[UPDATED Sep-2025] Best Value Available Preparation Guide for CIPP-E Exam [Q119-Q141]


1 Full CIPP-E Practice Test and 298 Unique Questions, Get it Now!

NEW QUESTION # 119
Under the GDPR, where personal data is not obtained directly from the data subject, a controller is exempt from directly providing information about processing to the data subject if?

  • A. Third-party data would be disclosed by providing such information to the data subject
  • B. The data subject already has information regarding how his data will be used
  • C. The provision of such information to the data subject would be too problematic
  • D. The processing of the data subject's data is protected by appropriate technical measures

Answer: B


NEW QUESTION # 120
Which of the following is NOT considered a fair processing practice in relation to the transparency principle?

  • A. Providing a hyperlink to the organization's home page, in a hard copy application form.
  • B. Providing a multi-layered privacy notice, in a website environment.
  • C. Providing a QR code linking to more detailed privacy notice, in a CCTV sign.
  • D. Providing a "just-in-time" contextual pop-up privacy notice, in an online application form field.

Answer: A

Explanation:
According to the transparency principle, data controllers must provide clear and transparent information to data subjects about how their personal data is processed. This information must be easily accessible and easy to understand. Providing a hyperlink to the organization's home page, in a hard copy application form, is not considered a fair processing practice in relation to the transparency principle, because it does not directly inform the data subject about the specific purposes and legal basis of the processing, the data protection rights and obligations, and the contact details of the data controller and the data protection officer. This information should be provided in a concise, intelligible and easily accessible form, using clear and plain language, in a way that is appropriate to the means of communication. Providing a hyperlink to the organization's home page, in a hard copy application form, does not meet these criteria and may also be inaccessible to some data subjects who do not have internet access or are not familiar with the use of hyperlinks. Therefore, this option is not a fair processing practice in relation to the transparency principle. Reference: https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guidance-for-the-use-of-personal-data-in-political-campaigning-1/lawful-fair-and-transparent-processing/


NEW QUESTION # 121
SCENARIO
Please use the following to answer the next question:
Zandelay Fashion ('Zandelay') is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company's compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.
The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.
In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company's customers by analyzing their purchases. Martin tells the CEO that: (a) the potential risks of such activities means that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.
Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay's business plan and associated processing activities.
What would MOST effectively assist Zandelay in conducting their data protection impact assessment?

  • A. Existing DPIA guides published by local supervisory authorities.
  • B. Records of processing activities that data controllers are required to maintain.
  • C. Information about DPIAs found in Articles 38 through 40 of the GDPR.
  • D. Data breach documentation that data controllers are required to maintain.

Answer: C


NEW QUESTION # 122
What are the obligations of a processor that engages a sub-processor?

  • A. The processor must obtain the controller's specific written authorization and provide annual reports on the sub-processor's performance.
  • B. The processor must give the controller prior written notice and perform a preliminary audit of the sub-processor.
  • C. The processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor.
  • D. The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.

Answer: D


NEW QUESTION # 123
An organisation receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal data. Under what condition can the organisation charge the data subject for processing the request?

  • A. Only where the organisation can show that it is reasonable to do so because more than one request was made.
  • B. Only to the extent this is allowed under the restrictions on data subjects' rights introduced under Art 23 of GDPR.
  • C. Only if the organisation can demonstrate that the request is clearly excessive or misguided.
  • D. Only where the administrative costs of taking the action requested exceeds a certain threshold.

Answer: C

Explanation:
A request may be manifestly unfounded or excessive if it has no clear purpose, is clearly frivolous or vexatious, is made repeatedly by the same data subject, or goes beyond what is reasonably necessary to fulfil the data subject's request. In such cases, the organisation can either charge a reasonable fee or refuse to act on the request, but it must be able to justify its decision and inform the data subject of the reasons and of their right to lodge a complaint with a supervisory authority or to seek a judicial remedy. The other options are not correct, as they either do not reflect the conditions for charging a fee under the GDPR or are not relevant to the question. References: Right of access | ICO; Charge for a Data Subject Request GDPR - GDPR Wiki


NEW QUESTION # 124
SCENARIO
Please use the following to answer the next Question:
Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers' data to third parties, and he's convinced that Accidentable must have gotten his information from Bedrock Insurance.
Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of insurance policies.
Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.
In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.
Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis's contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.
Accidentable's response letter confirms Louis's suspicions. Accidentable is Bedrock Insurance's wholly owned subsidiary, and they received information about Louis's accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis's contract included a provision in which he agreed to share his information with Bedrock's affiliates for business purposes.
Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.
Based on the GDPR's position on the use of personal data for direct marketing purposes, which of the following is true about Louis's rights as a data subject?

