exam questions

Exam CIPP-E All Questions

View all questions & answers for the CIPP-E exam

Exam CIPP-E topic 1 question 154 discussion

Actual exam question from IAPP's CIPP-E
Question #: 154
Topic #: 1
[All CIPP-E Questions]

SCENARIO -
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn’t prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.
The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre-registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company’s app, like storage and sharing of DNA information with other applications and medical providers. The company’s contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers’ attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn’t include any technology or infrastructure; rather, it’s simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.
Who-R-U is NOT required to notify the local German DPA about the laptop theft because?

  • A. The company isn’t a controller established in the Union.
  • B. The laptop belonged to a company located in Canada.
  • C. The data isn’t considered personally identifiable financial information.
  • D. There is no evidence that the thieves have accessed the data on the laptop.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Claire0911
Highly Voted 1 year, 2 months ago
DPAs can regulate Cs and Ps established in their territory and since the company is not established in Germany, it may not be required to report to the local DPA. Hence, the answer should be A. As for B, even if the computer belongs to a company in Canada, if the company's main establishment is in Germany, it may still be required to report to German DPA.
upvoted 5 times
...
72d0a83
Most Recent 3 weeks, 2 days ago
Selected Answer: A
A. The company isn’t a controller established in the Union In this scenario, Who-R-U is a Canadian company with no current business operations in the EU and all its customers are Canadian.
upvoted 1 times
...
7f814c6
5 months, 1 week ago
Selected Answer: A
Should be A. The GDPR requires notification of a data breach to the relevant DPA if the breach is likely to result in a risk to the rights and freedoms of natural persons, and this applies to controllers established in the Union or those offering goods or services to or monitoring the behavior of data subjects in the Union. In this scenario, Who-R-U is a Canadian company with no current business operations in the EU and all its customers are Canadian.
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago