Free Access to IAPP.CIPP-E.v2024-03-24.q264 with Valid Practice Test (Page 42)

Question 202

Which of the following was the first to implement national law for data protection in 1973?

A.France
B.Sweden
C.Germany
D.United Kingdom

Question 203

SCENARIO
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn't prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.
The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre- registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company's app, like storage and sharing of DNA information with other applications and medical providers. The company's contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers' attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn't include any technology or infrastructure; rather, it's simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob's laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canad a. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.
The Customer for Life plan may conflict with which GDPR provision?

A.Article 20, which gives data subjects a right to data portability.
B.Article 6, which requires processing to be lawful.
C.Article 7, which requires consent to be as easy to withdraw as it is to give.
D.Article 16, which provides data subjects with a rights to rectification.

Question 204

What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) all had in common but largely failed to achieve in Europe?

A.The restriction of cross-border data flow
B.The creation of legally binding data protection principles
C.The synchronization of approaches to data protection
D.The establishment of a list of legitimate data processing criteria

Question 205

An organization receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal dat a. Under what condition can the organization charge the data subject a fee for processing the request?

A.Only where the organization can show that it is reasonable to do so because more than one request was made.
B.Only to the extent this is allowed under the restrictions on data subjects' rights introduced under Art 23 of GDPR.
C.Only where the administrative costs of taking the action requested exceeds a certain threshold.
D.Only if the organization can demonstrate that the request is clearly excessive or misguided.

Question 206

In which situation would a data controller most likely be able to justify the processing of the data of a child without parental consent?

A.When the data is to be processed for market research.
B.When providing preventive or counselling services to the child.
C.When providing the child with materials purely for educational use.
D.When a legitimate business interest makes obtaining consent impractical.

Correct Answer: B

Under the GDPR, the processing of personal data of a child on the basis of consent requires the consent of the holder of parental responsibility over the child, unless the child is at least 16 years old or the applicable national law provides for a lower age (not below 13 years). However, there are some situations where the processing of personal data of a child without parental consent may be justified by other lawful grounds, such as the performance of a contract, the compliance with a legal obligation, the protection of vital interests, the performance of a task carried out in the public interest, or the legitimate interests of the controller or a third party. One of these situations is when the processing is necessary for providing preventive or counselling services to the child, especially in the context of information society services. This is recognised by Recital 38 of the GDPR, which states that:
"Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child." Therefore, the processing of personal data of a child without parental consent may be lawful if it is necessary for providing preventive or counselling services to the child, such as health, education, social or legal services, that are offered directly to the child and that aim to protect the child's well-being, safety, development or rights. This may include, for example, online counselling platforms, sexual health advice services, anti-bullying or mental health support services, or child protection helplines. In such cases, the controller should ensure that the processing is fair, transparent, proportionate and respectful of the child's best interests, and that appropriate safeguards are in place to protect the child's personal data and rights.
The other options are not likely to justify the processing of personal data of a child without parental consent, as they do not meet the criteria of necessity, proportionality or legitimacy. The processing of personal data of a child for market research purposes is not necessary for the performance of a contract, the compliance with a legal obligation, the protection of vital interests, the performance of a task carried out in the public interest, or the legitimate interests of the controller or a third party, and may pose significant risks to the child's privacy and autonomy. Therefore, such processing requires the consent of the holder of parental responsibility over the child, unless the child is old enough to give their own consent. The provision of materials purely for educational use to a child may not require the processing of personal data of the child at all, or may only require the processing of minimal personal data, such as the child's name or email address. In such cases, the processing may be based on the consent of the child, if the child is old enough to understand the implications of their consent, or on the legitimate interests of the controller, if the processing is necessary for the provision of the educational materials and does not override the interests or rights of the child. However, the controller should still inform the child and the holder of parental responsibility about the processing and provide them with the opportunity to object or withdraw their consent. The existence of a legitimate business interest does not automatically justify the processing of personal data of a child without parental consent, as the controller must also consider the impact of the processing on the rights and freedoms of the child, and whether the processing is necessary and proportionate for the pursuit of that interest. Moreover, the controller must balance the legitimate business interest against the interests or rights of the child, and ensure that the processing does not cause any harm or disadvantage to the child. If the processing involves the use of personal data of a child for the purposes of marketing or creating personality or user profiles, the controller must obtain the consent of the holder of parental responsibility over the child, unless the child is old enough to give their own consent, as these purposes pose a high risk to the child's privacy and autonomy. Reference: GDPR Article 6, GDPR Article 8, GDPR Recital 38, Children and the UK GDPR | ICO, Guidelines on consent under Regulation 2016/679 - European Data Protection Board

Question 202

Question 203

Question 204

Question 205

Question 206

Download PDF File