
Updated Free IAPP CIPP-US Test Engine Questions with 170 Q&As
The Best Certified Information Privacy Professional CIPP-US Professional Exam Questions
Earning the CIPP-US certification demonstrates a high level of knowledge and expertise in U.S. privacy laws and regulations, which is increasingly important in today's digital age. Certified Information Privacy Professional/United States (CIPP/US) certification also provides professionals with a competitive advantage in the job market and can lead to higher salaries and career advancement opportunities.
Training Course for Actual Testing
The IAPP CIPP-US exam training course, ‘Learn to Navigate the Details of US Privacy Law with Skill and Confidence’, teaches candidates how to navigate US privacy law and is globally recognized. US privacy law as a whole is made up of federal, state, and local laws, so the course educates privacy specialists on how to align their practice with all of these laws, and helps them avoid fines and damage to their brands. A class like this is ideal for data privacy specialists who need deep training on US data privacy law, and for individuals aiming at the CIPP-US designation. The training covers US data privacy law at the national, state, and local levels, analyses sectoral regulations and the enforcement of the laws in both the criminal and civil spheres, and includes a look at the EU General Data Protection Regulation and the California Consumer Privacy Act. Some of the domains covered are:
- Accessibility of data to the government and judiciary;
- Private sector data collection, usage, and limits;
- The privacy environment in the US;
- Privacy at the workplace.
All in all, a candidate can take the course through online classes, virtual classes, in-person learning sessions, or group lessons.
How much does the IAPP CIPP-US: Certified Information Privacy Professional/United States (CIPP/US) exam cost?
The IAPP CIPP-US: Certified Information Privacy Professional/United States (CIPP/US) exam costs $550 USD and the retake fee is $375 USD; for more information, visit the official IAPP website.
NEW QUESTION # 44
The rules for "e-discovery" mainly prevent which of the following?
- A. A conflict between business practice and technological safeguards
- B. A breach of an organization's data retention program
- C. The practice of employees using personal devices for work
- D. The loss of information due to poor data retention practices
Answer: D
NEW QUESTION # 45
Why was the Privacy Protection Act of 1980 drafted?
- A. To protect individuals from personal privacy invasion by the police
- B. To assist prosecutors in civil litigation against newspaper companies
- C. To assist in the prosecution of white-collar crimes
- D. To respond to police searches of newspaper facilities
Answer: D
Explanation:
The PPA does protect individuals, but it was drafted in direct response to the Zurcher decision. In 1978, the U.S. Supreme Court ruled in Zurcher v. Stanford Daily that law enforcement could obtain search warrants to search newsrooms for evidence related to criminal activities. This decision raised concerns that such searches could impede the ability of journalists to do their jobs and gather information without fear of government interference; the PPA responded by generally requiring the government to use a subpoena, rather than a search warrant, to obtain work product and documentary materials held by those who intend to publish.
NEW QUESTION # 46
What is the main reason some supporters of the European approach to privacy are skeptical about self-regulation of privacy practices?
- A. A new business owner may not understand the regulations
- B. A large amount of money may have to be spent on improved technology and security
- C. Industries may not be strict enough in the creation and enforcement of rules
- D. Human rights may be disregarded for the sake of privacy
Answer: C
NEW QUESTION # 47
Which statement is FALSE regarding the provisions of the Employee Polygraph Protection Act of 1988 (EPPA)?
- A. The EPPA includes an exception that allows polygraph tests in professions in which employee honesty is necessary for public safety.
- B. Employers are prohibited from administering psychological testing based on personality traits such as honesty, preferences or habits.
- C. Employers involved in the manufacture of controlled substances may terminate employees based on polygraph results if other evidence exists.
- D. The EPPA requires that employers post essential information about the Act in a conspicuous location.
Answer: B
NEW QUESTION # 48
The use of cookies on a website by a service provider is generally not deemed a 'sale' of personal information by CCPA, as long as which of the following conditions is met?
- A. The analytics cookies placed by the service provider are capable of being tracked but cannot be linked to a particular consumer of that business.
- B. The service provider retains personal information obtained in the course of providing the services specified in the agreement with the subcontractors.
- C. The information collected by the service provider is necessary to perform debugging and the business and service provider have entered into an appropriate agreement.