  • A. Louis has the right to object at any time to the use of his data and Bedrock must honor his request to cease use.
  • B. Louis has the right to object to the use of his data, unless his data is required by Bedrock for the purpose of exercising a legal claim.
  • C. Louis does not have the right to object to the use of his data if Bedrock can demonstrate compelling legitimate grounds for the processing.
  • D. Louis does not have the right to object to the use of his data because he previously consented to it.

Answer: A


NEW QUESTION # 125
Which of the following was the first to implement national law for data protection in 1973?

  • A. United Kingdom
  • B. Germany
  • C. Sweden
  • D. France

Answer: C


NEW QUESTION # 126
An unforeseen power outage results in company Z's lack of access to customer data for six hours. According to Article 32 of the GDPR, this is considered a breach. Based on the WP29's February 2018 guidance, company Z should do which of the following?

  • A. Document the loss of availability to demonstrate accountability
  • B. Conduct a thorough audit of all security systems
  • C. Notify affected individuals that their data was unavailable for a period of time.
  • D. Notify the supervisory authority about the loss of availability

Answer: D

Explanation:
Reference: https://ec.europa.eu/newsroom/article29/document.cfm?doc_id=49827


NEW QUESTION # 127
With respect to international transfers of personal data, the European Data Protection Board (EDPB) confirmed that derogations may be relied upon under what condition?

  • A. Only as a last resort and when interpreted restrictively.
  • B. Only if the Data Protection Impact Assessment (DPIA) shows low risk.
  • C. If the data controller has received preapproval from a Data Protection Authority (DPA), after submitting the appropriate documents.
  • D. When it has been determined that adequate protection can be performed.

Answer: A

Explanation:
The GDPR allows for derogations for specific situations when a transfer of personal data to a third country or an international organization cannot be based on an adequacy decision, appropriate safeguards, or binding corporate rules [1]. However, these derogations are exceptions to the general rule and should not become the norm. The EDPB confirmed that derogations should only be used as a last resort and when interpreted restrictively, taking into account the nature of the data, the purpose and duration of the processing, the country of origin and destination, and the rights and freedoms of data subjects [2][3]. The EDPB also stressed that the data exporter must assess the level of protection in the third country and ensure that the transfer does not undermine the essence of the fundamental rights and freedoms of data subjects [2][3]. References: 1: Article 49 of the GDPR 2: Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 3: A guide to international transfers | ICO


NEW QUESTION # 128
The European Parliament jointly exercises legislative and budgetary functions with which of the following?

  • A. The Council of the European Union.
  • B. The European Commission.
  • C. The European Data Protection Board.
  • D. The Article 29 Working Party.

Answer: A


NEW QUESTION # 129
According to Art 23 GDPR, which of the following data subject rights can NOT be restricted?

  • A. Right to erasure ("Right to be forgotten").
  • B. Right to restriction of processing.
  • C. Right not to be subject to automated individual decision-making
  • D. Right to lodge a complaint with a supervisory authority.

Answer: D

Explanation:
According to Article 23 of the GDPR, the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, may be restricted by a legislative measure of a Member State or the Union, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard certain public interests or the rights and freedoms of others. However, Article 23 does not include Article 77, which grants the data subject the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the GDPR. Therefore, this right cannot be restricted by any legislative measure, as it is essential for the effective judicial protection of the data subject and the enforcement of the GDPR. Reference:
Free CIPP/E Study Guide, page 14, section 2.3
GDPR, Article 77
GDPR, Article 23
Guidelines on restrictions of data subject rights under Art. 23 of the GDPR, page 4, section 2
Statement on restrictions on data subject rights in connection to the COVID-19 pandemic, page 2, section 2


NEW QUESTION # 130
Under Article 9 of the GDPR, which of the following categories of data is NOT expressly prohibited from data processing?

  • A. Personal data revealing trade union membership.
  • B. Personal data revealing financial data.
  • C. Personal data revealing ethnic origin.
  • D. Personal data revealing genetic data.

