
[2021] Use Valid Exam CIPP-C by Test4Sure Books For Free Website
NEW QUESTION 24
A company in France suffers a robbery over the weekend owing to a faulty alarm system. When it is determined that the break-in involves the loss of a substantial amount of data, the company decides on a CCTV system to monitor for future incidents. Company technicians install cameras in the entrance of the building, hallways and offices. Footage is recorded continuously, and is monitored by the home office in the United States. What is the most realistic step the company could take to address their security concerns and comply with the personal data processing principles set out in Article 5 of the GDPR?
- A. Seek informed consent from company employees.
- B. Have cameras recording during work hours only.
- C. Restrict camera placement to building entrances only.
- D. Retain captured footage for no more than 30 days.
Answer: A
NEW QUESTION 25
SCENARIO
Please use the following to answer the next question:
The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron's marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task.
At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron's legal department.
Registration Form
Vigotron's new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.) Vigotron values your privacy. The M-Health app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron's cloud provider, Stratculous. (Read more about Stratculous here.) Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer's name, email address or any other information gathered from the app to any third-party without a customer's consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer's legal rights or protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)
* First name:
* Surname:
* Year of birth:
* Email:
* Physical Address (optional*):
* Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to [email protected] or send a letter with your request to the address listed at the bottom of this page.
Terms and Conditions
1. Jurisdiction. [...]
2. Applicable law. [...]
3. Limitation of liability. [...]
Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.
Emily sends the draft to Sam for review. Which of the following is Sam most likely to point out as the biggest problem with Emily's consent provision?
- A. Processing health data requires explicit consent, but the form does not ask for explicit consent.
- B. The provision of the fitness app should be made conditional on the consent to the data processing for direct marketing.
- C. It is not legal to include fields requiring information regarding health status without consent.
- D. Direct marketing requires explicit consent, whereas the registration form only provides for a right to object.
Answer: D
NEW QUESTION 26
SCENARIO
Please use the following to answer the next question:
Edufox has hosted an annual convention of users of its famous e-learning software platform, and over time, it has become a grand event. It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centerpiece of the company's product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family.
This year's conference is only three weeks away, and you have just heard news of a new initiative supporting it: a smartphone app for attendees. The app will support late registration, highlight the featured presentations and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. "It's going to be great," the developer, Deidre Hoffman, tells you, "if, that is, we actually get it working!" She laughs nervously but explains that because of the tight time frame she'd been given to build the app, she outsourced the job to a local firm. "It's just three young people," she says, "but they do great work." She describes some of the other apps they have built. When asked how they were selected for this job, Deidre shrugs. "They do good work, so I chose them." Deidre is a terrific employee with a strong track record. That's why she's been charged to deliver this rushed project. You're sure she has the best interests of the company at heart, and you don't doubt that she's under pressure to meet a deadline that cannot be pushed back. However, you have concerns about the app's handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her about it, but she quickly tries to reassure you, "I'm sure with your help we can fix any security issues if we have to, but I doubt there'll be any. These people build apps for a living, and they know what they're doing. You worry too much, but that's why you're so good at your job!" You want to point out that normal protocols have not been followed in this matter. Which process in particular has been neglected?
- A. Forensic inquiry
- B. Data mapping
- C. Privacy breach prevention
- D. Vendor due diligence or vetting
Answer: D
NEW QUESTION 27
Under the GDPR, where personal data is not obtained directly from the data subject, a controller is exempt from directly providing information about processing to the data subject if?
- A. Third-party data would be disclosed by providing such information to the data subject
- B. The provision of such information to the data subject would be too problematic
- C. The data subject already has information regarding how his data will be used
- D. The processing of the data subject's data is protected by appropriate technical measures
Answer: C
NEW QUESTION 28
What are the obligations of a processor that engages a sub-processor?
- A. The processor must give the controller prior written notice and perform a preliminary audit of the sub-processor.
- B. The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.
- C. The processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor.
- D. The processor must obtain the controller's specific written authorization and provide annual reports on the sub-processor's performance.
