Exam CIPP-US topic 1 question 21 discussion

Actual exam question from IAPP's CIPP-US
Question #: 21
Topic #: 1

SCENARIO -
Please use the following to answer the next question:
A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer’s data handling practices.
The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: “Please act immediately by identifying all personal data received from our company.”
This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup’s rapid market penetration.
As the Company’s data privacy leader, you are sensitive to the criticality of the relationship with the retailer.
Under the General Data Protection Regulation (GDPR), how would the U.S.-based startup company most likely be classified?

  • A. As a data supervisor
  • B. As a data processor
  • C. As a data controller
  • D. As a data manager
Suggested Answer: C

Comments

Supp2023
Highly Voted 1 year, 9 months ago
"Data supervisor" is not a recognized term under the GDPR. The correct answer is C: as a data controller. The GDPR defines a data controller as the entity that determines the purposes, conditions, and means of the processing of personal data. In the given scenario, the US-based startup company is selling a new gaming application and would likely be considered a data controller as it determines the purposes and means of processing personal data of its users.
upvoted 7 times
...
447bcdc
Most Recent 2 weeks, 5 days ago
Selected Answer: B
b. As a data processor Under the GDPR, a data processor is an entity that processes personal data on behalf of a data controller. In this scenario, the US-based startup company is likely processing personal data (such as user data) on behalf of the EU-based retailer. The retailer, as the entity determining the purposes and means of processing personal data, would be classified as the data controller. Therefore, the US-based startup company, while handling personal data, is doing so under the instructions of the EU-based retailer, making it a data processor.
upvoted 1 times
...
fightingpotato
2 months, 1 week ago
Selected Answer: C
Under the General Data Protection Regulation (GDPR), the U.S.-based startup company would most likely be classified as C. As a data controller. This is because the startup determines the purposes and means of processing personal data received from the EU-based retailer. Even though the retailer is also involved, the startup's role in handling that data typically aligns with that of a data controller.
upvoted 1 times
...
twiny
3 months, 3 weeks ago
The biggest problem with this question is the wording of its scenario, specifically the first sentence: "A US-based startup company is selling a new gaming application", with the word "selling" being the biggest cause of confusion. However, reading the rest of the scenario, one can infer that the startup is not actually "selling" the game (or the gaming application). It's the European retailer/partner who is selling the game. The US-based startup develops the game and sells it through its retailers, one of which is in Europe. So, the US startup does not collect any customer data. It's the EU retailer who does that and transfers it to the US startup. Therefore, the EU retailer is the data controller, and the US startup is the data processor. Hence, the correct answer is "B. As a data processor." The answer provided by the author, "A. As a data supervisor", is incorrect because "Data supervisor" is not a term used in the GDPR. GDPR is very strict in its language; therefore, assuming that Supervisor and Controller can be used interchangeably shows poor judgment.
upvoted 2 times
...
Bhimesh
8 months, 3 weeks ago
Selected Answer: B
The answer should be B: The controller is an EU-based retail partner and their letter says: "The letter closes with an urgent request: “Please act immediately by identifying all personal data received from our company.”"
upvoted 2 times
Bhimesh
8 months, 1 week ago
Correction - Option C
upvoted 1 times
...
...
BM9904
10 months, 2 weeks ago
Selected Answer: C
Data controller is an organization that has the authority to decide how and why personal information is to be processed. This entity is the focus of most obligations under privacy and data protection laws
upvoted 2 times
...
Buki007
10 months, 3 weeks ago
Under the GDPR the company would be determined as a controller since they control the means and the use of the personal data that is collected and shared with their retail partner.
upvoted 1 times
...
Romeokton
11 months ago
Selected Answer: C
I also think it is C.
upvoted 2 times
...
jjjrbm
1 year, 1 month ago
Correct answer is C. Data Controller
upvoted 2 times
...
PrivacyICU
1 year, 3 months ago
Selected Answer: B
Processor is the answer and correct based on the fact that the EU retailer was collecting consents and sending data internationally to US. The distractor of lack of consent and the instruction somehow implied that it now needs to be adhered to by the processor despite controller EU Retailer messing up should be mindfully sidestepped. Supervisor and Controller are synonymous with both terms used in the GDPR. Data manager is not a term used in GDPR.
upvoted 1 times
...
testaking917
1 year, 3 months ago
Must be processor because they do not collect the data directly but the retailer does that
upvoted 3 times
...
Savaage
1 year, 9 months ago
The prompt says that the video game company received data from the retailer, making it the Data Processor.
upvoted 4 times
...
Robb17
1 year, 9 months ago
Data processor
upvoted 2 times
...
cpr14
1 year, 10 months ago
So what's the correct answer?
upvoted 2 times
...
Lisawood
1 year, 10 months ago
There is no data supervisor under GDPR.
upvoted 1 times
Testtaker719
1 year, 10 months ago
Is the suggested answer valid although no equivalent role under GDPR but does apply to US?
upvoted 1 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted