Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
exam questions

Exam CIPP-E All Questions

View all questions & answers for the CIPP-E exam

Exam CIPP-E topic 1 question 57 discussion

Actual exam question from IAPP's CIPP-E
Question #: 57
Topic #: 1
[All CIPP-E Questions]

SCENARIO -
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.
Under the GDPR, Liem and EcoMick’s contract with MarketIQ must include all of the following provisions EXCEPT?

  • A. Processing the personal data upon documented instructions regarding data transfers outside of the EEA.
  • B. Notification regarding third party requests for access to Liem and EcoMick’s personal data.
  • C. Assistance to Liem and EcoMick in their compliance with data protection impact assessments.
  • D. Returning or deleting personal data after the end of the provision of the services.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️

Comments

Chosen Answer:
This is a voting comment (?).
Switch to a voting comment New
semilias
Highly Voted 1 year, 11 months ago
should be answer B. GDPR article 28.3.A descirbes answer A 28.3.F describes answer C 28.3.G describes answer D ( so clearly stating That contract or other legal act shall stipulate 'at the choice of the controller, deletes or returns all the personal data to the controller...'
upvoted 14 times
...
Ssourav
Most Recent 4 months ago
Selected Answer: B
B. Notification regarding third party requests for access to Liem and EcoMick’s personal data. GDPR Article Reference: Article 28(3): The contract or other legal act between the controller and processor shall stipulate, in particular, that the processor shall: (a) process the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization; (c) assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor; (e) at the choice of the controller, delete or return all the personal data to the controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data.
upvoted 1 times
...
58ad832
6 months, 3 weeks ago
Selected Answer: B
GDPR article 28.3.A descirbes answer A 28.3.F describes answer C 28.3.G describes answer D. I agree with Semilas
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...