Reliable IAPP CIPP-E Exam Dumps - Pass in 1st Attempt

Question No: 1

MultipleChoice

What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?

Options

AThe controller will be liable to pay an administrative fine

BThe processor will be liable to pay compensation to affected data subjects

CThe processor will be considered to be a controller in respect of the processing concerned

DThe controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved

Question No: 2

MultipleChoice

SCENARIO

Please use the following to answer the next question:

Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related (asks This was also specified in the privacy policy, which Jack signed upon conclusion of the training.

After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and hearth information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors. Jack was immediately dismissed

Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents. In relation to the emails Jack listed six members of the management team whose inboxes the required access.

How should the company respond to Jack's request to be forgotten?

Options

AThe company should not erase the data at this time as it may be required to defend a legal claim of unfair dismissal.

BThe company should claim that the right to be forgotten is not applicable to them, as only a fraction of their global workforce resides in the European Union.

BThe company should erase all data relating to Jack without undue delay as the right to be forgotten is an absolute right.

DThe company should ensure that the information is stored outside of the European Union so that the right to be forgotten under the GDPR does not apply.

Question No: 3

MultipleChoice

What is an important difference between the European Court of Human Rights (ECHR) and the Court of Justice of the European Union (CJEU) in relation to their roles and functions?

Options

AECHR can rule on issues concerning privacy as a fundamental right, while the CJEU cannot.

BCJEU can force national governments to implement and honor EU law, while the ECHR cannot.

CCJEU can hear appeals on human rights decisions made by national courts, while the ECHR cannot.

DECHR can enforce human rights laws against governments that fail to implement them, while the CJEU cannot.

Question No: 4

MultipleChoice

According to the AI Act, a provider of a high-risk AI system has all of the following obligations EXCEPT?

A. Ensuring users understand how the system mitigates bias. B. Registering the system in the European AI Board's database. C. Providing detailed documentation about the system to the users. D. Conducting a conformity assessment before placing the system on the market.

Options

Question No: 5

MultipleChoice

What is the main purpose of the EU Data Act?

A. To enable the processing and transfer of non-personal data within the EU. B. To allow users of connected devices to access data generated by their use. C. To facilitate the voluntary sharing of data between individuals and businesses. D. To regulate individuals' privacy rights and the processing of their personal data.

Options

Question No: 6

MultipleChoice

Once an organization has conducted an internal investigation to determine the scope of a ransomware attack, what is the appropriate next step in the process?

A. Assess the risks associated with the breach and, if necessary, notify affected individuals and regulatory bodies within the relevant timeframes. B. Notify law enforcement and consult with legal counsel to understand the implications of the breach and the notification requirements. C. Inform all customers and the public via social media platforms to ensure rapid dissemination of relevant information. D. Wait for law enforcement to provide guidance on notification procedures before taking any further action.

Options

Question No: 7

MultipleChoice

The Murla HB Club should have carried out a DPIA before the installation of the new access system AND at what other time?

A. After the complaint of the supporter B. Periodically, when new risks were foreseen C. At the end of every match of the season. D. After the AEPD notification of the investigation.

Options

Question No: 8

MultipleChoice

SCENARIO

Please use the following to answer the next question:

Joe started the Gummy Bear Company in 2000 from his home in Vermont, US

Options

AToday, it is a multi-billion-dollar candy company operating in every continent. All of the company's IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers' philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend's daughter, Alice, who just graduated from law school in the U.S., to be the company's new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone's information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
Ben's collection of additional data from customers created several potential issues for the company, which would most likely require what?

ANew corporate governance and code of conduct.

BA data protection impact assessment.

CA comprehensive data inventory.

DHiring a data protection officer.

Question No: 9

MultipleChoice

SCENARIO

Please use the following to answer the next question:

Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.

Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:

Name

Address

Date of Birth

Payroll number

National Insurance number

Sick pay entitlement

Maternity/paternity pay entitlement

Holiday entitlement

Pension and benefits contributions

Trade union contributions

Jenny is the compliance officer at Company

Options

AShe first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
The GDPR requires sufficient guarantees of a company's ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?

AHiring companies whose measures are consistent with recommendations of accrediting bodies.

BRequesting advice and technical support from Company A's IT team.

