Instant Download CIPP-E Dumps Q&As Provide PDF&Test Engine [Q113-Q136]


NEW QUESTION # 113
According to Article 14 of the GDPR, how long does a controller have to provide a data subject with necessary privacy information, if that subject's personal data has been obtained from other sources?

  • A. Within a reasonable period after obtaining the personal data, but no later than eight weeks.
  • B. As soon as possible after obtaining the personal data.
  • C. Within a reasonable period after obtaining the personal data, but no later than one month.
  • D. As soon as possible after the first communication with the data subject.

Answer: C

Explanation:
According to Article 14 of the GDPR, if the controller obtains personal data from other sources, such as third parties or publicly accessible sources, the controller must provide the data subject with the necessary privacy information, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, and the rights of the data subject. The controller must provide this information within a reasonable period after obtaining the personal data, but no later than one month, having regard to the specific circumstances in which the personal data are processed. However, there are some exceptions to this rule, such as if the data subject already has the information, if the provision of the information proves impossible or would involve a disproportionate effort, if the obtaining or disclosure of the data is expressly laid down by EU or member state law, or if the personal data must remain confidential subject to an obligation of professional secrecy [1][2].
Reference:
GDPR, Article 14
Free CIPP/E Study Guide, page 19, section 2.5.1
CIPP/E Certification, page 14, section 1.2.1
Art. 14 GDPR - Information to be provided where personal data have not been obtained from the data subject
Article 14 GDPR - GDPRhub


NEW QUESTION # 114
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco-friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick's instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients' data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft's engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies' websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem's as well as EcoMick's latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem's products, she has never shopped EcoMick, nor provided her personal data to that company.
JaphSoft's use of pseudonymization is NOT in compliance with the GDPR because?

  • A. JaphSoft failed to keep personally identifiable information in a separate database.
  • B. JaphSoft was in possession of information that could be used to identify data subjects.
  • C. JaphSoft failed to first anonymize the personal data.
  • D. JaphSoft pseudonymized all the data instead of deleting what it no longer needed.

Answer: D


NEW QUESTION # 115
According to the GDPR, how is pseudonymous personal data defined?

  • A. Data that can no longer be attributed to a specific data subject without the use of additional information kept separately.
  • B. Data that has been rendered anonymous in such a manner that the data subject is no longer identifiable.
  • C. Data that can no longer be attributed to a specific data subject, with no possibility of re-identifying the data.
  • D. Data that has been encrypted or is subject to other technical safeguards.

Answer: A


NEW QUESTION # 116
How is the retention of communications traffic data for law enforcement purposes addressed by European data protection law?

  • A. The Data Retention Directive's annulment makes such data retention now permissible.
  • B. The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal offences only.
  • C. The ePrivacy Directive harmonizes EU member states' rules concerning such data retention.
  • D. The ePrivacy Directive allows individual EU member states to engage in such data retention.

Answer: B


NEW QUESTION # 117
SCENARIO
Please use the following to answer the next question:
Jason, a long-time customer of ABC insurance, was involved in a minor car accident a few months ago.
Although no one was hurt, Jason has been plagued by texts and calls from a company called Erbium Insurance offering to help him recover compensation for personal injury. Jason has heard about insurance companies selling customers' data to third parties, and he's convinced that Erbium must have gotten his information from ABC.
Jason has also been receiving an increased amount of marketing information from ABC, trying to sell him their full range of insurance policies.
Perturbed by this, Jason has started looking at price comparison sites on the Internet and has been shocked to find that other insurers offer much cheaper rates than ABC, even though he has been a loyal customer for many years. When his ABC policy comes up for renewal, he decides to switch to Xentron Insurance.
In order to activate his new insurance policy, Jason needs to supply Xentron with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask ABC to transfer his information directly to Xentron. He also takes this opportunity to ask ABC to stop using his personal data for marketing purposes.
ABC supplies Jason with PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Jason it cannot transfer his data directly to Xentron as this is not technically feasible. ABC also explains that Jason's contract included a provision whereby Jason agreed that his data could be used for marketing purposes; according to ABC, it is too late for Jason to change his mind about this. It angers Jason when he recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Jason is still receiving unwanted calls from Erbium Insurance. He writes to Erbium to ask for the name of the organization that supplied his details to them. He warns Erbium that he plans to complain to the data protection authority because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.
Erbium's response letter confirms Jason's suspicions. Erbium is ABC's wholly owned subsidiary, and they received information about Jason's accident from ABC shortly after Jason submitted his accident claim.
Erbium assures Jason that there has been no breach of the GDPR, as Jason's contract included a provision in which he agreed to share his information with ABC's affiliates for business purposes.
Jason is disgusted by the way in which he has been treated by ABC, and writes to them insisting that all his information be erased from their computer system.
After Jason has exercised his right to restrict the use of his data, under what conditions would Erbium have grounds for refusing to comply?

