[Q107-Q126] Free Sales Ending Soon - Use Real CIPP-C PDF Questions [Nov 23, 2021]

NEW QUESTION 107
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Ontario University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
* Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
* Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
* Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Ontario's Alumni portal.
* Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
Under its security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relation to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first university attended. He wants to keep the records at the individual student level. Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Anna explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Anna will find that a risk analysis is NOT necessary in this situation as long as?

  • A. The data subjects are no longer current students of Frank's
  • B. The data subjects gave their unambiguous consent for the original processing
  • C. The algorithms that Frank uses for the processing are technologically sound
  • D. The processing will not negatively affect the rights of the data subjects

Answer: B


NEW QUESTION 108
A mobile device application that uses cookies will be subject to the consent requirement of which of the following?

  • A. The E-Commerce Directive
  • B. The Data Retention Directive
  • C. The ePrivacy Directive
  • D. The EU Cybersecurity Directive

Answer: C


NEW QUESTION 109
According to the GDPR, what is the main task of a Data Protection Officer (DPO)?

  • A. To monitor compliance with other local or European data protection provisions.
  • B. To create and maintain records of processing activities.
  • C. To create procedures for notification of personal data breaches to competent supervisory authorities.
  • D. To conduct Privacy Impact Assessments on behalf of the controller or processor.

Answer: D


NEW QUESTION 110
SCENARIO
Looking back at your first two years as the Director of Personal Information Protection and Compliance for the Berry Country Regional Medical Center in Thorn Bay, Ontario, Canada, you see a parade of accomplishments, from developing state-of-the-art simulation-based training for employees on privacy protection to establishing an interactive medical records system that is accessible by patients as well as by the medical personnel. Now, however, a question you have put off looms large: how do we manage all the data, not only records produced recently, but those still on hand from years ago? A data flow diagram generated last year shows multiple servers, databases, and workstations, many of which hold files that have not yet been incorporated into the new records system. While most of this data is encrypted, its persistence may pose security and compliance concerns. The situation is further complicated by several long-term studies being conducted by the medical staff using patient information. Having recently reviewed the major Canadian privacy regulations, you want to make certain that the medical center is observing them.
You also recall a recent visit to the Records Storage Section, often termed "The Dungeon", in the basement of the old hospital next to the modern facility, where you noticed a multitude of paper records. Some of these were in crates marked by year, medical condition or alphabetically by patient name, while others were in undifferentiated bundles on shelves and on the floor. The back shelves of the section housed data tapes and old hard drives that were often unlabeled but appeared to be years old. On your way out of the dungeon, you noticed just ahead of you a small man in a lab coat whom you did not recognize. He carried a batch of folders under his arm, apparently records he had removed from storage.
Which cryptographic standard would be most appropriate for protecting patient credit card information in the records system?

  • A. Obfuscation
  • B. Asymmetric Encryption
  • C. Symmetric Encryption
  • D. Hashing

Answer: B


NEW QUESTION 111
Which statement is correct when considering the right to privacy under Section 7 of the Canadian Charter of Rights and Freedoms?

  • A. The right to freedom of expression under section 10 will always override the right to privacy
  • B. The Supreme Court of Canada has stated that the Privacy Act has "quasi-constitutional status", and that the values and rights set out in the Act are closely linked to those set out in the Constitution as being necessary to a free and democratic society.
  • C. The right to privacy is an absolute right
  • D. The right to privacy protects the right to hold opinions and to receive and impart ideas without interference

Answer: B

Explanation: https://www.priv.gc.ca/en/about-the-opc/publications/guide_ind/


NEW QUESTION 112
Why is it advisable to avoid consent as a legal basis for an employer to process employee data?

  • A. Employee data can only be processed if there is an approval from the data protection officer.
  • B. Consent may not be valid if the employee feels compelled to provide it.
  • C. An employer might have difficulty obtaining consent from every employee.
  • D. Data protection laws do not apply to processing of employee data.

Answer: A


NEW QUESTION 113
SCENARIO
Please use the following to answer the next question:
Due to a rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B.
Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
* Name
* Address
* Date of Birth
* Payroll number
* National Insurance number
* Sick pay entitlement
* Maternity/paternity pay entitlement
* Holiday entitlement
* Pension and benefits contributions
* Trade union contributions
Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
Under the GDPR, which of Company B's actions would NOT be likely to trigger a potential enforcement action?

  • A. Their failure to provide sufficient security safeguards to Company A's data.
  • B. Their omission of data protection provisions in their contract with Company C.
  • C. Their decision to operate without a data protection officer.
  • D. Their engagement of Company C to improve their payroll service.

Answer: D


NEW QUESTION 114
Under the GDPR, where personal data is not obtained directly from the data subject, a controller is exempt from directly providing information about processing to the data subject if?

  • A. The processing of the data subject's data is protected by appropriate technical measures
  • B. The data subject already has information regarding how his data will be used
  • C. The provision of such information to the data subject would be too problematic
  • D. Third-party data would be disclosed by providing such information to the data subject

Answer: B


NEW QUESTION 115
Which is TRUE about the scope and authority of data protection oversight authorities?

