No, because MagicClean is located m the United States only.
- D. No. because MagicClean is not offering services to EU data subjects.
Answer: D
Explanation:
According to Article 3 of the GDPR, the regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. The regulation also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to such data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU. In this case, MagicClean is a controller not established in the EU, and it does not offer services to EU data subjects or monitor their behaviour. Therefore, MagicClean is not subject to the GDPR, even if it uses a processor located in France to optimize its data. The location of the processor does not determine the applicability of the GDPR, but the context of the activities of the controller or the processor and the relationship with the data subjects. References:
* Article 3 of the GDPR
* IAPP CIPP/E Study Guide, page 14
NEW QUESTION # 167
Which of the following is NOT a role of works councils?
- A. Determining whether employees' personal data can be processed or not.
- B. Determining what changes will affect employee working conditions.
- C. Determining whether to approve or reject certain decisions of the employer that affect employees.
- D. Determining the monetary fines to be levied against employers for data breach violations of employee data.
Answer: D
NEW QUESTION # 168
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester's Alumni portal. Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Before Anna determines whether Frank's performance database is permissible, what additional information does she need?
- A. More information about Frank's data protection training.
- B. More information about the algorithm Frank used to mask student numbers.
- C. More information about what students have been told and how the research will be used.
- D. More information about the extent of the information loss.
Answer: C
Explanation:
Before Anna determines whether Frank's performance database is permissible, she needs to know more information about the following aspects of the data processing:
The purpose and legal basis of the data processing, which should be clearly defined and documented in a data protection impact assessment (DPIA) or a similar document12.
The nature and extent of the personal data involved, which should be limited to what is necessary for the purpose and not retained longer than necessary12.
The measures taken to ensure the security and confidentiality of the personal data, such as encryption, pseudonymization, access control, etc12.
The rights and interests of the data subjects, such as their right to access, rectify, erase or restrict their personal data, as well as their right to object or withdraw consent12.
The potential risks and consequences of the data processing for the rights and freedoms of the data subjects, such as identity theft, discrimination, reputational damage, etc12.
In this case, Anna needs to know more information about what students have been told and how the research will be used. This is because:
The purpose of using student records for research purposes is not clear from Frank's description. He does not specify whether he has obtained consent from the students or their parents/guardians, or whether he has informed them about his research objectives and methods.
The nature and extent of using student records for research purposes is not clear from Frank's description. He does not specify which student records he is using (e.g., by name or by reference number), how many records he is using (e.g., by cohort or by class), or how long he will keep them (e.g., until graduation or indefinitely).
The measures taken to ensure the security and confidentiality of using student records for research purposes are not clear from Frank's description. He does not specify whether he has encrypted his program or his laptop before transferring it to his home device, whether he has backed up his program or his laptop before losing it on the train, or whether he has reported his lost laptop to his IT department.
Therefore, Anna needs more information about these aspects before she can determine whether Frank's performance database is permissible under the GDPR.
NEW QUESTION # 169
When collecting personal data in a European Union (EU) member state, what must a company do if it collects personal data from a source other than the data subjects themselves?
- A. Provide a public notice regarding the data
- B. Update the data within a reasonable timeframe
- C. Inform the subjects about the collection
- D. Upgrade security to match that of the source
Answer: C
NEW QUESTION # 170
SCENARIO
Please use the following to answer the next question:
Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B.
Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
* Name
* Address
* Date of Birth
* Payroll number
* National Insurance number
* Sick pay entitlement
* Maternity/paternity pay entitlement
* Holiday entitlement
* Pension and benefits contributions
* Trade union contributions
Jenny is the compliance officer at Company A.
She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
Under the GDPR, which of Company B's actions would NOT be likely to trigger a potential enforcement action?
- A. Their failure to provide sufficient security safeguards to Company A's data.
- B. Their decision to operate without a data protection officer.
- C. Their omission of data protection provisions in their contract with Company C.
- D. Their engagement of Company C to improve their payroll service.
Answer: D
NEW QUESTION # 171
In which of the following cases would an organization MOST LIKELY be required to follow both ePrivacy and data protection rules?
- A. When paying a search engine company to give prominence to certain products and services within specific search results.
- B. When creating an untargeted pop-up ad on a website.
