
Latest CIPP-C Pass Guaranteed Exam Dumps with Accurate & Updated Questions [Q99-Q116]


CIPP-C Exam Brain Dumps - Study Notes and Theory

NEW QUESTION 99
SCENARIO
Looking back at your first two years as the Director of Personal Information Protection and Compliance for the Berry Country Regional Medical Center in Thorn Bay, Ontario, Canada, you see a parade of accomplishments, from developing state-of-the-art simulation-based training for employees on privacy protection to establishing an interactive medical records system that is accessible by patients as well as by the medical personnel. Now, however, a question you have put off looms large: how do we manage all the data, not only records produced recently, but those still on hand from years ago? A data flow diagram generated last year shows multiple servers, databases, and workstations, many of which hold files that have not yet been incorporated into the new records system. While most of this data is encrypted, its persistence may pose security and compliance concerns. The situation is further complicated by several long-term studies being conducted by the medical staff using patient information. Having recently reviewed the major Canadian privacy regulations, you want to make certain that the medical center is observing them.
You also recall a recent visit to the Records Storage Section, often termed "The Dungeon" in the basement of the old hospital next to the modern facility, where you noticed a multitude of paper records. Some of these were in crates marked by years, medical condition or alphabetically by patient name, while others were in undifferentiated bundles on shelves and on the floor. The back shelves of the section housed data tapes and old hard drives that were often unlabeled but appeared to be years old. On your way out of the dungeon, you noticed just ahead of you a small man in a lab coat who you did not recognize. He carried a batch of folders under his arm, apparently records he had removed from storage.
Which data lifecycle phase needs the most attention at this Ontario medical center?

  • A. Retention
  • B. Collection
  • C. Disclosure
  • D. Use

Answer: A

 

NEW QUESTION 100
Under the GDPR, which essential pieces of information must be provided to data subjects before collecting their personal data?

  • A. The identity and contact details of the controller and the reasons the data is being collected.
  • B. The name/s of relevant government agencies involved and the steps needed for revising the data.
  • C. The contact information of the controller and a description of the retention policy.
  • D. The authority by which the controller is collecting the data and the third parties to whom the data will be sent.

Answer: A

 

NEW QUESTION 101
A key component of the OECD Guidelines is the "Individual Participation Principle". What parts of the General Data Protection Regulation (GDPR) provide the closest equivalent to that principle?

  • A. The information requirements set out in Articles 13 and 14
  • B. The lawful processing criteria stipulated by Articles 6 to 9
  • C. The rights granted to data subjects under Articles 12 to 22
  • D. The breach notification requirements specified in Articles 33 and 34

Answer: C

 

NEW QUESTION 102
SCENARIO
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn't prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.
The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan We-Text-U. Once the company has gathered enough pre-registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company's app, like storage and sharing of DNA information with other applications and medical providers. The company's contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers' attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn't include any technology or infrastructure; rather, it's simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob's laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.
If Who-R-U adopts the We-Track-U pilot plan, why is it likely to be subject to the territorial scope of the GDPR?

  • A. It is engaging in commercial activities conducted in the Union.
  • B. Its plan would be in the context of the establishment of a controller in the Union.
  • C. It would be offering goods or services to data subjects in the Union.
  • D. It is monitoring the behavior of data subjects in the Union.

Answer: D

 

NEW QUESTION 103
SCENARIO
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn't prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.
The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan We-Text-U. Once the company has gathered enough pre-registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company's app, like storage and sharing of DNA information with other applications and medical providers. The company's contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers' attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn't include any technology or infrastructure; rather, it's simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob's laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.
The Customer for Life plan may conflict with which GDPR provision?

  • A. Article 20, which gives data subjects a right to data portability.
  • B. Article 16, which provides data subjects with a right to rectification.
  • C. Article 6, which requires processing to be lawful.
  • D. Article 7, which requires consent to be as easy to withdraw as it is to give.

Answer: D

 

NEW QUESTION 104
SCENARIO
Please use the following to answer the next question:
TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company's outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.'s foundering business.
During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed questionnaires, which could be used to tailor their preferences to specific travel destinations.
TripBliss Inc. can choose any number of data categories - age, income, ethnicity - that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the questionnaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website's traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website's effectiveness. Oliver enthusiastically engages Techiva for these services.
Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.'s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva's system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company's system of access control must be reconsidered.
After Leon has informed his manager, what is Techiva's legal responsibility as a processor?

  • A. They must report it to TripBliss Inc.
  • B. They must conduct a full systems audit.
  • C. They must report it to the supervisory authority.
  • D. They must inform customers who have used the website.

Answer: B

 

NEW QUESTION 105
A U.S.-based online shop uses sophisticated software to track the browsing behavior of its European customers and predict future purchases. It also shares this information with third parties. Under the GDPR, what is the online shop's PRIMARY obligation while engaging in this kind of profiling?