  • A. If Erbium also uses the data to conduct public health research.
  • B. If Erbium is entitled to use of the data as an affiliate of ABC.
  • C. If the data becomes necessary to defend Erbium's legal rights.
  • D. If the accuracy of the data is not an aspect that Jason is disputing.

Answer: B


NEW QUESTION # 118
When does the European Data Protection Board (EDPB) recommend reevaluating whether a transfer tool is effectively providing a level of personal data protection that is in compliance with the European Union (EU) level?

  • A. Every year.
  • B. On an ongoing basis.
  • C. After a personal data breach.
  • D. Every three (3) years.

Answer: B

Explanation:
Reference https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf


NEW QUESTION # 119
SCENARIO
Please use the following to answer the next question:
Outliers Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Jonathan, suspects that this is partly due to the company's outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company ZenFiTech, hoping that they can design a new, cutting-edge website for Outliers Inc.'s foundering business.
During negotiations, a ZenFiTech representative describes a plan for gathering more customer information through detailed questionnaires, which could be used to tailor their preferences to specific travel destinations. Outliers Inc. can choose any number of data categories - age, income, ethnicity - that would help them best accomplish their goals. Jonathan loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the questionnaires will require customers to provide explicit consent to having their data collected. The ZenFiTech representative suggests that they also run a program to analyze the new website's traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the Outliers Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which ZenFiTech will analyze by means of a special program. Outliers Inc. would receive aggregate statistics to help them evaluate the website's effectiveness. Jonathan enthusiastically engages ZenFiTech for these services.
If Outliers Inc. decides not to report the incident to the supervisory authority, what would be their BEST defense?

  • A. The resulting obligation to notify data subjects would involve disproportionate effort.
  • B. The incident resulted from the actions of a third-party that were beyond their control.
  • C. The sensitivity of the categories of data involved in the incident was not substantial enough.
  • D. The destruction of the stolen data makes any risk to the affected data subjects unlikely.

Answer: B


NEW QUESTION # 120
Article 9 of the GDPR lists exceptions to the general prohibition against processing biometric data. Which of the following is NOT one of these exceptions?

  • A. The processing is necessary to protect the vital interests of the data subject when he or she is incapable of giving consent.
  • B. The processing is necessary for the establishment, exercise or defense of legal claims when courts are acting in a judicial capacity.
  • C. The processing is explicitly consented to by the data subject and he or she is allowed by Union or Member State law to lift the prohibition.
  • D. The processing is done by a non-profit organization and the results are disclosed outside the organization.

Answer: D

Explanation:
Article 9 of the GDPR prohibits the processing of special category data, which includes biometric data for the purpose of uniquely identifying a natural person [1]. However, there are 10 exceptions to this general prohibition, usually referred to as 'conditions for processing special category data' [2]. These are:
(a) Explicit consent
(b) Employment, social security and social protection (if authorised by law)
(c) Vital interests
(d) Not-for-profit bodies
(e) Made public by the data subject
(f) Legal claims and judicial acts
(g) Substantial public interest conditions
(h) Health or social care
(i) Public health
(j) Archiving, research and statistics
Option A is not one of these exceptions, and therefore it is not a valid reason to process biometric data under Article 9. Options B, C and D are all valid exceptions, as they correspond to conditions (c), (f) and (a) respectively. Therefore, the correct answer is A.
Reference:
4: Art. 9 GDPR Processing of special categories of personal data
6: What are the rules on special category data? | ICO


NEW QUESTION # 121
Which type of personal data does the GDPR define as a "special category" of personal data?