- D. The third party stores personal information to trigger a response to a consumer's request to exercise their right to opt in.
Answer: C
Explanation:
The California Consumer Privacy Act (CCPA) defines a 'sale' of personal information as any transfer or disclosure of personal information to another business or third party for monetary or other valuable consideration. However, the CCPA also provides some exceptions to this definition, such as:
* If the consumer has directed the business to intentionally disclose the personal information or use the personal information to interact with a third party, provided the third party does not also sell the personal information.
* If the business transfers the personal information to a service provider that is contractually prohibited from retaining, using, or disclosing the personal information for any purpose other than performing the services specified in the contract with the business.
* If the business transfers the personal information to a third party as part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided the information is used or shared consistently with the CCPA.
The use of cookies on a website by a service provider is generally not deemed a sale of personal information under the CCPA, as long as the information collected by the service provider is necessary to perform the services specified in the contract with the business, and the service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose. One example of a valid business purpose is debugging to identify and repair errors that impair existing intended functionality.
Therefore, option C is the correct answer, as it describes a scenario where the use of cookies by a service provider is not a sale of personal information under the CCPA, assuming the service provider complies with its contractual obligations and does not further use or disclose the information.
Option A is incorrect, as it does not describe a valid exception to the definition of a sale. The CCPA defines personal information broadly to include any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, so analytics cookies that can be tracked may still fall within the scope of personal information, and their use by the service provider may still be a sale unless one of the exceptions applies.
Option B is incorrect, as it does not describe a valid exception to the definition of a sale. A service provider that retains personal information under its agreements with subcontractors is not acting as a service provider to the business, but as a separate entity that may have its own interest in the personal information; the agreement with the subcontractors does not imply that the business has authorized the service provider to retain, use, or disclose the personal information for any purpose other than performing the services specified in its contract with the business.
Option D is incorrect, as it does not describe a valid exception to the definition of a sale. A third party that stores personal information to trigger a response to a consumer's request to opt in is not acting as a service provider, but as a separate entity that may have its own interest in the personal information, and the consumer's request to opt in does not necessarily mean the consumer has directed the business to disclose the personal information to that third party.
References:
* [IAPP CIPP/US Study Guide], Chapter 10: California Consumer Privacy Act, pp. 223-226.
* CIPP/US Practice Questions (Sample Questions), Question 30.
NEW QUESTION # 49
The "Consumer Privacy Bill of Rights" presented in a 2012 Obama administration report is generally based on?
- A. Traditional fair information practices
- B. The 1974 Privacy Act
- C. European Union Directive
- D. Common law principles
Answer: A
Explanation:
The 2012 White House report, Consumer Data Privacy in a Networked World, states that the Consumer Privacy Bill of Rights is based on the Fair Information Practice Principles (FIPPs), adapted to the commercial internet. It is not derived from the 1974 Privacy Act, the EU Directive, or the common law.
NEW QUESTION # 50
Which venture would be subject to the requirements of Section 5 of the Federal Trade Commission Act?
- A. A national bank's no-fee checking promotion
- B. A city bus system's frequent rider program
- C. An online merchant's free shipping offer
- D. A local nonprofit charity's fundraiser
Answer: C
Explanation:
Section 5 of the Federal Trade Commission Act (FTC Act) prohibits "unfair or deceptive acts or practices in or affecting commerce."1 The prohibition applies to persons, partnerships and corporations engaged in commerce, but the Act carves certain entities out of FTC jurisdiction, including banks, common carriers and nonprofit organizations (the Act reaches corporations organized to carry on business for their own profit or that of their members).2 A national bank's promotion, a city bus system's program and a local charity's fundraiser therefore fall outside Section 5; among the four options, only the online merchant's free shipping offer is a commercial activity subject to it, since it could mislead or harm consumers. For example, if the online merchant fails to disclose the terms and conditions of the offer, charges hidden fees, or delivers the products late or damaged, it could violate Section 5 by engaging in a deceptive practice.3 References: 1: Section 5 | Federal Trade Commission; 2: Federal Trade Commission Act Section 5: Unfair or Deceptive Acts or Practices, page 1; 3: IAPP CIPP/US Certified Information Privacy Professional Study Guide, page 23.
NEW QUESTION # 51
Which of the following is NOT a principle found in the APEC Privacy Framework?
