Winter Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: bigdisc65

IAPP CIPP-E Actual Questions

Page: 13 / 19
Question 52

SCENARIO

Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers’ data to third parties, and he’s convinced that Accidentable must have gotten his information from Bedrock Insurance.

Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.

Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.

In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.

Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis’s contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.

In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.

Accidentable’s response letter confirms Louis’s suspicions. Accidentable is Bedrock Insurance’s wholly owned subsidiary, and they received information about Louis’s accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis’s contract included, a provision in which he agreed to share his information with Bedrock’s affiliates for business purposes.

Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.

Based on the GDPR’s position on the use of personal data for direct marketing purposes, which of the following is true about Louis’s rights as a data subject?

Options:

A.

Louis does not have the right to object to the use of his data because he previously consented to it.

B.

Louis has the right to object at any time to the use of his data and Bedrock must honor his request to cease use.

C.

Louis has the right to object to the use of his data, unless his data is required by Bedrock for the purpose

of exercising a legal claim.

D.

Louis does not have the right to object to the use of his data if Bedrock can demonstrate compelling legitimate grounds for the processing.

Question 53

A key component of the OECD Guidelines is the “Individual Participation Principle”. What parts of the General Data Protection Regulation (GDPR) provide the closest equivalent to that principle?

Options:

A.

The lawful processing criteria stipulated by Articles 6 to 9

B.

The information requirements set out in Articles 13 and 14

C.

The breach notification requirements specified in Articles 33 and 34

D.

The rights granted to data subjects under Articles 12 to 22

Question 54

Which of the following is NOT recognized as a common characteristic of cloud computing services?

Options:

A.

The service's infrastructure is shared among the supplier's customers and can be located in a number of countries.

B.

The supplier determines the location, security measures, and service standards applicable to the processing.

C.

The supplier allows customer data to be transferred around the infrastructure according to capacity.

D.

The supplier assumes the vendor's business risk associated with data processed by the supplier.

Question 55

How is the retention of communications traffic data for law enforcement purposes addressed by European data protection law?

Options:

A.

The ePrivacy Directive allows individual EU member states to engage in such data retention.

B.

The ePrivacy Directive harmonizes EU member states’ rules concerning such data retention.

C.

The Data Retention Directive’s annulment makes such data retention now permissible.

D.

The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal offences only.

Page: 13 / 19
Exam Code: CIPP-E
Exam Name: Certified Information Privacy Professional/Europe (CIPP/E)
Last Update: Nov 21, 2024
Questions: 268
CIPP-E pdf

CIPP-E PDF

$28  $80
CIPP-E Engine

CIPP-E Testing Engine

$33.25  $95
CIPP-E PDF + Engine

CIPP-E PDF + Testing Engine

$45.5  $130