  • A. Trade-union membership.
  • B. Financial information.
  • C. Closed Circuit Television (CCTV) footage.
  • D. Educational history.

Answer: A

Explanation:
Reference https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/#:~:text=The%20GDPR%20defines%20special%20category%20data%20as%3A&text=personal%20data%20revealing%20trade%20union,used%20for%20identification%20purposes)%3B


NEW QUESTION # 122
Which of the following is NOT recognized as being a common characteristic of cloud-computing services?

  • A. The service's infrastructure is shared among the supplier's customers and can be located in a number of countries.
  • B. The supplier allows customer data to be transferred around the infrastructure according to capacity.
  • C. The supplier assumes the vendor's business risk associated with data processed by the supplier.
  • D. The supplier determines the location, security measures, and service standards applicable to the processing.

Answer: C


NEW QUESTION # 123
After leaving the EU under the terms of Brexit, the United Kingdom will seek an adequacy determination. What is the reason for this?

  • A. The Insurance Commissioner determined that an adequacy determination is required by the Data Protection Act.
  • B. The UK is less trustworthy now that it's not part of the Union.
  • C. Adequacy determinations automatically lapse when a Member State leaves the EU.
  • D. The UK is now a third country because it's no longer subject to the GDPR.

Answer: D

Explanation:
The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to such data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU [1]. Therefore, after leaving the EU under the terms of Brexit, the UK became a third country for the purposes of the GDPR, meaning that personal data transfers from the EU to the UK are subject to the rules on international data transfers under Chapter V of the GDPR [2]. In order to ensure the continuity and stability of data flows between the EU and the UK, the UK sought an adequacy decision from the European Commission, which is a formal recognition that a third country provides an equivalent level of data protection to that of the EU [3]. On 28 June 2021, the European Commission adopted two adequacy decisions in respect of the UK: one for transfers under the GDPR and the other for transfers under the Law Enforcement Directive (LED) [4]. These decisions allow personal data to flow freely from the EU to the UK without any further safeguard being necessary, and are expected to last until 27 June 2025, unless they are amended, suspended or repealed earlier [5].
Reference:
GDPR, Article 3
GDPR, Chapter V
Data protection adequacy for non-EU countries, section "Adequacy decisions"
UK government welcomes the European Commission's draft data adequacy decisions
Adequacy, section "What does the EU GDPR adequacy decision say?"


NEW QUESTION # 124
Which of the following Convention 108+ principles, as amended in 2018, is NOT consistent with a principle found in the GDPR?

  • A. The obligation of companies to declare data breaches.
  • B. The necessity of the bulk collection of personal data by the government.
  • C. The requirement to demonstrate compliance to a supervisory authority.

Answer: B

Explanation:
The Convention 108+ is the modernized version of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which was opened for signature on 10 October 2018 [1]. The Convention 108+ aims to reinforce the individuals' protection, strengthen the implementation of the Convention, and promote it as a universal standard for data protection [2]. The Convention 108+ reflects the same principles as those enshrined in the EU's General Data Protection Regulation (GDPR), which applies from 25 May 2018 [3]. Therefore, the Convention 108+ and the GDPR are largely consistent and coherent in their provisions and objectives.
However, one of the principles of the Convention 108+ that is not consistent with a principle found in the GDPR is the necessity of the bulk collection of personal data by the government. The Convention 108+ allows for the possibility of bulk collection of personal data by the government for national security purposes, subject to certain safeguards and oversight mechanisms. The GDPR, on the other hand, does not regulate the processing of personal data by the government for national security purposes, as this falls outside the scope of EU law. The GDPR also does not explicitly endorse the bulk collection of personal data by the government, but rather requires that any processing of personal data must be based on a legal basis, respect the principles of data protection, and ensure the rights and freedoms of data subjects. Therefore, the correct answer is C.
Reference:
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
Convention 108+ and the GDPR
General Data Protection Regulation
[Convention 108+: the consultative committee of the convention for the protection of individuals with regard to the processing of personal data (T-PD) publishes its guidelines on artificial intelligence and data protection]
[Article 3 GDPR - Territorial scope]
[Article 5 GDPR - Principles relating to processing of personal data]


NEW QUESTION # 125
Which GDPR principle would a Spanish employer most likely depend upon to annually send the personal data of its employees to the national tax authority?

