exam questions

Exam CIPP-US All Questions

View all questions & answers for the CIPP-US exam

Exam CIPP-US topic 1 question 19 discussion

Actual exam question from IAPP's CIPP-US
Question #: 19
Topic #: 1
[All CIPP-US Questions]

SCENARIO -
Please use the following to answer the next question:
A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer’s data handling practices.
The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: “Please act immediately by identifying all personal data received from our company.”
This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup’s rapid market penetration.
As the Company’s data privacy leader, you are sensitive to the criticality of the relationship with the retailer.
At this stage of the investigation, what should the data privacy leader review first?

  • A. Available data flow diagrams
  • B. The text of the original complaint
  • C. The company’s data privacy policies
  • D. Prevailing regulation on this subject
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
d654514
6 days, 12 hours ago
Selected Answer: A
At this stage of the investigation, the data privacy leader should review A. Available data flow diagrams.
upvoted 1 times
...
fightingpotato
2 months, 1 week ago
Selected Answer: A
At this stage of the investigation, the data privacy leader should review A. Available data flow diagrams. This will help identify all personal data received from the EU-based retailer, understand how that data is processed and stored, and ensure compliance with the supervisory authority’s request. Understanding the data flows is crucial for responding effectively to the investigation and mitigating potential risks.
upvoted 2 times
...
twiny
3 months, 3 weeks ago
All options are plausible correct answers. However, the key to answering this question lies in the following sentence: “The letter closes with an urgent request: 'Please act immediately by identifying all personal data received from our company.'” And the question explicitly asks about the "first" step: "At this stage of the investigation, what should the data privacy leader review first?" Therefore, to help their European retailer/partner, reviewing the available data flow diagrams would be the first step for the data privacy leader. By reviewing the data flows, the data privacy leader will be able to identify the data received from the partner and respond to them accordingly, thus addressing the point asked by the question.
upvoted 1 times
...
Bhimesh
8 months, 3 weeks ago
Selected Answer: D
Should be D. Prevailing regulation on this subject
upvoted 1 times
...
Buki007
11 months, 2 weeks ago
The answer is D. If you look at A, what if we review the Data flows and later find out that the regulation does not apply to us?
upvoted 1 times
...
jjjrbm
1 year, 1 month ago
B makes sense as well. Several of the options are reasonable
upvoted 3 times
...
PrivacyICU
1 year, 3 months ago
Selected Answer: D
D makes sense because you want to understand the law before you apply it to your case.
upvoted 1 times
...
smp175
1 year, 5 months ago
Does anyone have any additional information on why the answer is D and not A? It seems that identifying categories of PII received would be fine, and therefore reviewing data flows would be the first step. Is it because the prompt specifically states "identifying all personal data", which implies such data would not be anonymized, and therefore prevailing regulation should be reviewed before providing such PII?
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago