Free Access to IAPP.CIPP-E.v2024-03-24.q264 with Valid Practice Test (Page 14)

Question 62

Read the following steps:
Discover which employees are accessing cloud services and from which devices and apps Lock down the data in those apps and devices Monitor and analyze the apps and devices for compliance Manage application life cycles Monitor data sharing An organization should perform these steps to do which of the following?

A.Pursue a GDPR-compliant Privacy by Design process.
B.Maintain a secure Bring Your Own Device (BYOD) program.
C.Institute a GDPR-compliant employee monitoring process.
D.Ensure cloud vendors are complying with internal data use policies.

Question 63

Pursuant to Article 4(5) of the GDPR, data is considered "pseudonymized" if?

A.It cannot be attributed to a data subject without the use of additional information.
B.It cannot be attributed to a person under any circumstances.
C.It can only be attributed to a person by the controller.
D.It can only be attributed to a person by a third party.

Question 64

SCENARIO
Please use the following to answer the next question:
Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in Greece (5), Italy (15) and Spain (1), have registered their most profitable results ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based in ARRA's main Italian establishment, has organized a team event for its 420 employees and their families at its hotel in Spain.
Upon arrival at the hotel, each employee and family member is given an electronic wristband at the reception desk. The wristband serves a number of functions:
. Allows access to the "party zone" of the hotel, and emits a buzz if the user approaches any unauthorized areas
. Allows up to three free drinks for each person of legal age, and emits a buzz once this limit has been reached
. Grants a unique ID number for participating in the games and contests that have been planned.
Along with the wristband, each guest receives a QR code that leads to the online privacy notice describing the use of the wristband. The page also contains an unchecked consent checkbox. In the case of employee family members under the age of 16, consent must be given by a parent.
Among the various activities planned for the event, ARRA Hotels' HR office has autonomously set up a photocall area, separate from the main event venue, where employees can come and have their pictures taken in traditional carnival costume.
The photos will be posted on ARRA Hotels' main website for general marketing purposes.
On the night of the event, an employee from one of ARRA's Greek hotels is displeased with the results of the photos in which he appears. He intends to file a complaint with the relevant supervisory authority in regard to the following:
. The lack of any privacy notice in the separate photocall area
The unlawful cross-border processing of his personal data
. The unacceptable aesthetic outcome of his photos
Why would consent NOT be considered an adequate legal basis for accessing the party zone?

A.The consent is not completely unambiguous.
B.The consent is not sufficiently informed.
C.The consent is not freely given.
D.The consent is not in writing.

Question 65

The Planet 49 CJEU Judgement applies to?

A.Cookies used only by third parties.
B.Cookies that are deemed technically necessary.
C.Cookies regardless of whether the data accessed is personal or not.
D.Cookies where the data accessed is considered as personal data only.

Correct Answer: C

Reference:
The Planet 49 CJEU Judgement applies to cookies regardless of whether the data accessed is personal or not. The Court of Justice of the European Union (the 'CJEU') delivered this judgement on 1 October 2019, in response to a request for a preliminary ruling from the German Federal Court of Justice (the 'Bundesgerichtshof') . The case concerned the validity of consent for the use of cookies and similar technologies under the e-Privacy Directive and the GDPR.
The CJEU ruled that Article 5 (3) of the e-Privacy Directive, which requires consent for the storage of, or access to, information stored in the user's terminal equipment, applies to any information installed or accessed from an individual's device, regardless of whether it constitutes personal data or not. The Court reasoned that the aim of the provision is to protect the user from interference with his or her private sphere, which may occur irrespective of the nature of the information stored or accessed. Therefore, the consent requirement applies to all cookies and similar technologies, except for those that are strictly necessary for the provision of a service explicitly requested by the user.
The CJEU also clarified that the consent required for cookies under the e-Privacy Directive must comply with the standard of consent under the GDPR, which means that it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. The Court held that a pre-ticked checkbox does not constitute valid consent, as it does not imply active behaviour by the user. The Court also stated that the user must be provided with clear and comprehensive information about the cookies, including their duration and whether third parties will have access to them. Reference:
Planet 49 Judgment - takeaways for Cookie Monsters
The Planet 49 decision: Implications for organisations that use cookies CURIA - List of results

Question 66

What is true if an employee makes an access request to his employer for any personal data held about him?

A.The employer can automatically decline the request if it contains personal data about a third person.
B.The employer can decline the request if the information is only held electronically.
C.The employer must supply all the information held about the employee.
D.The employer must supply any information held about an employee unless an exemption applies.

Question 62

Question 63

Question 64

Question 65

Question 66

Download PDF File