Answer: B

Explanation:
Article 9 of the GDPR prohibits the processing of special categories of personal data, which are data that reveal sensitive information about the data subject and may pose a high risk to their rights and freedoms. The GDPR defines 10 types of personal data as special categories, which are:
* personal data revealing racial or ethnic origin;
* personal data revealing political opinions;
* personal data revealing religious or philosophical beliefs;
* personal data revealing trade union membership;
* genetic data;
* biometric data (where used for identification purposes);
* data concerning health;
* data concerning a person's sex life; and
* data concerning a person's sexual orientation.
Among the answer choices, only option C is not one of these categories, as financial data is not considered to reveal any sensitive information about the data subject. However, financial data is still subject to the general principles and rules of the GDPR, such as lawfulness, fairness, transparency, accuracy, security, etc.
References:
* Special category data | ICO
* Art. 9 GDPR Processing of special categories of personal data
* Special Categories of Data - International Association of Privacy Professionals


NEW QUESTION # 131
Article 9 of the GDPR lists exceptions to the general prohibition against processing biometric data. Which of the following is NOT one of these exceptions?

  • A. The processing is done by a non-profit organization and the results are disclosed outside the organization.
  • B. The processing is necessary for the establishment, exercise or defense of legal claims when courts are acting in a judicial capacity.
  • C. The processing is explicitly consented to by the data subject and he or she is allowed by Union or Member State law to lift the prohibition.
  • D. The processing is necessary to protect the vital interests of the data subject when he or she is incapable of giving consent.

Answer: A

Explanation:
Article 9 of the GDPR prohibits the processing of special category data, which includes biometric data for the purpose of uniquely identifying a natural person. However, there are 10 exceptions to this general prohibition, usually referred to as 'conditions for processing special category data'. These are:
(a) Explicit consent
(b) Employment, social security and social protection (if authorised by law)
(c) Vital interests
(d) Not-for-profit bodies
(e) Made public by the data subject
(f) Legal claims and judicial acts
(g) Substantial public interest conditions
(h) Health or social care
(i) Public health
(j) Archiving, research and statistics
Option A is not one of these exceptions, and therefore it is not a valid reason to process biometric data under Article 9. Options B, C and D are all valid exceptions, as they correspond to conditions (f), (a) and (c) respectively. Therefore, the correct answer is A.
Reference:
4: Art. 9 GDPR Processing of special categories of personal data
6: What are the rules on special category data? | ICO


NEW QUESTION # 132
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.
Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computer activity and their location.
During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.
To comply with the GDPR, what should Building Block have done as a first step before implementing the SecurityScan measure?

  • A. Distributed a more comprehensive notice to employees and received their express consent.
  • B. Consulted with the Information Security team to weigh security measures against possible server impacts.
  • C. Assessed potential privacy risks by conducting a data protection impact assessment.
  • D. Consulted with the relevant data protection authority about potential privacy violations.

Answer: C

Explanation:
A data protection impact assessment (DPIA) is a process to identify and minimise the data protection risks of a project that is likely to result in a high risk to the rights and freedoms of individuals. The GDPR requires controllers to conduct a DPIA before starting such processing activities. In this case, Building Block should have done a DPIA before implementing the SecurityScan measure, as it involves the monitoring of employees' computers, which could affect their privacy and other fundamental rights. A DPIA would help Building Block to assess the necessity, proportionality and compliance measures of the SecurityScan measure, as well as to identify and mitigate the risks to the employees and to consult with the relevant stakeholders, such as the data protection officer, the employees themselves, and the supervisory authorities. The other options are not the first step that Building Block should have taken, as they either follow or depend on the outcome of the DPIA. References: Data Protection Impact Assessment (DPIA) - GDPR.eu, Data protection impact assessments | ICO


NEW QUESTION # 133
Article 9 of the GDPR lists exceptions to the general prohibition against processing biometric data. Which of the following is NOT one of these exceptions?

  • A. The processing is done by a non-profit organization and the results are disclosed outside the organization.
  • B. The processing is necessary for the establishment, exercise or defense of legal claims when courts are acting in a judicial capacity.
  • C. The processing is explicitly consented to by the data subject and he or she is allowed by Union or Member State law to lift the prohibition.
  • D. The processing is necessary to protect the vital interests of the data subject when he or she is incapable of giving consent.

Answer: A

Explanation:
Reference https://dataprivacymanager.net/sensitive-personal-data-special-category-under-the-gdpr/


NEW QUESTION # 134
A company is located in a country NOT considered by the European Union (EU) to have an adequate level of data protection. Which of the following is an obligation of the company if it imports personal data from another organization in the European Economic Area (EEA) under standard contractual clauses?

  • A. Supply any information requested by a data protection authority (DPA) within 30 days.
  • B. Submit the contract to its own government authority.
  • C. Ensure that local laws do not impede the company from meeting its contractual obligations.
  • D. Ensure that notice is given to and consent is obtained from data subjects.

