Free Access to IAPP.CIPP-E.v2024-03-24.q264 with Valid Practice Test (Page 51)

Question 247

A company in France suffers a robbery over the weekend owing to a faulty alarm system. When it is determined that the break-in involves the loss of a substantial amount of data, the company decides on a CCTV system to monitor for future incidents. Company technicians install cameras in the entrance of the building, hallways and offices. Footage is recorded continuously, and is monitored by the home office in the United States. What is the most realistic step the company could take to address their security concerns and comply with the personal data processing principles set out in Article 5 of the GDPR?

A.Restrict camera placement to building entrances only.
B.Seek informed consent from company employees.
C.Have cameras recording during work hours only.
D.Retain captured footage for no more than 30 days.

Question 248

Which of the following is NOT a role of works councils?

A.Determining the monetary fines to be levied against employers for data breach violations of employee data.
B.Determining what changes will affect employee working conditions.
C.Determining whether employees' personal data can be processed or not.
D.Determining whether to approve or reject certain decisions of the employer that affect employees.

Question 249

Under the GDPR, who would be LEAST likely to be allowed to engage in the collection, use, and disclosure of a data subject's sensitive medical information without the data subject's knowledge or consent?

A.A member of the judiciary involved in adjudicating a legal dispute involving the data subject and concerning the health of the data subject.
B.A public authority responsible for public health, where the sharing of such information is considered necessary for the protection of the general populace.
C.A health professional involved in the medical care for the data subject, where the data subject's life hinges on the timely dissemination of such information.
D.A journalist writing an article relating to the medical condition in QUESTION, who believes that the publication of such information is in the public interest.

Correct Answer: D

The GDPR defines data concerning health as a special category of personal data that is subject to specific processing conditions and safeguards. The GDPR prohibits the processing of such data unless one of the exceptions in Article 9 applies. One of these exceptions is the explicit consent of the data subject, which means that the data subject has given a clear and affirmative indication of their agreement to the processing of their health data. Another exception is when the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care. A third exception is when the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services. These exceptions are based on the principle of necessity, which means that the processing must be strictly necessary for a specific purpose and cannot be achieved by other means.
In the given scenario, the journalist does not fall under any of these exceptions. The journalist is not a health professional, a public authority, or a person who has obtained the explicit consent of the data subject. The journalist is not processing the data for any legitimate purpose related to public health, medical care, or social protection. The journalist is merely pursuing their own interest in publishing a story that may or may not be in the public interest. The journalist is not respecting the data subject's rights and freedoms, especially their right to privacy and confidentiality. Therefore, the journalist would be least likely to be allowed to engage in the collection, use, and disclosure of the data subject's sensitive medical information without their knowledge or consent. Reference:
Article 4 (15) and Article 9 of the GDPR
Health data | ICO
What does the GDPR mean for personal data in medical reports?
Sensitive data and medical confidentiality - FutureLearn
Health data and data privacy: storing sensitive data under GDPR

Question 250

SCENARIO
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn't prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.
The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre- registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company's app, like storage and sharing of DNA information with other applications and medical providers. The company's contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers' attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn't include any technology or infrastructure; rather, it's simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob's laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canad a. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.
If Who-R-U adopts the We-Track-U pilot plan, why is it likely to be subject to the territorial scope of the GDPR?

A.Its plan would be in the context of the establishment of a controller in the Union.
B.It would be offering goods or services to data subjects in the Union.
C.It is engaging in commercial activities conducted in the Union.
D.It is monitoring the behavior of data subjects in the Union.

Question 251

What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention
108?

A.Both govern international transfers of personal data
B.Both govern the manual processing of personal data
C.Both only apply to European Union countries
D.Both require notification of processing activities to a supervisory authority

Question 247

Question 248

Question 249

Question 250

Question 251

Download PDF File