Free Access to IAPP.CIPP-E.v2024-03-24.q264 with Valid Practice Test (Page 20)

Question 92

SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children's Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a QUESTION, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though that the toy is actually responding to the child's QUESTION. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.
To ensure GDPR compliance, what should be the company's position on the issue of consent?

A.The child, as the user of the action figure, can provide consent himself, as long as no information is shared for marketing purposes.
B.Written authorization attesting to the responsible use of children's data would need to be obtained from the supervisory authority.
C.Consent for data collection is implied through the parent's purchase of the action figure for the child.
D.Parental consent for a child's use of the action figures would have to be obtained before any data could be collected.

Correct Answer: D

According to Article 8 of the GDPR, where the processing of personal data is based on consent and the offer of an information society service (ISS) is directly made to a child, the processing is lawful only if the child is at least 16 years old, or if the consent is given or authorised by the holder of parental responsibility over the child. The GDPR allows EU member states to lower the age threshold to a minimum of 13 years. The data controller must make reasonable efforts to verify that the consent is given or authorised by the holder of parental responsibility, taking into account available technology. An ISS is any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. Examples of ISS include online marketplaces, social media platforms, and online games.
In this scenario, the company is offering an ISS to children, as the connected toys can talk and interact with children via the internet. The company is also processing personal data of the children, such as their voice, questions, preferences, and location. Therefore, the company must obtain parental consent for the use of the action figures before any data can be collected, unless the child is above the age threshold set by the relevant EU member state. The company must also inform the parents and the children about the nature and purpose of the data processing, the data transfers to South Africa, and the rights of the data subjects. The company must also ensure that the data processing is fair, lawful, transparent, and in accordance with the data protection principles and the children's best interests.
The other options are incorrect because:
A) The child cannot provide consent himself, regardless of the purpose of the data processing, unless he is above the age threshold set by the relevant EU member state. The GDPR does not make any distinction between data processing for marketing or non-marketing purposes when it comes to children's consent.
B) The company does not need to obtain written authorization from the supervisory authority to process children's data, as long as it complies with the GDPR requirements and obtains parental consent. The supervisory authority is the independent public authority responsible for monitoring the application of the GDPR in each EU member state, and it can intervene only in cases of non-compliance or complaints.
C) Consent for data collection cannot be implied through the parent's purchase of the action figure for the child. The GDPR requires that consent must be freely given, specific, informed, and unambiguous, and that it must be expressed by a clear affirmative action. The purchase of a product does not meet these criteria, and it does not indicate the parent's agreement to the data processing. Moreover, the packaging of the toy does not provide sufficient information about the data processing, nor does it mention that an internet connection is required.

Question 93

Which of the following is an accurate statement regarding the "one-stop-shop" mechanism of the GDPR?

A.It allows supervisory authorities concerned (other than the lead supervisory authority) to act against organizations m exceptional cases even if they do not have any type of establishment in the Member State of the respective authority.
B.It gives competence to the lead supervisory authority to address privacy issues derived from processes carried out by public authorities established in different countries.
C.It applies only to direct enforcement of data protection supervisory authorities (e.g.. finding a breach), but not to initiating or engaging m court proceedings
D.It can result in several lead supervisory authorities in the EU assuming competence over the same data processing activities of an organization.

Question 94

An entity's website stores text files on EU users' computer and mobile device browsers. Prior to doing so, the entity is required to provide users with notices containing information and consent under which of the following frameworks?

A.E-Commerce Directive 2000/31/EC.
B.E-Privacy Directive 2002/58/EC.
C.General Data Protection Regulation 2016/679.
D.Data Protection Directive 95/46/EC.

Question 95

SCENARIO
Please use the following to answer the next question:
Sandy recently joined Market4U, an advertising technology company founded in 2016, as their VP of Privacy and Data Governance. Through her first initiative in conducting a data inventory, Sandy learned that Market4U maintains a list of 19 million global contacts that were collected throughout the course of Market4U's existence. Knowing the risk of having such a large amount of data, Sandy wanted to purge all contacts that were entered into Market4U's systems prior to May 2018, unless such contacts had a more recent interaction with Market4U content. However, Dan, the VP of Sales, informed Sandy that all of the contacts provide useful information regarding successful marketing campaigns and trends in industry verticals for Market4U's clients.
Dan also informed Sandy that he had wanted to focus on gaining more customers within the sports and entertainment industry. To assist with this behavior, Market4U's marketing team decided to add several new fields to Market4U's website forms, including forms for downloading white papers, creating accounts to participate in Market4U's forum, and attending events. Such fields include birth date and salary.
What should Sandy give as feedback to Dan and the marketing team regarding the new fields Dan wants to add to Market4U's forms?

A.Make all the fields optional.
B.Only request the information in brackets (i.e., age group and salary range).
C.Eliminate the fields as they are not necessary for the purposes of providing white papers or registration for events.
D.Eliminate the fields, as they are not proportional to the services being offered.

Question 96

If a multi-national company wanted to conduct background checks on all current and potential employees, including those based in Europe, what key provision would the company have to follow?

A.Background checks on employees could be performed only under prior notice to all employees.
B.Background checks are only authorized with prior notice and express consent from all employees including those based in Europe.
C.Background checks on European employees will stem from data protection and employment law, which can vary between member states.
D.Background checks may not be allowed on European employees, but the company can create lists based on its legitimate interests, identifying individuals who are ineligible for employment.

Question 92

Question 93

Question 94

Question 95

Question 96

Download PDF File