Answer: C

Explanation:
The GDPR allows the transfer of personal data to countries outside of the EEA that do not provide an adequate level of data protection, if appropriate safeguards are provided by the data exporter and the data importer [1]. One of these safeguards is standard contractual clauses (SCCs) adopted by the European Commission, which are model clauses that impose obligations on both parties to ensure that the transfer complies with the GDPR requirements [2]. The SCCs also include clauses on the rights of the data subjects, the obligations of the data protection authorities, and the liability and indemnification of the parties [3]. One of the obligations of the data importer under the SCCs is to warrant that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract, and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the SCCs, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract [4]. Therefore, option D is the correct answer, as it reflects the obligation of the data importer under the SCCs to ensure that local laws do not impede the company from meeting its contractual obligations. Options A, B and C are incorrect, as they are not obligations of the data importer under the SCCs. Option A is not required by the GDPR or the SCCs, as the data importer does not need to submit the contract to its own government authority, unless the law of the country where the data importer is established requires it to do so prior to the transfer or disclosure of personal data [5].
Option B is not an obligation of the data importer, but of the data exporter, who must provide the data subjects with the information required by Articles 13 and 14 of the GDPR, including the fact that the data will be transferred to a third country and the appropriate safeguards in place [6]. Option C is not specific to the SCCs, but a general obligation of any controller or processor under the GDPR, who must cooperate with the supervisory authority and make available all information necessary to demonstrate compliance with their obligations [7]. Reference: 1: Article 46(1) of the GDPR 2: Standard Contractual Clauses (SCC) - European Commission 3: EU Standard Contractual Clauses (Word documents) 4: Clause 5(a) of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 5: Clause 5(b) of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 6: Clause 9 of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 7: Article 31 of the GDPR


NEW QUESTION # 135
An entity's website stores text files on EU users' computer and mobile device browsers. Prior to doing so, the entity is required to provide users with notices containing information and consent under which of the following frameworks?

  • A. E-Privacy Directive 2002/58/EC.
  • B. Data Protection Directive 95/46/EC.
  • C. General Data Protection Regulation 2016/679.
  • D. E-Commerce Directive 2000/31/EC.

Answer: A

Explanation:
Based on my web search results, the most likely answer is B. E-Privacy Directive 2002/58/EC. Here is a summary of why:
The E-Privacy Directive 2002/58/EC is a specific legal framework that complements and particularizes the general data protection principles set out in the Data Protection Directive 95/46/EC (which has been replaced by the General Data Protection Regulation 2016/679).
The E-Privacy Directive 2002/58/EC covers the processing of personal data and the protection of privacy in the electronic communications sector, including the use of cookies and similar technologies.
Article 5.3 of the E-Privacy Directive 2002/58/EC states that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information.
Therefore, an entity's website that stores text files (such as cookies) on EU users' computer and mobile device browsers must comply with the E-Privacy Directive 2002/58/EC and provide users with notices containing information and consent before doing so.


NEW QUESTION # 136
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO, Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage's global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments. The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized in New Delhi. Unable to reach Ruth's family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR, provided information to the doctors based on accommodation requests Ruth made when she started at ProStorage.
What transfer mechanism should Jackie recommend for using InstaHR?

  • A. Explicit consent of employees.
  • B. Binding corporate rules.
  • C. Standard contractual clauses
  • D. Adequacy

Answer: A


NEW QUESTION # 137
SCENARIO
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO, Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage's global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments. The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized in New Delhi. Unable to reach Ruth's family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR, provided information to the doctors based on accommodation requests Ruth made when she started at ProStorage.
In support of Ruth's strategic goals of hiring more sales representatives, the Human Resources team is focused on improving its processes to ensure that new employees are sourced, interviewed, hired, and onboarded efficiently. To help with this, Mary identified two vendors, HRYourWay, a German based company, and InstaHR, an Australian based company. She decided to have both vendors go through ProStorage's vendor risk review process so she can work with Ruth to make the final decision. As part of the review process, Jackie, who is responsible for maintaining ProStorage's privacy program (including maintaining controller BCRs and conducting vendor risk assessments), reviewed both vendors but completed a transfer impact assessment only for InstaHR.
After her review of both vendors, she determined that InstaHR satisfied more of the requirements as it boasted a more established privacy program and provided third-party attestations, whereas HRYourWay was a small vendor with minimal data protection operations.
Thus, she recommended InstaHR.
ProStorage's marketing team also worked to meet the strategic goals of the company by focusing on industries where it needed to grow its market share. To help with this, the team selected as a partner UpFinance, a US-based company with deep connections to financial industry customers. During ProStorage's diligence process, Jackie from the privacy team noted in the transfer impact assessment that UpFinance implements several data protection measures, including end-to-end encryption with encryption keys held by the customer.
Notably, UpFinance has not received any government requests in its 7 years of business. Still, Jackie recommended that the contract require UpFinance to notify ProStorage if it receives a government request for personal data UpFinance processes on its behalf prior to disclosing such data.
What transfer mechanism should Jackie recommend for using InstaHR?