Answer: B
NEW QUESTION 29
SCENARIO
Please use the following to answer the next question:
Brady is a computer programmer based in New Zealand who has been running his own business for two years.
Brady's business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady's company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.
Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box's chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.
Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third-party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated. Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.
Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box's home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box's Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.
Despite some customer complaints, Brady's business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles.
Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.
Under the General Data Protection Regulation (GDPR), what is the most likely reason Serge may have grounds to object to the use of his quotation?
- A. Because of the juxtaposition of the quotation with others' quotations.
- B. Because of the misapplication of the household exception in relation to a social networking service (SNS).
- C. Because of the use of personal data outside of the social networking service (SNS).
- D. Because of the misrepresentation of personal data as an endorsement.
Answer: B
NEW QUESTION 30
What is the key difference between the European Council and the Council of the European Union?
- A. The European Council is comprised of the heads of each EU member state.
- B. The Council of the European Union is helmed by a president.
- C. The Council of the European Union has a degree of legislative power.
- D. The European Council focuses primarily on issues involving human rights.
Answer: A
NEW QUESTION 31
What is the MAIN reason GDPR Article 4(22) establishes the concept of the "concerned supervisory authority"?
- A. To ensure that the interests of individuals residing outside the lead authority's jurisdiction are represented.
- B. To encourage the consistency of local data processing activity.
- C. To give corporations a choice about who their supervisory authority will be.
- D. To ensure the GDPR covers controllers that do not have an establishment in the EU but have a representative in a member state.
Answer: B
NEW QUESTION 32
What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?
- A. The controller will be liable to pay an administrative fine
- B. The processor will be considered to be a controller in respect of the processing concerned
- C. The processor will be liable to pay compensation to affected data subjects
- D. The controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved
Answer: C
NEW QUESTION 33
SCENARIO
Please use the following to answer the next question:
T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies.
T-Craze also opened various office locations throughout Europe to help expand its business. While Germany continued to host T-Craze's headquarters and main product-design office, its French affiliate became responsible for all marketing and sales activities. The French affiliate recently procured the services of Right Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T-Craze, though with much less success.
The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from Right Target on behalf of T-Craze.
Which of the following is T-Craze's lead supervisory authority?
- A. France, because that is where T-Craze conducts processing of personal information.
- B. Spain, because that is T-Craze's primary market based on its marketing campaigns.
- C. Germany, because that is where T-Craze is headquartered.
- D. T-Craze may choose its lead supervisory authority where any of its affiliates are based, because it has presence in several European countries.
Answer: B
NEW QUESTION 34
SCENARIO
Please use the following to answer the next question:
Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company for ten years and has always been concerned about protecting customers' privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.
Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her develop one.
After an initial assessment, Janice created a first draft of a new policy. Cheryl read through the draft and was concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a customer's personal information can only be held for one year after paying for a service such as a session with a personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the customer. The wording of these rules worries Cheryl since stored personal information often helps her company to serve her customers, even if there are long pauses between their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors to organize their classes.
Janice understood Cheryl's concerns and was already formulating some ideas for revision. She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity. However, Cheryl was skeptical. It seemed that classifying data and treating each type differently would cause undue difficulties in the company's day-to-day operations. Cheryl wants one simple data storage and access system that any employee can access if needed.
Even though the privacy policy was only a draft, she was beginning to see that changes within her company were going to be necessary. She told Janice that she would be more comfortable with implementing the new policy gradually over a period of several months, one department at a time. She was also interested in a layered approach by creating documents listing applicable parts of the new policy for each department.
What is the main problem with Cheryl's suggested method of communicating the new privacy policy?
- A. The policy might not be implemented consistently across departments.
- B. Employees would not be comfortable with a policy that is put into action over time.
- C. The policy would not be considered valid if not communicated in full.
- D. Employees might not understand how the documents relate to the policy as a whole.
Answer: A
NEW QUESTION 35
How is the retention of communications traffic data for law enforcement purposes addressed by Canadian data protection law?
- A. The Data Retention Directive's annulment makes such data retention now permissible.
- B. The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal offences only.
- C. The ePrivacy Directive allows individual to engage in such data retention.
