Login / Register   My Cart (0)

Searching the best new exam braindumps which can guarantee you 100% pass rate, you don't need to run about busily by, our latest pass guide materials will be here waiting for you. With our new exam braindumps, you will pass exam surely.

All Products Contact now
  • Home
  • Articles
  • 2021 Updated Verified CIPP-C dumps Q&As - Pass Guarantee or Full Refund [Q14-Q33]

2021 Updated Verified CIPP-C dumps Q&As - Pass Guarantee or Full Refund [Q14-Q33]

Share

2021 Updated Verified CIPP-C dumps Q&As - Pass Guarantee or Full Refund

CIPP-C PDF Questions and Testing Engine With 180 Questions

NEW QUESTION 14
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick's instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients' data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft's engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies' websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem's as well as EcoMick's latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem's products, she has never shopped EcoMick, nor provided her personal data to that company.
Which of the following BEST describes the relationship between Liem, EcoMick and JaphSoft?

  • A. JaphSoft is the sole processor because it processes personal data on behalf of its clients.
  • B. Liem and EcoMick are joint controllers because they carry out joint marketing activities.
  • C. Liem is a controller and EcoMick is a processor because Liem provides specific instructions regarding how the marketing campaigns should be rolled out.
  • D. EcoMick and JaphSoft are is a controller and Liem is a processor because EcoMick is sharing its marketing data with Liem for contacts in Europe.

Answer: D

 

NEW QUESTION 15
SCENARIO
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn't prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.
The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre- registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company's app, like storage and sharing of DNA information with other applications and medical providers. The company's contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers' attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn't include any technology or infrastructure; rather, it's simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob's laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.
If Who-R-U decides to track locations using its app, what must it do to comply with the GDPR?

  • A. Provide a transparent notice to users.
  • B. Anonymize the data and add latency so it avoids disclosing real time locations.
  • C. Get consent from the app users.
  • D. Obtain a court order because location data is a special category of personal data.

Answer: C

 

NEW QUESTION 16
A Spanish electricity customer calls her local supplier with Questions: about the company's upcoming merger.
Specifically, the customer wants to know the recipients to whom her personal data will be disclosed once the merger is final. According to Article 13 of the GDPR, what must the company do before providing the customer with the requested information?

  • A. Verify that the personal data has not already been sent to the customer.
  • B. Verify that the identity of the customer can be proven by other means.
  • C. Verify that the purpose of the request from the customer is in line with the GDPR.
  • D. Verify that the request is applicable to the data collected before the GDPR entered into force.

Answer: D

 

NEW QUESTION 17
SCENARIO
Please use the following to answer the next question:
Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B.
Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
* Name
* Address
* Date of Birth
* Payroll number
* National Insurance number
* Sick pay entitlement
* Maternity/paternity pay entitlement
* Holiday entitlement
* Pension and benefits contributions
* Trade union contributions
Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
Under the GDPR, which of Company B's actions would NOT be likely to trigger a potential enforcement action?

  • A. Their decision to operate without a data protection officer.
  • B. Their omission of data protection provisions in their contract with Company C.
  • C. Their failure to provide sufficient security safeguards to Company A's data.
  • D. Their engagement of Company C to improve their payroll service.

Answer: D

 

NEW QUESTION 18
In addition to the European Commission, who can adopt standard contractual clauses, assuming that all required conditions are met?

  • A. The Council of the European Union.
  • B. National data protection authorities.
  • C. The European Data Protection Supervisor.
  • D. Approved data controllers.

Answer: D

 

NEW QUESTION 19
SCENARIO
Please use the following to answer the next question:
Dynaroux Fashion ('Dynaroux') is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Ronan is their recently appointed data protection officer, who oversees the company's compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.
The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.
In an aggressive bid to build revenue growth, Jonas, the CEO, tells Ronan that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company's customers by analyzing their purchases. Ronan tells the CEO that: (a) the potential risks of such activities means that Dynaroux needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Dynaroux may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.
Jonas tells Ronan that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Dynaroux's business plan and associated processing activities.
Which of the following facts about Dynaroux would trigger a data protection impact assessment under the GDPR?

  • A. The company intends to shift their business model to rely more heavily on online shopping.
  • B. The company plans to undertake profiling of its customers through analysis of their purchasing patterns.
  • C. The company employs approximately 650 people and will therefore be carrying out extensive processing activities.
  • D. The company will be undertaking processing activities involving sensitive data categories such as financial and children's data.

Answer: B

 

NEW QUESTION 20
SCENARIO
Please use the following to answer the next question:
Brady is a computer programmer based in New Zealand who has been running his own business for two years.
Brady's business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady's company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.
Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box's chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.
Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.
Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box's home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box's Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.
Despite some customer complaints, Brady's business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles.
Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.
Under the General Data Protection Regulation (GDPR), what is the most likely reason Serge may have grounds to object to the use of his quotation?