  • A. The protection of the vital interest of the employees.
  • B. The consent of the employees.
  • C. The legitimate interest of the public administration.
  • D. The legal obligation of the employer.

Answer: D

Explanation:
According to Article 6 of the GDPR, the processing of personal data is only lawful if and to the extent that at least one of the following applies:
  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
In this case, the Spanish employer would most likely depend on the legal obligation of the employer as the lawful basis for sending the personal data of its employees to the national tax authority. This is because the employer is subject to the tax laws and regulations of Spain, which require the employer to report the income and deductions of its employees to the tax authority on an annual basis. The employer must comply with this legal obligation, and the processing of the employees' personal data is necessary for this purpose. The employer does not need to obtain the consent of the employees, as consent is not a valid basis for processing personal data where there is a clear imbalance between the data subject and the controller, such as in the context of employment. The employer also does not need to rely on the legitimate interest of the public administration, as this is not a specific purpose for which the employer is processing the personal data, but rather a general interest that may be served by the tax authority. The employer also does not need to invoke the protection of the vital interest of the employees, as this basis only applies in situations where the processing is necessary to protect someone's life, such as in a medical emergency. Reference: Article 6 GDPR - Lawfulness of processing - General Data Protection Regulation (GDPR), Lawful basis for processing | ICO, Legal obligation as a lawful basis for processing personal data under the GDPR, [Consent in the employment context | ICO], [Vital interests | ICO]


NEW QUESTION # 126
Which of the following is NOT considered a fair processing practice in relation to the transparency principle?

  • A. Providing a hyperlink to the organization's home page, in a hard copy application form.
  • B. Providing a multi-layered privacy notice, in a website environment.
  • C. Providing a QR code linking to more detailed privacy notice, in a CCTV sign.
  • D. Providing a "just-in-time" contextual pop-up privacy notice, in an online application form field.

Answer: A

Explanation:
According to the transparency principle, data controllers must provide clear and transparent information to data subjects about how their personal data is processed. This information must be easily accessible and easy to understand. Providing a hyperlink to the organization's home page, in a hard copy application form, is not considered a fair processing practice in relation to the transparency principle, because it does not directly inform the data subject about the specific purposes and legal basis of the processing, the data protection rights and obligations, and the contact details of the data controller and the data protection officer. This information should be provided in a concise, intelligible and easily accessible form, using clear and plain language, in a way that is appropriate to the means of communication. Providing a hyperlink to the organization's home page, in a hard copy application form, does not meet these criteria and may also be inaccessible to some data subjects who do not have internet access or are not familiar with the use of hyperlinks. Therefore, this option is not a fair processing practice in relation to the transparency principle.
Reference: https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guidance-for-the-use-of-personal-data-in-political-campaigning-1/lawful-fair-and-transparent-processing/


NEW QUESTION # 127
What permissions are required for a marketer to send an email marketing message to a consumer in the EU?

  • A. No prior permission required, but an opt-out requirement on all emails sent to consumers.
  • B. A pre-checked box stating that the consumer agrees to receive email marketing.
  • C. A notice that the consumer's email address will be used for marketing purposes.
  • D. A prior opt-in consent for consumers unless they are already customers.

Answer: D


NEW QUESTION # 128
SCENARIO
Please use the following to answer the next question:
Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club's U.K. brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club.
After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVERFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVERFIT through alternate channels, he decides to take action against the company.
Javier contacts the U.K. Information Commissioner's Office ('ICO' - the U.K.'s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e. the supervisory authority of EVERFIT's main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR.
The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision.
Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.
Under the cooperation mechanism, what should the lead authority (the CNIL) do after it has formed its view on the matter?

