IAPP CIPP-C問題集

質問 1：
Which of the following describes a mandatory requirement for a group of undertakings that wants to appoint a single data protection officer?
A. The group of undertakings must be comprised of organizations of similar sizes and functions.
B. The group of undertakings must obtain approval from a supervisory authority.
C. The data protection officer must be easily accessible from each establishment where the undertakings are located.
D. The data protection officer must be located in the country where the data controller has its main establishment.
正解：C

質問 2：
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Ontario University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
* Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
* Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
* Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees.
These records are available to former students after registering through Ontario's Alumni portal.
Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
* Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Anna will find that a risk analysis is NOT necessary in this situation as long as?
A. The processing will not negatively affect the rights of the data subjects
B. The data subjects are no longer current students of Frank's
C. The algorithms that Frank uses for the processing are technologically sound
D. The data subjects gave their unambiguous consent for the original processing
正解：D

質問 3：
In which of the following cases, cited as an example by a WP29 guidance, would conducting a single data protection impact assessment to address multiple processing operations be allowed?
A. A medical organization that wants to begin genetic testing to support earlier research for which they have performed a DPIA.
B. A marketing team that wants to collect mailing addresses of customers for whom they already have email addresses.
C. A data controller who plans to use a new technology product that has already undergone a DPIA by the product's provider.
D. A railway operator who plans to evaluate the same video surveillance in all the train stations of his company.
正解：D

質問 4：
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children's Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well.
The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a QUESTION, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though that the toy is actually responding to the child's QUESTION. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.
In light of the requirements of Article 32 of the GDPR (related to the Security of Processing), which practice should the company institute?
A. Insert contractual clauses into the contract between the toy manufacturer and the cloud service provider, since South Africa is outside the European Union.
B. Include dual-factor authentication before each use by a child in order to ensure a minimum amount of security.
C. Encrypt the data in transit over the wireless Bluetooth connection.
D. Include three-factor authentication before each use by a child in order to ensure the best level of security possible.
正解：C

質問 5：
Which is the best way to view an organization's privacy framework?
A. As an aspirational goal that improves the organization
B. As an industry benchmark that can apply to many organizations
C. As a fixed structure that directs changes in the organization
D. As a living structure that aligns to changes in the organization
正解：C

質問 6：
Which marketing-related activity is least likely to be covered by the provisions of Privacy and Electronic Communications Regulations (Directive 2002/58/EC)?
A. A text message to individuals from a company offering concert tickets for sale.
B. An email from a retail outlet promoting a sale to one of their previous customer.
C. Advertisements passively displayed on a website.
D. The use of cookies to collect data about an individual.
正解：C

質問 7：
SCENARIO
Please use the following to answer the next question:
T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies.
T-Craze also opened various office locations throughout Europe to help expand its business. While Germany Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T- Craze, though with much less success.
The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from the Right Target on behalf of T-Craze.
What is the best option for the lead regulator when responding to the Spanish supervisory authority's notice that it plans to take action regarding Sofia's complaint?
A. Reject, because GDPR does not allow other supervisory authorities to take action if there is a lead authority.
B. Reject, because Right Target's processing was conducted throughout Europe.
C. Accept, because GDPR permits non-lead authorities to take action for such complaints.
D. Accept, because it did not receive any complaints.
正解：A

質問 8：
Under the GDPR, who would be LEAST likely to be allowed to engage in the collection, use, and disclosure of a data subject's sensitive medical information without the data subject's knowledge or consent?
A. A journalist writing an article relating to the medical condition in QUESTION, who believes that the publication of such information is in the public interest.
B. A member of the judiciary involved in adjudicating a legal dispute involving the data subject and concerning the health of the data subject.
C. A public authority responsible for public health, where the sharing of such information is considered necessary for the protection of the general populace.
D. A health professional involved in the medical care for the data subject, where the data subject's life hinges on the timely dissemination of such information.
正解：C

質問 9：
SCENARIO
Please use the following to answer the next question:
The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron's marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task.
At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron's legal department.
Registration Form
Vigotron's new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.) Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron's cloud provider, Stratculous. (Read more about Stratculous here.) Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer's name, email address or any other information gathered from the app to any third- party without a customer's consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer's legal rights or protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)
* First name:
* Surname:
* Year of birth:
* Email:
* Physical Address (optional*):
* Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to [email protected] or send a letter with your request to the address listed at the bottom of this page.
Terms and Conditions
1.Jurisdiction. [...]
2.Applicable law. [...]
3.Limitation of liability. [...]
Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.
Emily sends the draft to Sam for review. Which of the following is Sam most likely to point out as the biggest problem with Emily's consent provision?
A. Processing health data requires explicit consent, but the form does not ask for explicit consent.
B. Direct marketing requires explicit consent, whereas the registration form only provides for a right to object
C. It is not legal to include fields requiring information regarding health status without consent.
D. The provision of the fitness app should be made conditional on the consent to the data processing for direct marketing.
正解：B

一年間無料で問題集をアップデートするサービスを提供します。

弊社の商品をご購入になったことがあるお客様に一年間の無料更新サービスを提供いたします。弊社は毎日問題集が更新されたかどうかを確認しますから、もし更新されたら、弊社は直ちに最新版のCIPP-C問題集をお客様のメールアドレスに送信いたします。ですから、試験に関連する情報が変わったら、あなたがすぐに知ることができます。弊社はお客様がいつでも最新版のIAPP CIPP-C学習教材を持っていることを保証します。

弊社は無料でCertified Information Privacy Professional試験のDEMOを提供します。

Pass4Testの試験問題集はPDF版とソフト版があります。PDF版のCIPP-C問題集は印刷されることができ、ソフト版のCIPP-C問題集はどのパソコンでも使われることもできます。両方の問題集のデモを無料で提供し、ご購入の前に問題集をよく理解することができます。

簡単で便利な購入方法：ご購入を完了するためにわずか2つのステップが必要です。弊社は最速のスピードでお客様のメールボックスに製品をお送りします。あなたはただ電子メールの添付ファイルをダウンロードする必要があります。

領収書について：社名入りの領収書が必要な場合には、メールで社名に記入して頂き送信してください。弊社はPDF版の領収書を提供いたします。

タグ：CIPP-C問題集、CIPP-C、CIPP-C、CIPP-C、CIPP-C、CIPP-C、CIPP-C、CIPP-C、CIPP-C、CIPP-C