CIPP-C Dumps To Pass IAPP Exam in 24 Hours - DumpsKing [Q87-Q106]

CIPP-C Dumps To Pass IAPP Exam in 24 Hours - DumpsKing

Buy Latest CIPP-C Exam Q&A PDF - One Year Free Update

NEW QUESTION 87
Which change was introduced by the 2009 amendments to the e-Privacy Directive 2002/58/EC?

• A. A mandatory notification for personal data breaches applicable to all data controllers.
• B. A voluntary notification for personal data breaches applicable to electronic communication providers.
• C. A mandatory notification for personal data breaches applicable to electronic communication providers.
• D. A voluntary notification for personal data breaches applicable to all data controllers.

Answer: C

 

NEW QUESTION 88
In what way does the "Red Flags Rule" under the Fair and Accurate Credit Transactions Act (FACTA) relate to the owner of a grocery store who uses a money wire service?

• A. it mandates the use of updated technology for securing credit records
• B. it does not apply because the owner is not a creditor
• C. it requires the owner to implement an identity theft warning system
• D. it is not usually enforced in the case of a small financial institution

Answer: A

 

NEW QUESTION 89
SCENARIO
Please use the following to answer the next QUESTION:
Edufox has hosted an annual convention of users of its famous e-learning software platform, and over time, it has become a grand event. It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centerpiece of the company's product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family.
This year's conference is only three weeks away, and you have just heard news of a new initiative supporting it: a smartphone app for attendees. The app will support late registration, highlight the featured presentations and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. "It's going to be great," the developer, Deidre Hoffman, tells you, "if, that is, we actually get it working!" She laughs nervously but explains that because of the tight time frame she'd been given to build the app, she outsourced the job to a local firm. "It's just three young people," she says, "but they do great work." She describes some of the other apps they have built. When asked how they were selected for this job, Deidre shrugs. "They do good work, so I chose them." Deidre is a terrific employee with a strong track record. That's why she's been charged to deliver this rushed project. You're sure she has the best interests of the company at heart, and you don't doubt that she's under pressure to meet a deadline that cannot be pushed back. However, you have concerns about the app's handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her about it, but she quickly tries to reassure you, "I'm sure with your help we can fix any security issues if we have to, but I doubt there'll be any. These people build apps for a living, and they know what they're doing.
You worry too much, but that's why you're so good at your job!"
Which is the best first step in understanding the data security practices of a potential vendor?

• A. Requiring the vendor to complete a questionaire assessing International Organization for Standardization (ISO) 27001 compliance.
• B. Conducting a physical audit of the vendor's facilities.
• C. Examining investigation records of any breaches the vendor has experienced.
• D. Conducting a penetration test of the vendor's data security structure.

Answer: C

 

NEW QUESTION 90
SCENARIO
Please use the following to answer the next question:
Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B.
Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
* Name
* Address
* Date of Birth
* Payroll number
* National Insurance number
* Sick pay entitlement
* Maternity/paternity pay entitlement
* Holiday entitlement
* Pension and benefits contributions
* Trade union contributions
Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
The GDPR requires sufficient guarantees of a company's ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?

• A. Avoiding the use of another company's data to improve their own services.
• B. Vetting companies' measures with the appropriate supervisory authority.
• C. Hiring companies whose measures are consistent with recommendations of accrediting bodies.
• D. Requesting advice and technical support from Company A's IT team.

Answer: C

 

NEW QUESTION 91
Under Article 30 of the GDPR, controllers are required to keep records of all of the following EXCEPT?

• A. Retention periods for erasure and deletion of categories of personal data.
• B. Incidents of personal data breaches, whether disclosed or not.
• C. Data inventory or data mapping exercises that have been conducted.
• D. Categories of recipients to whom the personal data have been disclosed.

Answer: A

 

NEW QUESTION 92
The GDPR specifies fines that may be levied against data controllers for certain infringements. Which of the following infringements would be subject to the less severe administrative fine of up to 10 million euros (or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year)?

• A. Failure to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing.
• B. Failure to provide the means for a data subject to rectify inaccuracies in personal data.
• C. Failure to process personal information in a manner compatible with its original purpose.
• D. Failure to implement technical and organizational measures to ensure data protection is enshrined by design and default.

Answer: B

 

NEW QUESTION 93
SCENARIO
Please use the following to answer the next question:
The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron's marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task.
At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron's legal department.
Registration Form
Vigotron's new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.) Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron's cloud provider, Stratculous. (Read more about Stratculous here.) Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer's name, email address or any other information gathered from the app to any third- party without a customer's consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer's legal rights or protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)
* First name:
* Surname:
* Year of birth:
* Email:
* Physical Address (optional*):
* Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to [email protected] or send a letter with your request to the address listed at the bottom of this page.
Terms and Conditions
1.Jurisdiction. [...]
2.Applicable law. [...]
3.Limitation of liability. [...]
Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.
Emily sends the draft to Sam for review. Which of the following is Sam most likely to point out as the biggest problem with Emily's consent provision?

• A. Processing health data requires explicit consent, but the form does not ask for explicit consent.
• B. The provision of the fitness app should be made conditional on the consent to the data processing for direct marketing.
• C. It is not legal to include fields requiring information regarding health status without consent.
• D. Direct marketing requires explicit consent, whereas the registration form only provides for a right to object

Answer: D

 

NEW QUESTION 94
An unforeseen power outage results in company Z's lack of access to customer data for six hours. According to article 32 of the GDPR, this is considered a breach. Based on the WP 29's February, 2018 guidance, company Z should do which of the following?

