
[Nov-2021] CIPP-C Pre-Exam Practice Tests | Exam Questions and Answers for Certified Information Privacy Professional Study Guide
Certified Information Privacy Professional/ Canada (CIPP/C) Certification Sample Questions
NEW QUESTION 86
SCENARIO
Please use the following to answer the next question:
Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B.
Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
* Name
* Address
* Date of Birth
* Payroll number
* National Insurance number
* Sick pay entitlement
* Maternity/paternity pay entitlement
* Holiday entitlement
* Pension and benefits contributions
* Trade union contributions
Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
Under the GDPR, which of Company B's actions would NOT be likely to trigger a potential enforcement action?
- A. Their omission of data protection provisions in their contract with Company C.
- B. Their failure to provide sufficient security safeguards to Company A's data.
- C. Their decision to operate without a data protection officer.
- D. Their engagement of Company C to improve their payroll service.
Answer: D
NEW QUESTION 87
Under the GDPR, who would be LEAST likely to be allowed to engage in the collection, use, and disclosure of a data subject's sensitive medical information without the data subject's knowledge or consent?
- A. A health professional involved in the medical care for the data subject, where the data subject's life hinges on the timely dissemination of such information.
- B. A member of the judiciary involved in adjudicating a legal dispute involving the data subject and concerning the health of the data subject.
- C. A journalist writing an article relating to the medical condition in QUESTION, who believes that the publication of such information is in the public interest.
- D. A public authority responsible for public health, where the sharing of such information is considered necessary for the protection of the general populace.
Answer: D
NEW QUESTION 88
What obligation does a data controller or processor have after appointing a data protection officer?
- A. To provide resources necessary to carry out the defined tasks of the data protection officer and to maintain his or her expert knowledge.
- B. To ensure that the data protection officer acts as the sole point of contact for individuals' Questions:
about their personal data. - C. To submit for approval to the data protection officer a code of conduct to govern organizational practices and demonstrate compliance with data protection principles.
- D. To ensure that the data protection officer receives sufficient instructions regarding the exercise of his or her defined tasks.
Answer: C
NEW QUESTION 89
A Spanish electricity customer calls her local supplier with Questions: about the company's upcoming merger.
Specifically, the customer wants to know the recipients to whom her personal data will be disclosed once the merger is final. According to Article 13 of the GDPR, what must the company do before providing the customer with the requested information?
- A. Verify that the personal data has not already been sent to the customer.
- B. Verify that the purpose of the request from the customer is in line with the GDPR.
- C. Verify that the identity of the customer can be proven by other means.
- D. Verify that the request is applicable to the data collected before the GDPR entered into force.
Answer: D
NEW QUESTION 90
SCENARIO
Looking back at your first two years as the Director of Personal Information Protection and Compliance for the Berry Country Regional Medical Center in Thorn Bay, Ontario, Canada, you see a parade of accomplishments, from developing state-of-the-art simulation based training for employees on privacy protection to establishing an interactive medical records system that is accessible by patients as well as by the medical personnel. Now, however, a question you have put off looms large: how do we manage all the data-not only records produced recently, but those still on hand from years ago? A data flow diagram generated last year shows multiple servers, databases, and work stations, many of which hold files that have not yet been incorporated into the new records system. While most of this data is encrypted, its persistence may pose security and compliance concerns. The situation is further complicated by several long-term studies being conducted by the medical staff using patient information. Having recently reviewed the major Canadian privacy regulations, you want to make certain that the medical center is observing them.
You also recall a recent visit to the Records Storage Section, often termed "The Dungeon" in the basement of the old hospital next to the modern facility, where you noticed a multitude of paper records. Some of these were in crates marked by years, medical condition or alphabetically by patient name, while others were in undifferentiated bundles on shelves and on the floor. The back shelves of the section housed data tapes and old hard drives that were often unlabeled but appeared to be years old. On your way out of the dungeon, you noticed just ahead of you a small man in a lab coat who you did not recognize. He carried a batch of folders under his arm, apparently records he had removed from storage.
Which cryptographic standard would be most appropriate for protecting patient credit card information in the records system?
- A. Symmetric Encryption
- B. Obfuscation
- C. Hashing
- D. Asymmetric Encryption
Answer: D
NEW QUESTION 91
What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014?
- A. The requirements affected individuals without exception.
- B. The requirements were financially burdensome to EU businesses.
- C. The requirements had limitations on how national authorities could use data.
- D. The requirements specified that data must be held within the EU.
Answer: C
NEW QUESTION 92
What is true if an employee makes an access request to his employer for any personal data held about him?
- A. The employer can decline the request if the information is only held electronically.
- B. The employer must supply any information held about an employee unless an exemption applies.
- C. The employer must supply all the information held about the employee.
- D. The employer can automatically decline the request if it contains personal data about a third person.
Answer: B
NEW QUESTION 93
SCENARIO
Please use the following to answer the next question:
WonderkKids provides an online booking service for childcare. Wonderkids is based in France, but hosts its website through a company in Switzerland. As part of their service, WonderKids will pass all personal data provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person booking the childcare, address and contact details, as well as information about the children to be cared for including name, age, gender and health information. The privacy statement on Wonderkids' website states the following:
"WonderkKids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may also use your and your child's personal information for our own legitimate business purposes and we employ a third-party website hosting company located in Switzerland to store the data. Any data stored on equipment located in Switzerland meets the European Commission provisions for guaranteeing adequate safeguards for you and your child's personal information.
We will only share you and your child's personal information with businesses that we see as adding real value to you. By providing us with any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers."
"We may retain you and your child's personal information for no more than 28 days, at which point the data will be depersonalized, unless your personal information is being used for a legitimate business purpose beyond 28 days where it may be retained for up to 2 years."
"We are processing you and your child's personal information with your consent. If you choose not to provide certain information to us, you may not be able to use our services. You have the right to: request access to you and your child's personal information; rectify or erase you or your child's personal information; the right to correction or erasure of you and/or your child's personal information; object to any processing of you and your child's personal information. You also have the right to complain to the supervisory authority about our data processing activities." What additional information must Wonderkids provide in their Privacy Statement?
- A. Technical and organizational measures to protect data.
- B. How often promotional emails will be sent.
- C. Contact information of the hosting company.
- D. The categories of recipients with whom data will be shared.
Answer: C
NEW QUESTION 94
What practice does the USA FREEDOM Act NOT authorize?
- A. Emergency exceptions that allows the government to target roamers
- B. The bulk collection of telephone data and internet metadata
- C. An increase in the maximum penalty for material support to terrorism
- D. An extension of the expiration for roving wiretaps
Answer: A
NEW QUESTION 95
Which of the following would NOT be relevant when determining if a processing activity would be considered profiling?
- A. If the processing is used to predict the behavior of data subjects
- B. If the processing is to be performed by a third-party vendor
- C. If the processing involves data that is considered personal data
- D. If the processing of the data is done through automated means
Answer: A
NEW QUESTION 96
As a result of the European Court of Justice's ruling in the case of Google v. Spain, search engines outside the EEA are also likely to be subject to the Regulation's right to be forgotten. This holds true if the activities of an EU subsidiary and its U.S. parent are what?
- A. Consistent with Privacy Shield requirements
- B. Inextricably linked in their businesses.
- C. Supervised by the same Data Protection Officer.
- D. Bound by a standard contractual clause.
Answer: B
NEW QUESTION 97
What is the function of the privacy operational life cycle?
- A. It ensures that outdated privacy policies are retired on a set schedule
- B. It establishes initial plans for privacy protection and implementation
- C. It allows the organization to respond to ever-changing privacy demands
- D. It allows privacy policies to mature to a fixed form
Answer: B
NEW QUESTION 98
SCENARIO
Tom looked forward to starting his new position with a U.S -based automobile leasing company (New Company), now operating in 32 states. New Company was recently formed through the merger of two prominent players, one from the eastern region (East Company) and one from the western region (West Company). Tom, a Certified Information Privacy Technologist (CIPT), is New Company's first Information Privacy and Security Officer. He met today with Dick from East Company, and Harry, from West Company.
Dick and Harry are veteran senior information privacy and security professionals at their respective companies, and continue to lead the east and west divisions of New Company. The purpose of the meeting was to conduct a SWOT (strengths/weaknesses/opportunities/threats) analysis for New Company. Their SWOT analysis conclusions are summarized below.
Dick was enthusiastic about an opportunity for the New Company to reduce costs and increase computing power and flexibility through cloud services. East Company had been contemplating moving to the cloud, but West Company already had a vendor that was providing it with software-as-a-service (SaaS). Dick was looking forward to extending this service to the eastern region. Harry noted that this was a threat as well, because West Company had to rely on the third party to protect its data.
Tom mentioned that neither of the legacy companies had sufficient data storage space to meet the projected growth of New Company, which he saw as a weakness. Tom stated that one of the team's first projects would be to construct a consolidated New Company data warehouse. Tom would personally lead this project and would be held accountable if information was modified during transmission to or during storage in the new data warehouse.
Tom, Dick and Harry agreed that employee network access could be considered both a strength and a weakness. East Company and West Company had strong performance records in this regard; both had robust network access controls that were working as designed. However, during a projected year-long transition period, New Company employees would need to be able to connect to a New Company network while retaining access to the East Company and West Company networks.
When employees are working remotely, they usually connect to a Wi-Fi network. What should Harry advise for maintaining company security in this situation?
- A. Employing Wired Equivalent Privacy (WEP) encryption.
- B. Retaining the password assigned by the network.
- C. Hiding wireless service set identifiers (SSID).
- D. Using tokens sent through HTTP sites to verify user identity.
Answer: C
NEW QUESTION 99
Which area of privacy is a lead supervisory authority's (LSA) MAIN concern?
- A. Cross-border processing
- B. Special categories of data
- C. Data access disputes
- D. Data subject rights
Answer: A
NEW QUESTION 100
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Ontario University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
* Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
* Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
* Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees.
These records are available to former students after registering through Ontario's Alumni portal.
Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
* Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Anna will find that a risk analysis is NOT necessary in this situation as long as?
- A. The algorithms that Frank uses for the processing are technologically sound
- B. The data subjects gave their unambiguous consent for the original processing
- C. The data subjects are no longer current students of Frank's
- D. The processing will not negatively affect the rights of the data subjects
Answer: B
NEW QUESTION 101
In addition to the European Commission, who can adopt standard contractual clauses, assuming that all required conditions are met?
- A. The Council of the European Union.
- B. Approved data controllers.
- C. National data protection authorities.
- D. The European Data Protection Supervisor.
Answer: B
NEW QUESTION 102
Which of the following would require designating a data protection officer?
- A. Processing is carried out by an organization employing 250 persons or more.
- B. The core activities of the controller or processor consist of processing operations that require systematic monitoring of data subjects on a large scale.
- C. The core activities of the controller or processor consist of processing operations of financial information or information relating to children.
- D. Processing is carried out for the purpose of providing for-profit goods or services to individuals in the EU.
Answer: B
NEW QUESTION 103
......
IAPP Exam Practice Test To Gain Brilliante Result: https://www.fast2test.com/CIPP-C-premium-file.html
Tested Material Used To CIPP-C: https://drive.google.com/open?id=12ibkurjewDX-RtAgDy4MLGd-GEhGiygR