  • A. Because of the juxtaposition of the quotation with others' quotations.
  • B. Because of the misapplication of the household exception in relation to a social networking service (SNS).
  • C. Because of the use of personal data outside of the social networking service (SNS).
  • D. Because of the misrepresentation of personal data as an endorsement.

Answer: B

 

NEW QUESTION 21
SCENARIO
WebTracker Limited is a cloud-based online marketing service located in London. Last year, WebTracker migrated its IT infrastructure to the cloud provider AmaZure, which provides SQL Databases and Artificial Intelligence services to WebTracker. The roles and responsibilities between the two companies have been formalized in a standard contract, which includes allocating the role of data controller to WebTracker.
The CEO of WebTracker, Mr. Bond, would like to assess the effectiveness of AmaZure's privacy controls, and he recently decided to hire you as an independent auditor. The scope of the engagement is limited only to the marketing services provided by WebTracker, you will not be evaluating any internal data processing activity, such as HR or Payroll.
This ad-hoc audit was triggered due to a future partnership between WebTracker and SmartHome - a partnership that will not require any data sharing. SmartHome is based in the USA, and most recently has dedicated substantial resources to developing smart refrigerators that can suggest the recommended daily calorie intake based on DNA information. This and other personal data is collected by WebTracker.
To get an idea of the scope of work involved, you have decided to start reviewing the company's documentation and interviewing key staff to understand potential privacy risks.
The results of this initial work include the following notes:
* There are several typos in the current privacy notice of WebTracker, and you were not able to find the privacy notice for SmartHome.
* You were unable to identify all the sub-processors working for SmartHome. No subcontractor is indicated in the cloud agreement with AmaZure, which is responsible for the support and maintenance of the cloud infrastructure.
* There are data flows representing personal data being collected from the internal employees of WebTracker, including an interface from the HR system.
* Part of the DNA data collected by WebTracker was from employees, as this was a prototype approved by the CEO of WebTracker.
* All the WebTracker and SmartHome customers are based in USA and Canada.
Which of the following issues is most likely to require an investigation by the Chief Privacy Officer (CPO) of WebTracker?

  • A. Employees' personal data are being stored in a cloud HR system, as approved by the HR Manager.
  • B. File Integrity Monitoring is being deployed in SQL servers, as indicated by the IT Architect Manager.
  • C. AmaZure sends newsletter to WebTracker customers, as approved by the Marketing Manager.
  • D. Data flows use encryption for data at rest, as defined by the IT manager.

Answer: C

 

NEW QUESTION 22
What is the MAIN reason GDPR Article 4(22) establishes the concept of the "concerned supervisory authority"?

  • A. To ensure that the interests of individuals residing outside the lead authority's jurisdiction are represented.
  • B. To encourage the consistency of local data processing activity.
  • C. To give corporations a choice about who their supervisory authority will be.
  • D. To ensure the GDPR covers controllers that do not have an establishment in the EU but have a representative in a member state.

Answer: B

 

NEW QUESTION 23
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick's instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients' data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft's engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies' websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem's as well as EcoMick's latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem's products, she has never shopped EcoMick, nor provided her personal data to that company.
Why would the consent provided by Ms. Iman NOT be considered valid in regard to JaphSoft?

  • A. She was not told which controller would be processing her personal data.
  • B. She did not read the privacy notice stating that her personal data would be shared.
  • C. She only viewed the visual representations of the privacy notice Liem provided.
  • D. She has never made any purchases from JaphSoft and has no relationship with the company.

Answer: B

 

NEW QUESTION 24
Many businesses print their employees' photographs on building passes, so that employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GDPR. Why would such practice be permitted?

  • A. Because use of biometric data to confirm the unique identification of data subjects benefits from an exemption.
  • B. Because employees are deemed to have given their explicit consent when they agree to be photographed by their employer.
  • C. Because photographs qualify as biometric data only when they undergo a "specific technical processing".
  • D. Because photographic ID is a physical security measure which is "necessary for reasons of substantial public interest".

Answer: C

Explanation:
Explanation
Reference https://ess.csa.canon.com/rs/206-CLL-191/images/IAPP-Top-10-Operational-Impacts-of- GDPR.pdf?TC=DM&CN=CSA_OMNIA_Partners&CS=CSA&CR=T1_Gov%20GenNonProfit (11)

 

NEW QUESTION 25
With the issue of consent, the GDPR allows member states some choice regarding what?

  • A. The circumstances in which silence or inactivity may constitute consent
  • B. The timeframe in which data subjects are allowed to withdraw their consent
  • C. The age at which children must be required to obtain parental consent
  • D. The mechanisms through which consent may be communicated

Answer: C

 

NEW QUESTION 26
WP29's "Guidelines on Personal data breach notification under Regulation 2016/679'' provides examples of ways to communicate data breaches transparently. Which of the following was listed as a method that would NOT be effective for communicating a breach to data subjects?