  • A. Submit a draft decision directly to the Commission to ensure the effectiveness of the consistency mechanism.
  • B. Request that members of the seconding supervisory authority and the host supervisory authority co-draft a decision.
  • C. Submit a draft decision to other supervisory authorities for their opinion.
  • D. Request that the other supervisory authorities provide the lead authority with a draft decision for its consideration.

Answer: D


NEW QUESTION # 129
If a company is planning to use closed-circuit television (CCTV) on its premises and is concerned with GDPR compliance, it should first do all of the following EXCEPT?

  • A. Perform a data protection impact assessment (DPIA).
  • B. Create an information retention policy for those who operate the system.
  • C. Notify the appropriate data protection authority.
  • D. Ensure that safeguards are in place to prevent unauthorized access to the footage.

Answer: C


NEW QUESTION # 130
Pursuant to Article 4(5) of the GDPR, data is considered "pseudonymized" if?

  • A. It cannot be attributed to a data subject without the use of additional information.
  • B. It can only be attributed to a person by a third party.
  • C. It cannot be attributed to a person under any circumstances.
  • D. It can only be attributed to a person by the controller.

Answer: A


NEW QUESTION # 131
Which of the following is NOT considered a fair processing practice in relation to the transparency principle?

  • A. Providing a multi-layered privacy notice, in a website environment.
  • B. Providing a hyperlink to the organization's home page, in a hard copy application form.
  • C. Providing a QR code linking to more detailed privacy notice, in a CCTV sign.
  • D. Providing a "just-in-time" contextual pop-up privacy notice, in an online application form field.

Answer: A


NEW QUESTION # 132
Which statement is correct when considering the right to privacy under Article 8 of the European Convention on Human Rights (ECHR)?

  • A. The right to privacy has to be balanced against other rights under the ECHR
  • B. The right to privacy is an absolute right
  • C. The right to privacy protects the right to hold opinions and to receive and impart ideas without interference
  • D. The right to freedom of expression under Article 10 of the ECHR will always override the right to privacy

Answer: A

Explanation:
Reference https://www.echr.coe.int/Documents/Guide_Art_8_ENG.pdf (15)


NEW QUESTION # 133
Which type of personal data does the GDPR define as a "special category" of personal data?

  • A. Trade-union membership.
  • B. Financial information.
  • C. Closed Circuit Television (CCTV) footage.
  • D. Educational history.

Answer: A


NEW QUESTION # 134
Read the following steps:
  • Discover which employees are accessing cloud services and from which devices and apps
  • Lock down the data in those apps and devices
  • Monitor and analyze the apps and devices for compliance
  • Manage application life cycles
  • Monitor data sharing
An organization should perform these steps to do which of the following?

  • A. Ensure cloud vendors are complying with internal data use policies.
  • B. Pursue a GDPR-compliant Privacy by Design process.
  • C. Institute a GDPR-compliant employee monitoring process.
  • D. Maintain a secure Bring Your Own Device (BYOD) program.

Answer: D

Explanation:
The steps listed in the question are part of a best practice framework for implementing a secure BYOD program, which allows employees to use their personal devices to access organizational data and applications. A BYOD program poses significant privacy and security risks, such as data leakage, unauthorized access, malware infection, and compliance violations. Therefore, an organization should follow a comprehensive approach to discover, monitor, manage, and secure the devices, apps, and data involved in a BYOD program. This approach can help the organization meet the GDPR requirements for data protection by design and by default, data security, accountability, and data breach notification. Reference:
Free CIPP/E Study Guide, page 15, section 2.3.3
CIPP/E Certification, page 10, section 1.1.2
Cipp-e Study guides, Class notes & Summaries, document "CIPP/E Exam Summary 2023", page 42, section 2.3.3


NEW QUESTION # 135
According to the E-Commerce Directive 2000/31/EC, where is the place of "establishment" for a company providing services via an Internet website confirmed by the GDPR?

  • A. Where the customer's Internet service provider is located
  • B. Where the decisions about processing are made
  • C. Where the website is accessed
  • D. Where the technology supporting the website is located

Answer: A

Explanation:
Reference https://www.ohiobar.org/member-tools-benefits/publications/Ohio-Lawyer/the-european-general-data-protection-regulation-gdpr/


NEW QUESTION # 136
......
