IAPP CIPP-E Exam - Topic 5 Question 39 Discussion

Actual exam question for IAPP's CIPP-E exam

Question #: 39
Topic #: 5

Bioface is a company based in the United States. It has no servers, personnel or assets in the European Union. By collecting photographs from social media and other web-based services, such as newspapers and blogs, it uses machine learning to develop a facial recognition algorithm. The algorithm identifies individuals in photographs who are not in its data set based the algorithm and its existing dat

a. The service collects photographs of data subjects in the European Union and will identify them if presented with their photographs. Bioface offers its service to government agencies and companies in the United States and Canada, but not to those in the European Union. Bioface does not offer the service to individuals.

Why is Bioface subject to the territorial scope of the General Data Protection Regulation?

AIt collects data from European Union websites, which constitutes an establishment in the European Union.

BIt offers services in the European Union by identifying data subjects in the European Union.

CIt collects data from subjects and uses it for automated processing.

DIt monitors the behavior of data subjects in the European Union.

Show Suggested Answer

Suggested Answer: A

by Marti at May 06, 2022, 11:35 PM

Limited Time Offer

25%

Off

Get Premium CIPP-E Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Stephane

4 months ago

Totally agree with B, they’re still processing EU data!

upvoted 0 times

...

Shenika

5 months ago

Wait, how can they be regulated if they have no presence in the EU?

upvoted 0 times

...

Ula

5 months ago

Definitely A! Just scraping data makes them subject to EU laws.

upvoted 0 times

...

Cathrine

5 months ago

I think it's B, they identify EU data subjects directly.

upvoted 0 times

...

Lizbeth

5 months ago

Bioface collects data from EU websites, so it falls under GDPR.

upvoted 0 times

...

Avery

5 months ago

I practiced a similar question where the focus was on data collection from EU citizens. It seems like option A could be relevant too.

upvoted 0 times

...

Kattie

5 months ago

I’m not entirely sure, but I think option B makes sense since they identify individuals in the EU, right?

upvoted 0 times

...

Brandon

5 months ago

I remember discussing how the GDPR applies to companies outside the EU if they process data of EU citizens.

upvoted 0 times

...

Luisa

5 months ago

I’m a bit lost on this one. Does collecting data from EU websites really mean they have to comply with GDPR?

upvoted 0 times

...

Ludivina

5 months ago

I'm a bit confused on this one. Is it creating a new interaction, incident, or case? The options seem a bit similar. I'll have to re-read the question carefully and think it through step-by-step.

upvoted 0 times

...

Elli

5 months ago

I'm not sure about this one. I'll have to review the concepts around VPLS and IES to figure out the right approach.

upvoted 0 times

...