- A. Integrity of Personal Information.
- B. Privacy by Design.
- C. Access and Correction.
- D. Preventing Harm.
Answer: B
Explanation:
Explanation/Reference: The APEC Privacy Framework sets out nine information privacy principles: Preventing Harm, Notice, Collection Limitation, Uses of Personal Information, Choice, Integrity of Personal Information, Security Safeguards, Access and Correction, and Accountability. Privacy by Design is not among them.
https://www.apec.org/-/media/APEC/Publications/2016/11/2016-CTI-Report-to-Ministers/TOC/Appendix-17-Updates-to-the-APEC-Privacy-Framework.pdf
NEW QUESTION # 52
According to Section 5 of the FTC Act, self-regulation primarily involves a company's right to do what?
- A. Appeal decisions made against it
- B. Adhere to its industry's code of conduct
- C. Decide if any enforcement actions are justified
- D. Determine which bodies will be involved in adjudication
Answer: B
Explanation:
See IAPP book, Section 3.10, paragraph 2.
NEW QUESTION # 53
SCENARIO
Please use the following to answer the next QUESTION:
Larry has become increasingly dissatisfied with his telemarketing position at SunriseLynx, and particularly with his supervisor, Evan. Just last week, he overheard Evan mocking the state's Do Not Call list, as well as the people on it. "If they were really serious about not being bothered," Evan said, "They'd be on the national DNC list. That's the only one we're required to follow. At SunriseLynx, we call until they ask us not to." Bizarrely, Evan requires telemarketers to keep records of recipients who ask them to call "another time." This, to Larry, is a clear indication that they don't want to be called at all. Evan doesn't see it that way.
Larry believes that Evan's arrogance also affects the way he treats employees. The U.S. Constitution protects American workers, and Larry believes that the rights of those at SunriseLynx are violated regularly. At first Evan seemed friendly, even connecting with employees on social media. However, following Evan's political posts, it became clear to Larry that employees with similar affiliations were the only ones offered promotions.
Further, Larry occasionally has packages containing personal-use items mailed to work. Several times, these have come to him already opened, even though his name was clearly marked. Larry thinks the opening of personal mail is common at SunriseLynx, and that Fourth Amendment rights are being trampled under Evan's leadership.
Larry has also been dismayed to overhear discussions about his coworker, Sadie. Telemarketing calls are regularly recorded for quality assurance, and although Sadie is always professional during business, her personal conversations sometimes contain sexual comments. This too is something Larry has heard Evan laughing about. When he mentioned this to a coworker, his concern was met with a shrug. It was the coworker's belief that employees agreed to be monitored when they signed on. Although personal devices are left alone, phone calls, emails and browsing histories are all subject to surveillance. In fact, Larry knows of one case in which an employee was fired after an undercover investigation by an outside firm turned up evidence of misconduct. Although the employee may have stolen from the company, Evan could have simply contacted the authorities when he first suspected something amiss.
Larry wants to take action, but is uncertain how to proceed.
Which act would authorize Evan's undercover investigation?
- A. The Whistleblower Protection Act
- B. The Stored Communications Act (SCA)
- C. The National Labor Relations Act (NLRA)
- D. The Fair and Accurate Credit Transactions Act (FACTA)
Answer: D
Explanation:
The Fair and Accurate Credit Transactions Act (FACTA) of 2003 amended the Fair Credit Reporting Act so that an employer may use an outside firm to investigate suspected employee misconduct, or violations of law or of employer policy, without first giving the employee notice or obtaining consent, provided the results are disclosed only to the employer and certain other parties and the employee receives a summary of the findings if adverse action is taken. The NLRA, the SCA and the Whistleblower Protection Act do not authorize such an investigation.
NEW QUESTION # 54
If an organization maintains data classified as high sensitivity in the same system as data classified as low sensitivity, which of the following is the most likely outcome?
- A. The organization will be able to address legal discovery requests efficiently without producing more information than necessary.
- B. Temporary employees will be able to find the data necessary to fulfill their responsibilities.
- C. The impact of an organizational data breach will be more severe than if the data had been segregated.
- D. The organization will still be in compliance with most sector-specific privacy and security laws.