• A. Notify the supervisory authority about the loss of availability
• B. Conduct a thorough audit of all security systems
• C. Notify affected individuals that their data was unavailable for a period of time.
• D. Document the loss of availability to demonstrate accountability

Answer: A

 

NEW QUESTION 95
According to the GDPR, how is pseudonymous personal data defined?

• A. Data that can no longer be attributed to a specific data subject, with no possibility of re-identifying the data.
• B. Data that has been encrypted or is subject to other technical safeguards.
• C. Data that can no longer be attributed to a specific data subject without the use of additional information kept separately.
• D. Data that has been rendered anonymous in such a manner that the data subject is no longer identifiable.

Answer: C

 

NEW QUESTION 96
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Ontario University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
* Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
* Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
* Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees.
These records are available to former students after registering through Ontario's Alumni portal.
Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
* Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Before Anna determines whether Frank's performance database is permissible, what additional information does she need?

• A. More information about the extent of the information loss.
• B. More information about Frank's data protection training.
• C. More information about what students have been told and how the research will be used.
• D. More information about the algorithm Frank used to mask student numbers.

Answer: C

 

NEW QUESTION 97
Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?

• A. To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation.
• B. The European Commission can adopt, repeal or amend an existing adequacy decision.
• C. The European Commission can adopt an adequacy decision for individual companies.
• D. EU member states are vested with the power to accept or reject a European Commission adequacy decision.

Answer: C

 

NEW QUESTION 98
WP29's "Guidelines on Personal data breach notification under Regulation 2016/679'' provides examples of ways to communicate data breaches transparently. Which of the following was listed as a method that would NOT be effective for communicating a breach to data subjects?

• A. A notice on a corporate blog
• B. A postal notification
• C. A direct electronic message
• D. A prominent advertisement in print media

Answer: A

 

NEW QUESTION 99
When collecting personal data in a European Union (EU) member state, what must a company do if it collects personal data from a source other than the data subjects themselves?

• A. Inform the subjects about the collection
• B. Upgrade security to match that of the source
• C. Update the data within a reasonable timeframe
• D. Provide a public notice regarding the data

Answer: A

 

NEW QUESTION 100
SCENARIO
Please use the following to answer the next question:
The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron's marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task.
At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron's legal department.
Registration Form
Vigotron's new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.) Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron's cloud provider, Stratculous. (Read more about Stratculous here.) Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer's name, email address or any other information gathered from the app to any third- party without a customer's consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer's legal rights or protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)
* First name:
* Surname:
* Year of birth:
* Email:
* Physical Address (optional*):
* Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to [email protected] or send a letter with your request to the address listed at the bottom of this page.
Terms and Conditions
1.Jurisdiction. [...]
2.Applicable law. [...]
3.Limitation of liability. [...]
Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.
What is one potential problem Vigotron's age policy might encounter under the GDPR?

• A. Users are only required to be aged 13 or over to be considered adults.
• B. Organizations that tie a service to marketing must seek consent for each purpose.
• C. Organizations must make reasonable efforts to verify parental consent.
• D. Age restrictions are more stringent when health data is involved.

Answer: D

 

NEW QUESTION 101
When may a financial institution share consumer information with non-affiliated third parties for marketing purposes?

• A. After disclosing marketing practices to customers and after giving them an opportunity to opt in.
• B. After disclosing marketing practices to customers and after giving them an opportunity to opt out.
• C. After disclosing information-sharing practices to customers and after giving them an opportunity to opt in.
• D. After disclosing information-sharing practices to customers and after giving them an opportunity to opt out.

Answer: D

 

NEW QUESTION 102
An employee of company ABCD has just noticed a memory stick containing records of client data, including their names, addresses and full contact details has disappeared. The data on the stick is unencrypted and in clear text. It is uncertain what has happened to the stick at this stage, but it likely was lost during the travel of an employee. What should the company do?

• A. Invoke the "disproportionate effort" exception under Article 33 to postpone notifying data subjects until more information can be gathered.
• B. Immediately notify all the customers of the company that their information has been accessed by an unauthorized person.
• C. Notify as soon as possible the data protection supervisory authority that a data breach may have taken place.
• D. Launch an investigation and if nothing is found within one month, notify the data protection supervisory authority.

Answer: C

 

NEW QUESTION 103
After leaving the EU under the terms of Brexit, the United Kingdom will seek an adequacy determination.
What is the reason for this?

• A. The Insurance Commissioner determined that an adequacy determination is required by the Data Protection Act.
• B. Adequacy determinations automatically lapse when a Member State leaves the EU.
• C. The UK is less trustworthy now that its not part of the Union.
• D. The UK is now a third country because it's no longer subject to the GDPR.

Answer: D

 

NEW QUESTION 104
Which of the following is one of the supervisory authority's investigative powers?

• A. To require data controllers to provide them with written notification of all new processing activities.
• B. To determine whether a controller or processor has the right to a judicial remedy concerning a compensation decision made against them.
• C. To require that controllers or processors adopt approved data protection certification mechanisms.
• D. To notify the controller or the processor of an alleged infringement of the GDPR.

Answer: D

 

NEW QUESTION 105
What type of data lies beyond the scope of the General Data Protection Regulation?

• A. Pseudonymized
• B. Anonymized
• C. Encrypted
• D. Masked

Answer: B

 

NEW QUESTION 106
......

Download the Latest CIPP-C Dump - 2022 CIPP-C Exam Question Bank: https://www.dumpsking.com/CIPP-C-testking-dumps.html

Latest IAPP CIPP-C Certification Practice Test Questions: https://drive.google.com/open?id=1UiYjJ87N-kVovs3RvazWElyOhjb5SJcx