  • A. Binding corporate rules.
  • B. Adequacy
  • C. Explicit consent of employees.
  • D. Standard contractual clauses

Answer: D

Explanation:
According to the GDPR, any transfer of personal data to a third country or an international organisation must be based on an adequacy decision by the Commission, appropriate safeguards by the data exporter and importer, or derogations for specific situations1. In this scenario, InstaHR is an Australian based company that processes personal data on behalf of ProStorage, a Dutch based company. Australia is not recognised by the Commission as a country that provides an adequate level of data protection2, so the adequacy option is not available. Binding corporate rules (BCRs) are internal rules adopted by multinational groups of companies or organisations that define their global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries that do not provide an adequate level of protection3.
However, BCRs are not applicable in this case, as InstaHR is not part of the same corporate group as ProStorage. Explicit consent of employees is a possible derogation for specific situations, but it is not a reliable or practical transfer mechanism, as it must be freely given, specific, informed and unambiguous, and it can be withdrawn at any time4. Therefore, the most suitable transfer mechanism for using InstaHR is standard contractual clauses (SCCs). SCCs are contractual clauses that have been pre-approved by the Commission and that provide appropriate safeguards for data protection when transferring personal data from the EU/EEA to third countries. SCCs are legally binding and enforceable by data subjects, and they impose obligations on both the data exporter and the data importer. SCCs are widely used by data controllers and processors as a transfer mechanism under the GDPR. References: 1: Art. 44 GDPR - General principle for transfers; 2: Adequacy decisions - European Commission; 3: Binding corporate rules - European Commission; 4: Article 7 of the GDPR; Standard Contractual Clauses (SCC) - European Commission.


NEW QUESTION # 138
Which EU institution is vested with the competence to propose new data protection legislation on its own initiative?

  • A. The European Parliament
  • B. The Council of the European Union
  • C. The European Council
  • D. The European Commission

Answer: B


NEW QUESTION # 139
When hiring a data processor, which action would a data controller NOT be able to depend upon to avoid liability in the event of a security breach?

  • A. Documenting due diligence steps taken in the pre-contractual stage.
  • B. Maintaining evidence that the processor was the best possible market choice available.
  • C. Requiring that the processor directly notify the appropriate supervisory authority.
  • D. Conducting a risk assessment to analyze possible outsourcing threats.

Answer: C

Explanation:
The GDPR imposes several obligations on data controllers when they engage data processors to process personal data on their behalf. One of these obligations is to ensure that the contract or other legal act between the controller and the processor stipulates that the processor must assist the controller in complying with its obligations under the GDPR, including the obligation to notify personal data breaches to the competent supervisory authority and, where applicable, to the affected data subjects1. However, this does not mean that the processor can directly notify the supervisory authority without the involvement of the controller. The GDPR clearly states that it is the controller's responsibility to notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of the breach2. The processor must only notify the controller without undue delay after becoming aware of the breach3. Therefore, requiring that the processor directly notify the appropriate supervisory authority is not an action that a data controller can depend upon to avoid liability in the event of a security breach, as it would be contrary to the GDPR and the controller's own obligation. Options A, B and D are actions that a data controller can take to reduce the risk of liability, as they demonstrate that the controller has exercised due diligence, assessed the potential impact of outsourcing, and chosen a reliable and compliant processor. References: 1: Article 28(3)(f) of the GDPR; 2: Article 33(1) of the GDPR; 3: Article 33(2) of the GDPR.


NEW QUESTION # 140
Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?

  • A. The European Commission can adopt an adequacy decision for individual companies.
  • B. To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation.
  • C. The European Commission can adopt, repeal or amend an existing adequacy decision.
  • D. EU member states are vested with the power to accept or reject a European Commission adequacy decision.

Answer: A


NEW QUESTION # 141
......