- D. The ePrivacy Directive harmonizes rules concerning such data retention.
Answer: B
NEW QUESTION 36
Which of the following is NOT recognized as being a common characteristic of cloud-computing services?
- A. The supplier allows customer data to be transferred around the infrastructure according to capacity.
- B. The supplier determines the location, security measures, and service standards applicable to the processing.
- C. The service's infrastructure is shared among the supplier's customers and can be located in a number of countries.
- D. The supplier assumes the vendor's business risk associated with data processed by the supplier.
Answer: D
NEW QUESTION 37
Which statement is correct when considering the right to privacy under Section 7 of the Canadian Charter of Rights and Freedoms?
- A. The right to privacy protects the right to hold opinions and to receive and impart ideas without interference
- B. The right to privacy is an absolute right
- C. The right to freedom of expression under section 10 will always override the right to privacy
- D. The Supreme Court of Canada has stated that the Privacy Act has "quasi-constitutional status", and that the values and rights set out in the Act are closely linked to those set out in the Constitution as being necessary to a free and democratic society.
Answer: D
Explanation:
https://www.priv.gc.ca/en/about-the-opc/publications/guide_ind/
NEW QUESTION 38
What should a controller do after a data subject opts out of a direct marketing activity?
- A. Without exception, securely delete all personal data relating to the data subject.
- B. Take reasonable steps to inform third-party recipients that the data subject's personal data should be deleted and no longer processed.
- C. Without undue delay, provide information to the data subject on the action that will be taken.
- D. Refrain from processing personal data relating to the data subject for the relevant type of communication.
Answer: D
NEW QUESTION 39
A mobile device application that uses cookies will be subject to the consent requirement of which of the following?
- A. The Data Retention Directive
- B. The E-Commerce Directive
- C. The EU Cybersecurity Directive
- D. The ePrivacy Directive
Answer: D
NEW QUESTION 40
What must be included in a written agreement between the controller and processor in relation to processing conducted on the controller's behalf?
- A. An obligation on the processor to report any personal data breach to the controller within 72 hours.
- B. An obligation on both parties to report any serious personal data breach to the supervisory authority.
- C. An obligation on both parties to agree to a termination of the agreement if the other party is responsible for a personal data breach.
- D. An obligation on the processor to assist the controller in complying with the controller's obligations to notify the supervisory authority about personal data breaches.
Answer: B
NEW QUESTION 41
A Spanish electricity customer calls her local supplier with questions about the company's upcoming merger. Specifically, the customer wants to know the recipients to whom her personal data will be disclosed once the merger is final. According to Article 13 of the GDPR, what must the company do before providing the customer with the requested information?
- A. Verify that the personal data has not already been sent to the customer.
- B. Verify that the identity of the customer can be proven by other means.
- C. Verify that the purpose of the request from the customer is in line with the GDPR.
- D. Verify that the request is applicable to the data collected before the GDPR entered into force.
Answer: D
NEW QUESTION 42
Which of the following demonstrates compliance with the accountability principle found in Article 5, Section 2 of the GDPR?
- A. Anonymizing special categories of data.
- B. Getting consent from the data subject for a cross border data transfer.
- C. Encrypting data in transit and at rest using strong encryption algorithms.
- D. Conducting regular audits of the data protection program.
Answer: D
NEW QUESTION 43
Which is TRUE about the scope and authority of data protection oversight authorities?
- A. The Office of the Privacy Commissioner (OPC) of Canada has the right to impose financial sanctions on violators
- B. All authority in the European Union rests with the Data Protection Commission (DPC)
- C. No one agency officially oversees the enforcement of privacy regulations in the United States
- D. The Asia-Pacific Economic Cooperation (APEC) Privacy Frameworks require all member nations to designate a national data protection authority
Answer: A
NEW QUESTION 44
According to the GDPR, what is the main task of a Data Protection Officer (DPO)?
- A. To create procedures for notification of personal data breaches to competent supervisory authorities.
- B. To create and maintain records of processing activities.
- C. To conduct Privacy Impact Assessments on behalf of the controller or processor.
- D. To monitor compliance with other local or European data protection provisions.
Answer: C