CAvoiding the use of another company's data to improve their own services.

DVetting companies' measures with the appropriate supervisory authority.

Question No: 10

MultipleChoice

SCENARIO

Please use the following to answer the next question:

Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.

Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:

Name

Address

Date of Birth

Payroll number

National Insurance number

Sick pay entitlement

Maternity/paternity pay entitlement

Holiday entitlement

Pension and benefits contributions

Trade union contributions

Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.

Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.

Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.

This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.

Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.

Under the GDPR, which of Company B's actions would NOT be likely to trigger a potential enforcement action?

Options

ATheir omission of data protection provisions in their contract with Company C.

BTheir failure to provide sufficient security safeguards to Company A's data.

CTheir engagement of Company C to improve their payroll service.

DTheir decision to operate without a data protection officer.

Answer
CExplanation

While Company B made several mistakes in handling Company A's employee data, not all of them would likely trigger a potential enforcement action under the GDPR. Here's an analysis of each option:

A . Omission of data protection provisions in the contract with Company C: This is a clear violation of the GDPR. Company B, as the data controller, is responsible for ensuring that any third-party processors comply with data protection requirements. By omitting data protection provisions in the contract, Company B failed to take appropriate steps to ensure the security and privacy of the personal data. This would be a likely trigger for an enforcement action.

B . Failure to provide sufficient security safeguards to Company A's data: This is another violation of the GDPR. Company B has a legal obligation to implement appropriate technical and organizational security measures to protect personal data from unauthorized access, use, disclosure, alteration, or destruction. The outdated IT security system at Company C's U.S. server demonstrates a failure to meet this obligation. This would also be a likely trigger for an enforcement action.

C . Engagement of Company C to improve their payroll service: While outsourcing certain aspects of data processing is permitted under the GDPR, the data controller remains ultimately responsible for compliance. However, simply engaging another company to improve a service itself isn't necessarily a violation. As long as the proper safeguards are in place and the data processing is carried out in accordance with the GDPR, this action alone would not likely trigger an enforcement action.

D . Decision to operate without a data protection officer: The GDPR requires certain organizations to appoint a data protection officer (DPO). While Company B may be required to have a DPO depending on its size and activities, the absence of a DPO wouldn't automatically trigger an enforcement action. However, it could indicate a lack of compliance culture and contribute to other violations, increasing the likelihood of an enforcement action.

Therefore, while Company B made several mistakes, only the ones that directly violate specific data protection requirements, such as omitting data protection provisions in contracts or failing to implement appropriate security measures, are likely to trigger an enforcement action. Engaging a third-party to improve a service, as long as it's done in a compliant manner, isn't a violation in itself.

Question No: 11

MultipleChoice

Once an organization has conducted an internal investigation to determine the scope of a ransomware attack, what is the appropriate next step in the process?

Options

AAssess the risks associated with the breach and, if necessary, notify affected individuals and regulatory bodies within the relevant timeframes.

BNotify law enforcement and consult with legal counsel to understand the implications of the breach and the notification requirements.

CInform all customers and the public via social media platforms to ensure rapid dissemination of relevant information.

DWait for law enforcement to provide guidance on notification procedures before taking any further action.

Question No: 12

MultipleChoice

SCENARIO

Please use the following to answer the next question:

ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage

Why was Jackie correct in not completing a transfer impact assessment for HRYourWay?

Options

AHRYourWay was ultimately not selected

BHRYourWay is not located in a third country.

CProStorage will obtain consent for all transfers.

DProStorage can rely on its Binding Corporate Rules

Question No: 13

MultipleChoice

SCENARIO

Please use the following to answer the next question:

ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage

What transfer mechanism should Jackie recommend for using InstaHR?

Options

AAdequacy

BBinding corporate rules.

CExplicit consent of employees.

DStandard contractual clauses

Question No: 14

MultipleChoice

SCENARIO

Please use the following to answer the next question:

ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage

What transfer mechanism did ProStorage most likely rely on to transfer Ruth's medical information to the hospital?

Options

ARuth's implied consent.

BProtecting the vital interest of Ruth

CPerformance of a contract with Ruth.

DProtecting against legal liability from Ruth.

Question No: 15

MultipleChoice

SCENARIO

Please use the following to answer the next Question:

Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers' data to third parties, and he's convinced that Accidentable must have gotten his information from Bedrock Insurance.

Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.

Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.

In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.

Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis's contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.

In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.

Accidentable's response letter confirms Louis's suspicions. Accidentable is Bedrock Insurance's wholly owned subsidiary, and they received information about Louis's accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis's contract included, a provision in which he agreed to share his information with Bedrock's affiliates for business purposes.

Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.

Based on the GDPR's position on the use of personal data for direct marketing purposes, which of the following is true about Louis's rights as a data subject?

Options

ALouis does not have the right to object to the use of his data because he previously consented to it.

BLouis has the right to object at any time to the use of his data and Bedrock must honor his request to cease use.

CLouis has the right to object to the use of his data, unless his data is required by Bedrock for the purpose
of exercising a legal claim.

DLouis does not have the right to object to the use of his data if Bedrock can demonstrate compelling legitimate grounds for the processing.

Question No: 16

MultipleChoice

Please use the following to answer the next question:

Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located m Malta |EU).

People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.

The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.

The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a

What is potentially wrong with the backup system operated in the AWS cloud?

Options

AThe AWS servers are located in the EU but in a country different than the location of the corporate headquarters.

BIt is unlawful to process any personal data in a cloud unless the cloud is certified as GOPR-compliant by a competent supervisory authority.

CThe data storage period has to be revised, and a data processing agreement w*h AWS must be signed

DAWS is a U S company, and no personal data of European residents may be transferred to it without explicit written consent from data subjects.

Question No: 17

MultipleChoice

Please use the following to answer the next question:

ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage

Why was Jackie correct in not completing a transfer impact assessment for HRYourWay?

Options

AHRYourWay was ultimately not selected

BHRYourWay is not located in a third country.

CProStorage will obtain consent for all transfers.

DProStorage can rely on its Binding Corporate Rules

Question No: 18

MultipleChoice

Please use the following to answer the next question:

Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta |EU).

People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.

The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.

The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a

Which of the following must be a component of the anti-money-laundering data-sharing practice of the platform?

Options

AThe terms of service shall also enumerate all applicable anti-money laundering few.

BCustomers shall have an opt-out feature to restrict data sharing with law enforcement agencies after the registration.

CThe terms of service shall include the address of the anti-money laundering agency and contacts of the investigators who may access me data.

DCustomers snail receive a clear and conspicuous notice about such data sharing before submitting their data during the registration process.

Question No: 19

MultipleChoice

Please use the following to answer the next question:

Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related (asks This was also specified in the privacy policy, which Jack signed upon conclusion of the training.

After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and hearth information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors. Jack was immediately dismissed

Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of 'all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents In relation to the emails Jack listed six members of the management team whose inboxes he required access.

The company conducted an initial search of its IT systems, which returned a large amount of information They then contacted Jack, requesting that he be more specific regarding what information he required, so that they could carry out a targeted search Jack responded by stating that he would not narrow the scope of the information requester.

Under Article 82 of the GDPR ('Right to compensation and liability-), which party is liable for the damage caused by the data breach?

Options

ABoth parties are exempt, as the company is involved in human health research

BJack and the pharmaceutical company are jointly liable.

CThe pharmaceutical company is liable.

DJack is liable

Question No: 20

MultipleChoice

Please use the following to answer the next question:

Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related (asks This was also specified in the privacy policy, which Jack signed upon conclusion of the training.

After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and hearth information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors. Jack was immediately dismissed

Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of 'all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents * In relation to the emails Jack listed six members of the management team whose inboxes he required access.

The company conducted an initial search of its IT systems, which returned a large amount of information They then contacted Jack, requesting that he be more specific regarding what information he required, so that they could carry out a targeted search Jack responded by stating that he would not narrow the scope of the information requester.

What would be the most appropriate response to Jacks data subject access request?

Options

AThe company should not provide any information, as the company is headquartered outside of the EU.

BThe company should decline to provide any information, as the amount of information requested is too excessive to provide in one month.

CThe company should cite the need for an extension, and agree to provide the information requested in Jack's original DSAR within a period of 3 months.

DThe company should provide all requested information except for the emails, as they are excluded from data access request requirements under the GDPR.

Free IAPP CIPP-E Exam Dumps April 2026