Answer: C
Explanation:
Keeping high-sensitivity data in the same system as low-sensitivity data means that any breach of that system exposes the sensitive data as well, so the impact is more severe than if the data had been segregated. Commingled storage also makes it harder, not easier, to answer discovery requests without producing more information than necessary.
NEW QUESTION # 55
What was unique about the action that the Federal Trade Commission took against B.J.'s Wholesale Club in 2005?
- A. It was the first substantial U.S.-EU Safe Harbor enforcement.
- B. It made user consent mandatory after any revisions of policy.
- C. It was based on matters of fairness rather than deception.
- D. It made third-party audits a penalty for policy violations.
Answer: C
Explanation:
The Federal Trade Commission (FTC) is the primary federal agency that enforces consumer privacy and data security laws in the United States. The FTC has the authority to bring enforcement actions against businesses that engage in unfair or deceptive acts or practices that affect commerce, under Section 5 of the FTC Act.
Unfair acts or practices are those that cause or are likely to cause substantial injury to consumers that is not reasonably avoidable by consumers and is not outweighed by countervailing benefits to consumers or competition. Deceptive acts or practices are those that involve a material representation, omission, or practice that is likely to mislead consumers acting reasonably under the circumstances.
The FTC's action against B.J.'s Wholesale Club in 2005 was unique because it was based on matters of fairness rather than deception. The FTC alleged that B.J.'s Wholesale Club, a retailer that operates warehouse stores and gas stations, failed to provide reasonable security for the sensitive information of its customers, such as name, card number, and expiration date, that it collected from the magnetic stripes of credit and debit cards. The FTC claimed that this information was used by unauthorized persons to make millions of dollars of fraudulent purchases. The FTC did not allege that B.J.'s Wholesale Club made any false or misleading statements or omissions about its data security practices, but rather that its failure to take appropriate security measures was an unfair practice that violated Section 5 of the FTC Act. The FTC argued that B.J.'s Wholesale Club's lax security caused or was likely to cause substantial injury to consumers that was not reasonably avoidable by consumers and was not outweighed by any benefits to consumers or competition.
The FTC's action against B.J.'s Wholesale Club was one of the first cases in which the FTC used its unfairness authority to address data security issues, and it set a precedent for future enforcement actions against businesses that fail to protect consumer data. The settlement required B.J.'s Wholesale Club to implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years. References:
* FTC Complaint, Paragraphs 1-23
* FTC Agreement Containing Consent Order, Paragraphs 1-9
* FTC Analysis of Proposed Consent Order to Aid Public Comment, Pages 1-3
* [IAPP CIPP/US Study Guide], Pages 69-70
NEW QUESTION # 56
Which of the following is an example of federal preemption?
- A. The Payment Card Industry's (PCI) ability to self-regulate and enforce data security standards for payment card data.
- B. The U.S. Federal Trade Commission's (FTC) ability to enforce against unfair and deceptive trade practices across sectors and industries.
- C. The U.S. Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act prohibiting states from passing laws that impose greater obligations on senders of email marketing.
- D. The California Consumer Privacy Act (CCPA) regulating businesses that have no physical brick-and-mortar presence in California, but which do business there.
Answer: C
NEW QUESTION # 57
SCENARIO
Please use the following to answer the next QUESTION:
A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer's data handling practices.
The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: "Please act immediately by identifying all personal data received from our company." This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup's rapid market penetration.
As the Company's data privacy leader, you are sensitive to the criticality of the relationship with the retailer.
Upon review, the data privacy leader discovers that the Company's documented data inventory is obsolete. What is the data privacy leader's next best source of information to aid the investigation?
- A. Interviews with key marketing personnel
- B. Reports on recent purchase histories
- C. Lists of all customers, sorted by country
- D. Database schemas held by the retailer
Answer: A
Explanation:
The data privacy leader needs to identify all the personal data that the Company has received from the retailer, as well as the purposes, retention periods, and sharing practices for that data. Because the documented data inventory is obsolete, it cannot be relied on for accurate and complete information, and the retailer's schemas or customer lists describe what the retailer holds rather than what the Company actually received and does with it. The next best source is therefore interviews with the key marketing personnel who are responsible for the partnership and for the use of the personal data: they can describe the data flows, data categories, processing activities, and protection measures the Company has implemented, and can point to the contracts, documents, and records that support the investigation. References: [IAPP CIPP/US Study Guide], Chapter 5: Data Management, p. 97-98; IAPP Privacy Tech Vendor Report, Data Mapping and Inventory, p. 9-10.