- C. When calling a potential customer to notify her of an upcoming product sale.
- D. When emailing a customer to announce that his recent order should arrive earlier than expected.
Answer: B
NEW QUESTION # 172
Under Article 9 of the GDPR, which of the following categories of data is NOT expressly prohibited from data processing?
- A. Personal data revealing financial data.
- B. Personal data revealing genetic data.
- C. Personal data revealing ethnic origin.
- D. Personal data revealing trade union membership.
Answer: A
Explanation:
Article 9 of the GDPR prohibits the processing of special categories of personal data, which are data that reveal sensitive information about the data subject and may pose a high risk to their rights and freedoms. The GDPR defines 10 types of personal data as special categories, which are:
personal data revealing racial or ethnic origin;
personal data revealing political opinions;
personal data revealing religious or philosophical beliefs;
personal data revealing trade union membership;
genetic data;
biometric data (where used for identification purposes);
data concerning health;
data concerning a person's sex life; and
data concerning a person's sexual orientation.
Among the answer choices, only option C is not one of these categories, as financial data is not considered to reveal any sensitive information about the data subject. However, financial data is still subject to the general principles and rules of the GDPR, such as lawfulness, fairness, transparency, accuracy, security, etc. Reference:
Special category data | ICO
Art. 9 GDPR Processing of special categories of personal data
Special Categories of Data - International Association of Privacy Professionals
NEW QUESTION # 173
Which GDPR principle would a Spanish employer most likely depend upon to annually send the personal data of its employees to the national tax authority?
- A. The protection of the vital interest of the employees.
- B. The consent of the employees.
- C. The legitimate interest of the public administration.
- D. The legal obligation of the employer.
Answer: D
Explanation:
According to Article 6 of the GDPR, the processing of personal data is only lawful if and to the extent that at least one of the following applies:
* the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
* processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
* processing is necessary for compliance with a legal obligation to which the controller is subject;
* processing is necessary in order to protect the vital interests of the data subject or of another natural person;
* processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
* processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
In this case, the Spanish employer would most likely depend on the legal obligation of the employer as the lawful basis for sending the personal data of its employees to the national tax authority. This is because the employer is subject to the tax laws and regulations of Spain, which require the employer to report the income and deductions of its employees to the tax authority on an annual basis. The employer must comply with this legal obligation, and the processing of the employees' personal data is necessary for this purpose. The employer does not need to obtain the consent of the employees, as consent is not a valid basis for processing personal data where there is a clear imbalance between the data subject and the controller, such as in the context of employment. The employer also does not need to rely on the legitimate interest of the public administration, as this is not a specific purpose for which the employer is processing the personal data, but rather a general interest that may be served by the tax authority. The employer also does not need to invoke the protection of the vital interest of the employees, as this basis only applies in situations where the processing is necessary to protect someone's life, such as in a medical emergency. References: Article 6 GDPR - Lawfulness of processing - General Data Protection Regulation (GDPR), Lawful basis for processing
| ICO, Legal obligation as a lawful basis for processing personal data under the GDPR, [Consent in the employment context | ICO], [Vital interests | ICO]
NEW QUESTION # 174
Tanya is the Data Protection Officer for Curtains Inc., a GDPR data controller. She has recommended that the company encrypt all personal data at rest. Which GDPR principle is she following?
- A. Accuracy
- B. Storage Limitation
- C. Integrity and confidentiality
- D. Lawfulness, fairness and transparency
Answer: C
Explanation:
The GDPR requires that personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures1. This principle is known as integrity and confidentiality, or sometimes as security2. Encryption is one of the possible technical measures that can be used to protect personal data at rest, as it makes the data unintelligible to anyone who does not have the key to decrypt it3. By recommending that the company encrypts all personal data at rest, Tanya is following the principle of integrity and confidentiality, as she is ensuring that the personal data is secure and protected from unauthorised access or accidental damage. References: 1: Article 5(1)(f) of the GDPR 2: A guide to the data protection principles | ICO 3: Encryption | ICO
NEW QUESTION # 175
......
Online Questions - Outstanding Practice To your CIPP-E Exam: https://pass4sure.test4cram.com/CIPP-E_real-exam-dumps.html