Free Access to IAPP.CIPP-E.v2024-03-24.q264 with Valid Practice Test (Page 10)

Question 42

Article 29 Working Party has emphasized that the GDPR forbids "forum shopping", which occurs when companies do what?

A.Choose the data protection officer that is most sympathetic to their business concerns.
B.Designate their main establishment in member state with the most flexible practices.
C.File appeals of infringement judgments with more than one EU institution simultaneously.
D.Select third-party processors on the basis of cost rather than quality of privacy protection.

Correct Answer: B

The GDPR aims to harmonize the data protection rules across the EU and to ensure consistent and effective enforcement of those rules. However, the GDPR also recognizes that there may be some differences in the interpretation and application of the law among the member states, depending on their national legislation, culture and practices. Therefore, the GDPR introduces the concept of the "main establishment" of a controller or processor, which is the place where the decisions on the purposes and means of the processing of personal data are taken in the EU1. The main establishment determines which national supervisory authority will act as the lead authority for the cross-border processing activities of that controller or processor, and which national law will apply in case of a dispute or a complaint2. The Article 29 Working Party, which is an advisory body composed of representatives of the national supervisory authorities, the European Data Protection Supervisor and the European Commission, has issued guidelines on how to identify the main establishment of a controller or processor under the GDPR3. The guidelines emphasize that the main establishment must reflect the reality of the processing activities and the effective and real exercise of management power over those activities. The guidelines also warn against the practice of "forum shopping", which occurs when a controller or processor designates its main establishment in a member state with the most flexible or lenient data protection regime, regardless of the actual location of the decision-making or the data processing. The guidelines state that such a practice is forbidden under the GDPR, and that the supervisory authorities will closely monitor and verify the criteria used by the controllers or processors to determine their main establishment. If the supervisory authorities find that the main establishment does not correspond to the factual situation, they may challenge the designation and apply the relevant corrective measures4. Reference: 1 Art. 4 (16) GDPR - Definitions - General Data Protection Regulation (GDPR)2 Art. 56-58 GDPR - Cooperation and consistency - General Data Protection Regulation (GDPR)3 Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - European Data Protection Board4 Ibid, p. 14-15.

Question 43

A company plans to transfer employee health information between two of its entities in France. To maintain the security of the processing, what would be the most important security measure to apply to the health data transmission?

A.Inform the data subject of the security measures in place.
B.Ensure that the receiving entity has signed a data processing agreement.
C.Encrypt the transferred data in transit and at rest.
D.Conduct a data protection impact assessment.

Question 44

SCENARIO
Please use the following to answer the next question:
Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in Greece (5), Italy (15) and Spain (1), have registered their most profitable results ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based in ARRA's main Italian establishment, has organized a team event for its 420 employees and their families at its hotel in Spain.
Upon arrival at the hotel, each employee and family member is given an electronic wristband at the reception desk. The wristband serves a number of functions:
. Allows access to the "party zone" of the hotel, and emits a buzz if the user approaches any unauthorized areas
. Allows up to three free drinks for each person of legal age, and emits a buzz once this limit has been reached
. Grants a unique ID number for participating in the games and contests that have been planned.
Along with the wristband, each guest receives a QR code that leads to the online privacy notice describing the use of the wristband. The page also contains an unchecked consent checkbox. In the case of employee family members under the age of 16, consent must be given by a parent.
Among the various activities planned for the event, ARRA Hotels' HR office has autonomously set up a photocall area, separate from the main event venue, where employees can come and have their pictures taken in traditional carnival costume.
The photos will be posted on ARRA Hotels' main website for general marketing purposes.
On the night of the event, an employee from one of ARRA's Greek hotels is displeased with the results of the photos in which he appears. He intends to file a complaint with the relevant supervisory authority in regard to the following:
. The lack of any privacy notice in the separate photocall area
The unlawful cross-border processing of his personal data
. The unacceptable aesthetic outcome of his photos
Assuming that there is a cross-border processing of personal data, which of the following criteria would NOT be useful to the lead supervisory authority responsible for the Greek employee's complaint when trying to determine the location of the controller's main establishment?

A.Where the processor is registered as a company.
B.Where the controller is registered as a company.
C.Where the director with responsibility for processing activities is located.
D.Where decisions about the processing activities are made.

Question 45

Pursuant to Article 17 and EDPB Guidelines S'2019 on RTBF criteria in search engines cases, all of the following would be valid grounds for data subject delisting requests EXCEPT?

A.The personal data is no longer necessary in relation to the search engine provider's processing
B.The processing s necessary for exercising the right of freedom of expression and information
C.The data subject withdraws consent and there is no other legal basis for the processing.
D.The personal dale has been collected in relation to the offer of Information society services (ISS) to a child.

Question 46

When is data sharing agreement MOST likely to be needed?

A.When anonymized data is being shared.
B.When personal data is being shared between commercial organizations acting as joint data controllers.
C.When personal data is being proactively shared by a controller to support a police investigation.
D.When personal data is being shared with a public authority with powers to require the personal data to be disclosed.

Correct Answer: B

A data sharing agreement is a contract that documents what data is being shared and how it can be used. It can be used to make data sharing lawful and to demonstrate compliance with the accountability principle under the GDPR. A data sharing agreement is most likely to be needed when personal data is being shared between commercial organizations acting as joint data controllers, because they have to determine and agree on their respective roles and responsibilities, such as the purpose and legal basis of the data sharing, the rights of the data subjects, the security measures, and the liability for any breaches. A data sharing agreement is not mandatory, but it is good practice and can help to avoid disputes and confusion. A data sharing agreement may not be needed or may be less detailed in the other scenarios, depending on the circumstances and the nature of the data. For example, anonymized data is not personal data under the GDPR and does not require a data sharing agreement, although it may still be subject to other contractual or ethical obligations. Personal data that is proactively shared by a controller to support a police investigation may be covered by a legal obligation or a public interest, and the controller may not have much control over how the data is used by the police. Personal data that is shared with a public authority with powers to require the personal data to be disclosed may also be subject to a legal obligation or a public interest, and the controller may have to comply with the authority's request without a data sharing agreement. Reference:
Data sharing agreements | ICO, which provides guidance on the benefits and contents of a data sharing agreement.
Data Sharing Agreement - the Definition - GDPR Summary, which explains what a data sharing agreement is and when it can be used.
The role of data sharing and the GDPR | Data Republic, which discusses the impact of the GDPR on data sharing practices.

Question 42

Question 43

Question 44

Question 45

Question 46

Download PDF File