  • A. A notice on a corporate blog
  • B. A postal notification
  • C. A direct electronic message
  • D. A prominent advertisement in print media

Answer: A

 

NEW QUESTION 27
What term BEST describes the European model for data protection?

  • A. Sectoral
  • B. Comprehensive
  • C. Market-based
  • D. Self-regulatory

Answer: A

 

NEW QUESTION 28
Which of the following is an example of direct marketing that would be subject to European data protection laws?

  • A. A charity fundraising event notice sent to an individual at her business address.
  • B. An updated privacy notice sent to an individual's personal email address.
  • C. A service outage notification provided to an individual by recorded telephone message.
  • D. A revision of contract terms conveyed to an individual by SMS from a marketing organization.

Answer: A

 

NEW QUESTION 29
Which statement is correct when considering the right to privacy under Section 7 of the Canadian Charter of Rights and Freedoms?

  • A. The right to privacy protects the right to hold opinions and to receive and impart ideas without interference
  • B. The right to privacy is an absolute right
  • C. The right to freedom of expression under section 10 will always override the right to privacy
  • D. The Supreme Court of Canada has stated that the Privacy Act has "quasi-constitutional status", and that the values and rights set out in the Act are closely linked to those set out in the Constitution as being necessary to a free and democratic society.

Answer: D

Explanation:
Explanation
https://www.priv.gc.ca/en/about-the-opc/publications/guide_ind/

 

NEW QUESTION 30
SCENARIO
Looking back at your first two years as the Director of Personal Information Protection and Compliance for the Berry Country Regional Medical Center in Thorn Bay, Ontario, Canada, you see a parade of accomplishments, from developing state-of-the-art simulation based training for employees on privacy protection to establishing an interactive medical records system that is accessible by patients as well as by the medical personnel. Now, however, a question you have put off looms large: how do we manage all the data-not only records produced recently, but those still on hand from years ago? A data flow diagram generated last year shows multiple servers, databases, and work stations, many of which hold files that have not yet been incorporated into the new records system. While most of this data is encrypted, its persistence may pose security and compliance concerns. The situation is further complicated by several long-term studies being conducted by the medical staff using patient information. Having recently reviewed the major Canadian privacy regulations, you want to make certain that the medical center is observing them.
You also recall a recent visit to the Records Storage Section, often termed "The Dungeon" in the basement of the old hospital next to the modern facility, where you noticed a multitude of paper records. Some of these were in crates marked by years, medical condition or alphabetically by patient name, while others were in undifferentiated bundles on shelves and on the floor. The back shelves of the section housed data tapes and old hard drives that were often unlabeled but appeared to be years old. On your way out of the dungeon, you noticed just ahead of you a small man in a lab coat who you did not recognize. He carried a batch of folders under his arm, apparently records he had removed from storage.
Which cryptographic standard would be most appropriate for protecting patient credit card information in the records system?

  • A. Obfuscation
  • B. Symmetric Encryption
  • C. Hashing
  • D. Asymmetric Encryption

Answer: D

 

NEW QUESTION 31
Under Article 30 of the GDPR, controllers are required to keep records of all of the following EXCEPT?

  • A. Retention periods for erasure and deletion of categories of personal data.
  • B. Incidents of personal data breaches, whether disclosed or not.
  • C. Data inventory or data mapping exercises that have been conducted.
  • D. Categories of recipients to whom the personal data have been disclosed.

Answer: A

 

NEW QUESTION 32
A law enforcement subpoenas the ACME telecommunications company for access to text message records of a person suspected of planning a terrorist attack. The company had previously encrypted its text message records so that only the suspect could access this data.
What law did ACME violate by designing the service to prevent access to the information by a law enforcement agency?

  • A. SCA
  • B. USA Freedom Act
  • C. CALEA
  • D. ECPA

Answer: C

 

NEW QUESTION 33
......

Exam Engine for CIPP-C Exam Free Demo & 365 Day Updates: https://passguide.dumpexams.com/CIPP-C-vce-torrent.html

Related Articles

more
IAPP CIPP-C Certification Practice Exam

Searching the best new exam braindumps which can guarantee you 100% pass rate, you don't need to run about busily by, our latest pass guide materials will be here waiting for you. With our new exam braindumps, you will pass exam surely.

Latest Dumps Exams

Useful Links

Contact Us

Our Working Time: ( GMT 0:00-15:00 )
From Monday to Saturday

Support: Contact now 

If you have any question please leave me your email address, we will reply and send email to you in 12 hours.

Copyright © 2026 Dumpexams NETWORK CO.,LIMITED. All Rights Reserved. All trademarks used are properties of their respective owners. Privacy Policy