IAPP CIPP-E Exam - Topic 8 Question 44 Discussion

Actual exam question for IAPP's CIPP-E exam

Question #: 44
Topic #: 8

SCENARIO

Please use the following to answer the next question:

ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.

Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain's locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.

Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.

In which of the following situations would ABC Hotel Chain and XYZ Travel Agency NOT have to honor Mike's data access request?

AThe request is to obtain access and correct inaccurate personal data in his profile.

BThe request is to obtain access and information about the purpose of processing his personal data.

CThe request is to obtain access and erasure of his personal data while keeping his rewards membership.

DThe request is to obtain access and the categories of recipients who have received his personal data to process his rewards membership.

Show Suggested Answer

Suggested Answer: C

by Roselle at May 08, 2022, 01:00 PM

Limited Time Offer

25%

Off

Get Premium CIPP-E Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Ma

4 months ago

I thought companies had to provide all info if asked, what's the deal?

upvoted 0 times

...

Harris

5 months ago

Option C seems tricky, they can't just erase data and keep the membership!

upvoted 0 times

...

Darci

5 months ago

Wait, can they really deny access if he wants to keep his rewards?

upvoted 0 times

...

Sharee

5 months ago

Totally agree, Mike has rights here!

upvoted 0 times

...

Alton

5 months ago

They have to honor requests for access to personal data under GDPR.

upvoted 0 times

...

Yolando

5 months ago

I’m not completely clear on this, but I think they might not have to honor the request in option C because it conflicts with the rewards program.

upvoted 0 times

...

Elroy

5 months ago

This reminds me of a practice question we did about data access requests. I feel like they have to provide information about the purpose of processing, so that might rule out option B.

upvoted 0 times

...

Jacklyn

5 months ago

I'm a bit unsure, but I think option C might be the right answer since asking for erasure while keeping the membership seems contradictory.

upvoted 0 times

...

Kristeen

5 months ago

I remember studying data subject rights, and I think they have to honor requests for access to personal data unless there's a specific legal reason not to.

upvoted 0 times

...

Monte

5 months ago

Okay, let me re-read the question closely. I need to ensure SecAdmin1 can manage Defender for Office 365 settings and policies, not just general admin tasks.

upvoted 0 times

...

Dana

5 months ago

This one seems pretty straightforward. The question is asking about the RESTCONF operation that replaces the NETCONF "edit-config" operation with the "create" parameter, so the answer must be POST.

upvoted 0 times

...

Luis

5 months ago

I'm a bit confused on this question. I'm not entirely sure how the 7750 SR handles VLAN tags in this scenario. I'll need to carefully read through the options and try to reason it out.

upvoted 0 times

...