  • A. The Office of the Privacy Commissioner (OPC) of Canada has the right to impose financial sanctions on violators
  • B. No one agency officially oversees the enforcement of privacy regulations in the United States
  • C. The Asia-Pacific Economic Cooperation (APEC) Privacy Frameworks require all member nations to designate a national data protection authority
  • D. All authority in the European Union rests with the Data Protection Commission (DPC)

Answer: A


NEW QUESTION 116
SCENARIO
Please use the following to answer the next question:
Edufox has hosted an annual convention of users of its famous e-learning software platform, and over time, it has become a grand event. It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centerpiece of the company's product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family.
This year's conference is only three weeks away, and you have just heard news of a new initiative supporting it: a smartphone app for attendees. The app will support late registration, highlight the featured presentations and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. "It's going to be great," the developer, Deidre Hoffman, tells you, "if, that is, we actually get it working!" She laughs nervously but explains that because of the tight time frame she'd been given to build the app, she outsourced the job to a local firm. "It's just three young people," she says, "but they do great work." She describes some of the other apps they have built. When asked how they were selected for this job, Deidre shrugs. "They do good work, so I chose them." Deidre is a terrific employee with a strong track record. That's why she's been charged to deliver this rushed project. You're sure she has the best interests of the company at heart, and you don't doubt that she's under pressure to meet a deadline that cannot be pushed back. However, you have concerns about the app's handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her about it, but she quickly tries to reassure you, "I'm sure with your help we can fix any security issues if we have to, but I doubt there'll be any. These people build apps for a living, and they know what they're doing. You worry too much, but that's why you're so good at your job!" You want to point out that normal protocols have not been followed in this matter. Which process in particular has been neglected?

  • A. Privacy breach prevention
  • B. Data mapping
  • C. Vendor due diligence or vetting
  • D. Forensic inquiry

Answer: C


NEW QUESTION 117
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Ontario University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
* Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
* Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
* Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Ontario's Alumni portal.
* Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
Under its security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relation to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first university attended. He wants to keep the records at the individual student level. Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Anna explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Which of the University's records does Anna NOT have to include in her record of processing activities?

  • A. Student records
  • B. Frank's performance database
  • C. Staff and alumni records
  • D. Department for Education records

Answer: B


NEW QUESTION 118
A key component of the OECD Guidelines is the "Individual Participation Principle". What parts of the General Data Protection Regulation (GDPR) provide the closest equivalent to that principle?

  • A. The breach notification requirements specified in Articles 33 and 34
  • B. The information requirements set out in Articles 13 and 14
  • C. The lawful processing criteria stipulated by Articles 6 to 9
  • D. The rights granted to data subjects under Articles 12 to 22

Answer: D


NEW QUESTION 119
What is the function of the privacy operational life cycle?

  • A. It allows privacy policies to mature to a fixed form
  • B. It ensures that outdated privacy policies are retired on a set schedule
  • C. It establishes initial plans for privacy protection and implementation
  • D. It allows the organization to respond to ever-changing privacy demands

Answer: C


NEW QUESTION 120
SCENARIO
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn't prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.
The first plan, colloquially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan We-Text-U. Once the company has gathered enough pre-registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company's app, like storage and sharing of DNA information with other applications and medical providers. The company's contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers' attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn't include any technology or infrastructure; rather, it's simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob's laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.
If Who-R-U adopts the We-Track-U pilot plan, why is it likely to be subject to the territorial scope of the GDPR?

  • A. It would be offering goods or services to data subjects in the Union.
  • B. It is monitoring the behavior of data subjects in the Union.
  • C. Its plan would be in the context of the establishment of a controller in the Union.
  • D. It is engaging in commercial activities conducted in the Union.

Answer: B


NEW QUESTION 121
Which of the following would NOT be relevant when determining if a processing activity would be considered profiling?

  • A. If the processing of the data is done through automated means
  • B. If the processing involves data that is considered personal data
  • C. If the processing is used to predict the behavior of data subjects
  • D. If the processing is to be performed by a third-party vendor

Answer: C


NEW QUESTION 122
Under the Data Protection Law Enforcement Directive of the EU, a government can carry out covert investigations involving personal data, as long as it is set forth by law and constitutes a measure that is both necessary and what?

  • A. DPA-approved.
  • B. Important.
  • C. Proportionate.
  • D. Prudent.

Answer: C


NEW QUESTION 123
Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?

  • A. To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation.
  • B. The European Commission can adopt an adequacy decision for individual companies.
  • C. The European Commission can adopt, repeal or amend an existing adequacy decision.
  • D. EU member states are vested with the power to accept or reject a European Commission adequacy decision.

Answer: B


NEW QUESTION 124
A law enforcement agency subpoenas the ACME telecommunications company for access to the text message records of a person suspected of planning a terrorist attack. The company had previously encrypted its text message records so that only the suspect could access this data.
What law did ACME violate by designing the service to prevent access to the information by a law enforcement agency?

  • A. SCA
  • B. ECPA
  • C. USA Freedom Act
  • D. CALEA

Answer: D


NEW QUESTION 125
Which entities must comply with the Telemarketing Sales Rule?

  • A. For-profit and not-for-profit organizations when selling additional services to established customers
  • B. For-profit organizations calling businesses when a binding contract exists between them
  • C. For-profit organizations and for-profit telefunders regarding charitable solicitations
  • D. Nonprofit organizations calling on their own behalf

Answer: A


NEW QUESTION 126
......