  • A. It must prove that it uses sufficient security safeguards to protect customer data
  • B. It must solicit informed consent through a notice on its website
  • C. It must be able to demonstrate a prior business relationship with the customers
  • D. It must seek authorization from the European supervisory authorities

Answer: B

 

NEW QUESTION 106
SCENARIO
Please use the following to answer the next question:
TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company's outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.'s foundering business.
During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed questionnaires, which could be used to tailor their preferences to specific travel destinations.
TripBliss Inc. can choose any number of data categories - age, income, ethnicity - that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the questionnaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website's traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website's effectiveness. Oliver enthusiastically engages Techiva for these services.
Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.'s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva's system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company's system of access control must be reconsidered.
With regard to TripBliss Inc.'s use of website cookies, which of the following statements is correct?

  • A. Because Techiva will receive only aggregate statistics of data collected from the cookies, no additional consent is necessary.
  • B. Because not all of the cookies are strictly necessary to enable the use of a service requested from TripBliss Inc., consent requirements apply to their use of cookies.
  • C. Because of the categories of data involved, explicit consent for the use of cookies must be obtained separately from customers.
  • D. Because the use of cookies involves the potential for location tracking, explicit consent must be obtained from customers.

Answer: C

 

NEW QUESTION 107
More than half of U.S. states require telemarketers to?

  • A. Provide written contracts for customer transactions
  • B. Obtain written consent from potential customers
  • C. Identify themselves at the beginning of a call
  • D. Register with the state before conducting business

Answer: A

 

NEW QUESTION 108
A Spanish electricity customer calls her local supplier with questions about the company's upcoming merger.
Specifically, the customer wants to know the recipients to whom her personal data will be disclosed once the merger is final. According to Article 13 of the GDPR, what must the company do before providing the customer with the requested information?

  • A. Verify that the personal data has not already been sent to the customer.
  • B. Verify that the identity of the customer can be proven by other means.
  • C. Verify that the purpose of the request from the customer is in line with the GDPR.
  • D. Verify that the request is applicable to the data collected before the GDPR entered into force.

Answer: D

 

NEW QUESTION 109
What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014?

  • A. The requirements affected individuals without exception.
  • B. The requirements had limitations on how national authorities could use data.
  • C. The requirements specified that data must be held within the EU.
  • D. The requirements were financially burdensome to EU businesses.

Answer: B

 

NEW QUESTION 110
What is true if an employee makes an access request to his employer for any personal data held about him?

  • A. The employer can decline the request if the information is only held electronically.
  • B. The employer must supply any information held about an employee unless an exemption applies.
  • C. The employer must supply all the information held about the employee.
  • D. The employer can automatically decline the request if it contains personal data about a third person.

Answer: B

 

NEW QUESTION 111
Which is TRUE about the scope and authority of data protection oversight authorities?

  • A. The Office of the Privacy Commissioner (OPC) of Canada has the right to impose financial sanctions on violators
  • B. All authority in the European Union rests with the Data Protection Commission (DPC)
  • C. No one agency officially oversees the enforcement of privacy regulations in the United States
  • D. The Asia-Pacific Economic Cooperation (APEC) Privacy Frameworks require all member nations to designate a national data protection authority

Answer: A

 

NEW QUESTION 112
Many businesses print their employees' photographs on building passes, so that employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GDPR. Why would such practice be permitted?

  • A. Because use of biometric data to confirm the unique identification of data subjects benefits from an exemption.
  • B. Because employees are deemed to have given their explicit consent when they agree to be photographed by their employer.
  • C. Because photographs qualify as biometric data only when they undergo a "specific technical processing".
  • D. Because photographic ID is a physical security measure which is "necessary for reasons of substantial public interest".

Answer: C

Explanation:
Reference: https://ess.csa.canon.com/rs/206-CLL-191/images/IAPP-Top-10-Operational-Impacts-of-GDPR.pdf?TC=DM&CN=CSA_OMNIA_Partners&CS=CSA&CR=T1_Gov%20GenNonProfit (11)

 

NEW QUESTION 113
Which GDPR requirement will present the most significant challenges for organizations with Bring Your Own Device (BYOD) programs?

  • A. Personal data of data subjects must always be accurate and kept up to date.
  • B. Processing of special categories of personal data on a large scale requires appointing a DPO.
  • C. Data controllers must be in control of the data they hold at all times.
  • D. Data subjects must be sufficiently informed of the purposes for which their personal data is processed.

Answer: C

 

NEW QUESTION 114
Which GDPR principle would a Spanish employer most likely depend upon to annually send the personal data of its employees to the national tax authority?

  • A. The protection of the vital interest of the employees.
  • B. The legal obligation of the employer.
  • C. The consent of the employees.
  • D. The legitimate interest of the public administration.

Answer: B

 

NEW QUESTION 115
Article 5(1)(b) of the GDPR states that personal data must be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes." Based on Article 5(1)(b), what is the impact of a member state's interpretation of the word "incompatible"?

  • A. It dictates the level of security a processor must follow when using and storing personal data for two different purposes.
  • B. It guides the courts on the severity of the consequences for those who are convicted of the intentional misuse of personal data.
  • C. It indicates the degree of flexibility a controller has in using personal data in ways that may vary from its original intended purpose.
  • D. It sets the standard for the level of detail a controller must record when documenting the purpose for collecting personal data.

Answer: A

 

NEW QUESTION 116
......