NEW QUESTION # 58
A covered entity suffers a ransomware attack that affects the personal health information (PHI) of more than 500 individuals. According to Federal law under HIPAA, which of the following would the covered entity NOT have to report the breach to?
- A. The affected individuals
- B. Medical providers
- C. Department of Health and Human Services
- D. The local media
Answer: B
Explanation:
According to the Health Insurance Portability and Accountability Act (HIPAA), a covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form in connection with a transaction covered by HIPAA. A covered entity must report a breach of unsecured protected health information (PHI) to the following parties:
* The Department of Health and Human Services (HHS), which is the federal agency responsible for enforcing HIPAA and issuing regulations and guidance on privacy and security issues. A covered entity must notify HHS of a breach affecting 500 or more individuals without unreasonable delay and in no case later than 60 days after discovery of the breach. A covered entity must also notify HHS of breaches affecting fewer than 500 individuals within 60 days of the end of the calendar year in which the breaches occurred.
* The affected individuals, who are the individuals whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the breach. A covered entity must notify the affected individuals without unreasonable delay and in no case later than 60 days after discovery of the breach. The notification must be in writing by first-class mail or, if the individual agrees, by electronic mail. The notification must include a brief description of the breach, the types of information involved, the steps the individual should take to protect themselves, the steps the covered entity is taking to investigate and mitigate the breach, and the contact information of the covered entity.
* The local media, if the breach affects more than 500 residents of a state or jurisdiction. A covered entity must notify prominent media outlets serving the state or jurisdiction without unreasonable delay and in no case later than 60 days after discovery of the breach. The notification must include the same information as the notification to the affected individuals.
A covered entity does not have to report the breach to medical providers, unless they are also affected individuals or business associates of the covered entity. A business associate is a person or entity that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of PHI. A covered entity must have a written contract or agreement with its business associates that requires them to protect the privacy and security of PHI and report any breaches to the covered entity.
References:
* IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Section C: Sector-specific Requirements for Health Information
* IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.3: Sector-specific Requirements for Health Information
* Practice Exam - International Association of Privacy Professionals
NEW QUESTION # 59
SCENARIO
Please use the following to answer the next QUESTION:
A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer's data handling practices.
The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: "Please act immediately by identifying all personal data received from our company." This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup's rapid market penetration.
As the Company's data privacy leader, you are sensitive to the criticality of the relationship with the retailer.
Under the GDPR, the complainant's request regarding her personal information is known as what?
- A. Right of Access
- B. Right of Removal
- C. Right of Rectification
- D. Right to Be Forgotten
Answer: D
Explanation:
Article 17 of the GDPR sets out the right to erasure, commonly known as the "right to be forgotten", which is what a request to erase personal data invokes. "Right of Removal" is not a GDPR term; the right of access (Article 15) and the right to rectification (Article 16) are different rights.
NEW QUESTION # 60
Global Manufacturing Co's Human Resources department recently purchased a new software tool. This tool helps evaluate future candidates for executive roles by scanning emails to see what those candidates say and what is said about them. This provides the HR department with an automated "360 review" that lets them know how the candidate thinks and operates, what their peers and direct reports say about them, and how well they interact with each other.
What is the most important step for the Human Resources Department to take when implementing this new software?
- A. Confirming that employees have read and signed the employee handbook where they have been advised that they have no right to privacy as long as they are using the organization's systems, regardless of the protected group or laws enforced by EEOC.
- B. Making sure that the software does not unintentionally discriminate against protected groups.
- C. Ensuring that the software contains a privacy notice explaining that employees have no right to privacy as long as they are running this software on organization systems to scan email systems.
- D. Providing notice to employees that their emails will be scanned by the software and creating automated profiles.
Answer: B
NEW QUESTION # 61
SCENARIO
Please use the following to answer the next QUESTION :
Declan has just started a job as a nursing assistant in a radiology department at Woodland Hospital. He has also started a program to become a registered nurse.
