Free Access to IAPP.CIPP-E.v2024-08-06.q168 with Valid Practice Test (Page 5)

Question 16

Under the GDPR, who would be LEAST likely to be allowed to engage in the collection, use, and disclosure of a data subject's sensitive medical information without the data subject's knowledge or consent?

A.A member of the judiciary involved in adjudicating a legal dispute involving the data subject and concerning the health of the data subject.
B.A public authority responsible for public health, where the sharing of such information is considered necessary for the protection of the general populace.
C.A journalist writing an article relating to the medical condition in question, who believes that the publication of such information is in the public interest.
D.A health professional involved in the medical care for the data subject, where the data subject's life hinges on the timely dissemination of such information.

Question 17

SCENARIO
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage What transfer mechanism did ProStorage most likely rely on to transfer Ruth's medical information to the hospital?

A.Performance of a contract with Ruth.
B.Protecting against legal liability from Ruth.
C.Protecting the vital interest of Ruth
D.Ruth's implied consent.

Question 18

A company is hesitating between Binding Corporate Rules and Standard Contractual Clauses as a global data transfer solution. Which of the following statements would help the company make an effective decision?

A.Binding Corporate Rules are especially recommended for small and medium companies.
B.The data exporter does not need to be located in the EU for the standard Contractual Clauses.
C.Binding Corporate Rules provide a global solution for all the entities of a company that are bound by the intra-group agreement.
D.The company will need the prior authorization of all EU data protection authorities for concluding Standard Contractual Clauses.

Correct Answer: C

According to the GDPR, transfers of personal data to third countries or international organisations are only allowed if the controller or processor complies with the conditions laid down in Chapter V of the GDPR1. One of these conditions is the existence of an adequacy decision by the European Commission, which means that the third country or international organisation ensures an adequate level of protection for the personal data2. However, if there is no adequacy decision, the controller or processor must provide appropriate safeguards for the data transfer, such as binding corporate rules (BCR) or standard contractual clauses (SCC)3.
Binding corporate rules (BCR) are internal rules adopted by a group of undertakings or enterprises engaged in a joint economic activity, which define its global policy with regard to the international transfers of personal data within the same corporate group or business partners located in third countries4. BCR must include all the general data protection principles and enforceable rights to ensure appropriate safeguards for the data transfers. They must be legally binding and enforced by every member concerned of the group5. BCR must be approved by the competent supervisory authority in accordance with the consistency mechanism provided by the GDPR6.
Standard contractual clauses (SCC) are sets of contractual terms and conditions that the controller or processor and the recipient of the data agree to apply to the data transfer. SCC are adopted by the European Commission or by a supervisory authority in accordance with the consistency mechanism and are available in the Official Journal of the European Union7. SCC must offer sufficient safeguards on data protection for the data to be transferred internationally8.
In the given scenario, option C is the statement that would help the company make an effective decision between BCR and SCC, as it highlights the main advantage of BCR over SCC, which is the global and comprehensive solution that BCR provide for all the entities of a company that are bound by the intra-group agreement. BCR are especially suitable for large and complex organisations that have frequent and high-volume data transfers within the same corporate group or business partners located in third countries. BCR also offer more flexibility and legal certainty than SCC, as they are tailored to the specific needs and structure of the group and do not require individual contracts for each data transfer.
The other options (A, B, and D) are either incorrect or misleading statements that would not help the company make an effective decision between BCR and SCC. Option A is incorrect, as BCR are not recommended for small and medium companies, but rather for large and complex ones, as explained above. Option B is misleading, as it implies that the data exporter can be located outside the EU for the SCC, which is true, but not relevant for the comparison with BCR, as the data exporter can also be located outside the EU for the BCR, as long as it is subject to the GDPR by virtue of Article 3(2). Option D is also misleading, as it implies that the company will need the prior authorization of all EU data protection authorities for concluding SCC, which is false, as the company will only need the prior authorization of the competent supervisory authority in the Member State where the data exporter is established, unless the SCC are modified or supplemented by additional clauses or safeguards. Reference:
1: [Article 44 of the GDPR]
2: [Article 45 of the GDPR]
3: [Article 46 of the GDPR]
4: [Article 4 (20) of the GDPR]
5: [Article 47 of the GDPR]
6: [Article 63 of the GDPR]
7: [Article 93 of the GDPR]
8: [Article 46 (2) and (d) of the GDPR]
9: [Binding Corporate Rules (BCR)]
10: [Article 3 (2) of the GDPR]
11: [Article 46 (3) (a) and (b) of the GDPR]
12: [Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)]
13: [Binding Corporate Rules (BCR) - European Commission]
14: [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679]
15: [https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/binding-corporate-rules-bcr_en]
16: [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679]
17: [https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/binding-corporate-rules-bcr_en]

Question 19

SCENARIO
Please use the following to answer the next question:
Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club's U.K. brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club.
After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVETFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVETFIT through alternate channels, he decides to take action against the company.
Javier contacts the U.K. Information Commissioner's Office ('ICO' - the U.K.'s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e. the supervisory authority of EVERFIT's main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR.
The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision.
Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.
Under the cooperation mechanism, what should the lead authority (the CNIL) do after it has formed its view on the matter?

A.Submit a draft decision directly to the Commission to ensure the effectiveness of the consistency mechanism.
B.Request that members of the seconding supervisory authority and the host supervisory authority co-draft a decision.
C.Submit a draft decision to other supervisory authorities for their opinion.
D.Request that the other supervisory authorities provide the lead authority with a draft decision for its consideration.

Question 20

Which kind of privacy notice, originally advocated by the Article 29 Working Party, is commonly recommended tor Al-based technologies because of the way it provides processing information at specific points of data collection?

A.Layered notice.
B.Privacy dashboard notice
C.Visualization notice.
D.Just-in-lime notice.

Question 16

Question 17

Question 18

Question 19

Question 20

Download PDF File