Free Access to IAPP.CIPP-E.v2024-03-24.q264 with Valid Practice Test (Page 49)

Question 237

SCENARIO
Please use the following to answer the next question:
Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta |EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.
The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a Which of the following must be a component of the anti-money-laundering data-sharing practice of the platform?

A.The terms of service shall also enumerate all applicable anti-money laundering few.
B.The terms of service shall include the address of the anti-money laundering agency and contacts of the investigators who may access me data.
C.Customers shall have an opt-out feature to restrict data sharing with law enforcement agencies after the registration.
D.Customers snail receive a clear and conspicuous notice about such data sharing before submitting their data during the registration process.

Question 238

What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention 108?

A.Both govern international transfers of personal data
B.Both govern the manual processing of personal data
C.Both only apply to European Union countries
D.Both require notification of processing activities to a supervisory authority

Correct Answer: D

The GDPR and the Convention 108 are two important data protection instruments that aim to protect the rights and freedoms of individuals with regard to their personal data. They both have some similarities and some differences, but one common feature is that they both require notification of processing activities to a supervisory authority.
A supervisory authority is an independent public body that monitors and enforces compliance with data protection laws. In the EU, there are 47 national data protection authorities (DPAs) that have the power to impose administrative fines, issue guidelines, conduct investigations, and cooperate with other authorities1. In the Council of Europe, there are 54 parties to the Convention 108 that have established their own supervisory authorities or have agreed to be supervised by an external authority2.
Notification of processing activities is a requirement for any controller or processor of personal data that falls under the scope of the GDPR or the Convention 108. A controller is a natural or legal person who determines the purposes and means of the processing of personal data3. A processor is a natural or legal person who processes personal data on behalf of a controller3. Notification means informing the supervisory authority about certain aspects of the processing, such as:
The identity and contact details of the controller and processor
The categories and sources of personal data
The purposes and legal basis for processing
The recipients or categories of recipients of personal data
The retention period or criteria for determining it
The existence of any automated decision-making or profiling
The rights of data subjects and how they can exercise them
Notification can be done in various ways, such as:
Submitting a written notification form
Publishing a notice on a website or other platform
Sending an email or other electronic message
Using an online system or portal
Notification should be done as soon as possible after becoming aware of any relevant information about the processing. It should also be updated whenever there are significant changes in relation to the processing4.
Therefore, both the GDPR and the Convention 108 require notification of processing activities to a supervisory authority. This is one way to ensure transparency, accountability, and compliance with data protection laws.

Question 239

Which mechanism, new to the GDPR, now allows for the possibility of personal data transfers to third countries under Article 42?

A.Approved certifications.
B.Law enforcement requests.
C.Standard contractual clauses.
D.Binding corporate rules.

Question 240

What are the obligations of a processor that engages a sub-processor?

A.The processor must obtain the controller's specific written authorization and provide annual reports on the sub-processor's performance.
B.The processor must give the controller prior written notice and perform a preliminary audit of the sub- processor.
C.The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.
D.The processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor.

Question 241

With the issue of consent, the GDPR allows member states some choice regarding what?

A.The mechanisms through which consent may be communicated
B.The circumstances in which silence or inactivity may constitute consent
C.The age at which children must be required to obtain parental consent
D.The timeframe in which data subjects are allowed to withdraw their consent

Question 237

Question 238

Question 239

Question 240

Question 241

Download PDF File