Before taking this career path, Declan was vaguely familiar with the Health Insurance Portability and Accountability Act (HIPAA). He now knows that he must help ensure the security of his patients' Protected Health Information (PHI). Therefore, he is thinking carefully about privacy issues.
On the morning of his first day, Declan noticed that the newly hired receptionist handed each patient a HIPAA privacy notice. He wondered if it was necessary to give these privacy notices to returning patients, and if the radiology department could reduce paper waste through a system of one-time distribution.
He was also curious about the hospital's use of a billing company. He questioned whether the hospital was doing all it could to protect the privacy of its patients if the billing company had details about patients' care.
On his first day Declan became familiar with all areas of the hospital's large radiology department. As he was organizing equipment left in the hallway, he overheard a conversation between two hospital administrators. He was surprised to hear that a portable hard drive containing non-encrypted patient information was missing. The administrators expressed relief that the hospital would be able to avoid liability. Declan was surprised, and wondered whether the hospital had plans to properly report what had happened.
Despite Declan's concern about this issue, he was amazed by the hospital's effort to integrate Electronic Health Records (EHRs) into the everyday care of patients. He thought about the potential for streamlining care even more if they were accessible to all medical facilities nationwide.
Declan had many positive interactions with patients. At the end of his first day, he spoke to one patient, John, whose father had just been diagnosed with a degenerative muscular disease. John was about to get blood work done, and he feared that the blood work could reveal a genetic predisposition to the disease that could affect his ability to obtain insurance coverage. Declan told John that he did not think that was possible, but the patient was wheeled away before he could explain why. John plans to ask a colleague about this.
In one month, Declan has a paper due for one of his classes on a health topic of his choice. By then, he will have had many interactions with patients he can use as examples. He will be pleased to give credit to John by name for inspiring him to think more carefully about genetic testing.
Although Declan's day ended with many questions, he was pleased about his new position.
What is the most likely way that Declan might directly violate the Health Insurance Portability and Accountability Act (HIPAA)?
- A. By speaking to a patient without prior authorization
- B. By following through with his plans for his upcoming paper
- C. By ignoring the conversation about a potential breach
- D. By being present when patients are checking in
Answer: B
Explanation:
"Other than for treatment, covered entities must make reasonable efforts to limit the use and disclosure of PHI to the minimum necessary in order to accomplish the intended purpose." Naming John and describing his circumstances in a class paper would disclose PHI outside the hospital, for a purpose unrelated to treatment, payment or health care operations, without the patient's authorization. Declan is not involved in the potential breach, has not been trained to handle it, and does not know all the facts of the situation, so he has no obligation to investigate further based on what he overheard; speaking with patients and being present at check-in are ordinary parts of his job.
NEW QUESTION # 62
When developing a company privacy program, which of the following relationships will most help a privacy professional develop useful guidance for the organization?
- A. Relationships with clients, vendors, and customers whose data will be primarily collected and used throughout the organizational program.
- B. Relationships with individuals across company departments and at different levels in the organization's hierarchy.
- C. Relationships with company leaders responsible for approving, implementing, and periodically reviewing the corporate privacy program.
- D. Relationships with individuals within the privacy professional community who are able to share expertise and leading practices for different industries.
Answer: B
Explanation:
IAPP Book, Section 4.3.1.1, paragraph 3.
NEW QUESTION # 63
SCENARIO
Please use the following to answer the next QUESTION:
A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer's data handling practices.
The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: "Please act immediately by identifying all personal data received from our company." This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup's rapid market penetration.
As the Company's data privacy leader, you are sensitive to the criticality of the relationship with the retailer.
Under the General Data Protection Regulation (GDPR), how would the U.S.-based startup company most likely be classified?
- A. As a data supervisor
- B. As a data processor
- C. As a data controller
- D. As a data manager
Answer: B
Explanation:
GDPR Article 4(7) defines a controller as the party that, alone or jointly with others, determines the purposes and means of the processing of personal data; Article 4(8) defines a processor as a party that processes personal data on behalf of the controller. "Data supervisor" and "data manager" are not GDPR roles (the regulation uses "supervisory authority" for the regulator, which is the body investigating the retailer in this scenario). Here the EU-based retailer collected the complainant's data, relied on her consent, was the party expected to honor her withdrawal of consent and erasure request, and decided to disclose the data to the startup; the startup received that data from the retailer. On those facts the answer key classifies the startup as a processor. The practical caveat is that the label turns on who determines purposes and means, not on who receives the data: if the startup used the retailer's data for its own purposes (for example, its own marketing), it would be a controller in its own right with its own GDPR obligations, including responding to erasure requests it actually receives.
NEW QUESTION # 64
Which of the following best describes the Asia-Pacific Economic Cooperation (APEC) principles?
- A. A code of responsibilities for medical establishments to uphold privacy laws.
- B. A baseline of marketers' minimum responsibilities for providing opt-out mechanisms.
- C. A bill of rights for individuals seeking access to their personal information.
- D. A set of non-binding privacy principles for personal information held in the commercial sector.
Answer: D
Explanation:
The APEC principles are part of the APEC Privacy Framework, which is an inter-governmental agreement among the 21 member economies of the Asia-Pacific Economic Cooperation (APEC) to promote information privacy protection and the free flow of information in the region. The APEC Privacy Framework consists of four parts: a preamble, a scope, a set of nine information privacy principles, and an implementation section.
The APEC information privacy principles are:
* Preventing harm: Personal information controllers should take reasonable steps to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction, and to address the risks and challenges posed by specific technologies and business practices.
* Notice: Personal information controllers should provide clear and easily accessible statements about their personal information handling practices, including the types of personal information they collect, the purposes for which they collect it, the types of third parties to which they disclose it, the choices and means they offer individuals for limiting the use and disclosure of their personal information, and how they can contact the personal information controller with inquiries or complaints.
* Collection limitation: Personal information controllers should limit the collection of personal information to what is relevant for the purposes of collection and should collect personal information by lawful and fair means and, where appropriate, with notice to, or consent of, the individual concerned.
* Use limitation: Personal information controllers should use personal information only for the purposes for which it was collected or for purposes that a reasonable person would consider appropriate in the circumstances, and should retain personal information only as long as necessary to fulfill the stated purposes or as required by law or regulation.
* Choice: Personal information controllers should offer individuals choices and means to limit the use and disclosure of their personal information, where appropriate, and should respect the choices made by individuals.
* Integrity of personal information: Personal information controllers should take reasonable steps to ensure that personal information is accurate, complete, and up-to-date for the purposes for which it is used.
* Security safeguards: Personal information controllers should protect personal information with reasonable security safeguards against risks such as loss, unauthorized access, destruction, misuse, modification, and disclosure.
* Access and correction: Personal information controllers should give individuals the ability to access and, where appropriate, correct their personal information that is under their control, subject to reasonable limitations, such as where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy, or where the legitimate rights of persons other than the individual would be violated.
* Accountability: Personal information controllers should be accountable for complying with the privacy principles and should have in place mechanisms to ensure their implementation and compliance.
The APEC Privacy Framework is not a binding legal instrument, but rather a voluntary and flexible arrangement that allows each member economy to implement the principles according to its own domestic laws and regulations, applicable international frameworks, and cultural and social values. The APEC Privacy Framework also provides for cross-border cooperation and information sharing among member economies, as well as the development of mechanisms to facilitate the cross-border transfer of personal information, such as the APEC Cross-Border Privacy Rules (CBPR) System and the APEC Privacy Recognition for Processors (PRP) System. These mechanisms are based on a common set of rules and standards derived from the APEC Privacy Framework, and are intended to enhance the protection of personal information that flows across borders and to increase the interoperability among different privacy regimes in the region and beyond. References:
* APEC Privacy Framework (2015)
* APEC Cross-Border Privacy Rules (CBPR) System
* APEC Privacy Recognition for Processors (PRP) System
* APEC Privacy Framework: A New Model for Transborder Data Flows
NEW QUESTION # 65
The U.S. Supreme Court has recognized an individual's right to privacy over personal issues, such as contraception, by acknowledging which of the following?
- A. The doctrine of stare decisis, which allows the U.S. Supreme Court to follow the precedent of previously decided case law.
- B. Federal preemption of state constitutions that expressly recognize an individual right to privacy.
- C. A "penumbra" of unenumerated constitutional rights as well as more general protections of due process of law.
- D. An interpretation of the U.S. Constitution's explicit definition of privacy that extends to personal issues.
Answer: C