Free IAPP CIPP-E Actual Exam Questions - Question 6 Discussion

Question No. 6
SCENARIO
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The
company is headquartered in Montreal, and all of its employees are located there. The company
offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks
internet traffic from outside of Canada (although this solution doesn’t prevent all non-Canadian
traffic). It also declines to process orders that request the DNA report to be sent outside of Canada,
and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the
company is exploring a number of plans to expand its customer base.
The first plan, collegially called We-Track-U, will use an app to collect information about its current
Canadian customer base. The expansion will allow its Canadian customers to use the app while
traveling abroad. He suggests that the company use this app to gather location information. If the
plan shows promise, Bob proposes to use push notifications and text messages to encourage existing
customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once
the company has gathered enough pre-registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the
company’s app, like storage and sharing of DNA information with other applications and medical
providers. The company’s contract says that it can keep customer DNA indefinitely, and use it to offer
new services and market them to customers. It also says that customers agree not to withdraw direct
marketing consent. Paul, the marketing director, suggests that the company should fully exploit
these provisions, and that it can work around customers’ attempts to withdraw consent because the
contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process.
It is in the process of purchasing the naming rights for a building in Germany, which would come with
a few offices that Who-R-U executives can use while traveling internationally. The office doesn’t
include any technology or infrastructure; rather, it’s simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held
unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada.
The reports include customer name, birthdate, ethnicity, racial background, names of relatives,
gender, and occasionally health information.
If Who-R-U decides to track locations using its app, what must it do to comply with the GDPR?
Mason R.
2026-02-20

It’s A, consent is usually needed for tracking location under GDPR.

0
Imran S.
2026-02-14

D imo, the idea that location data is a special category needing a court order seems off. GDPR does treat location info as personal data that requires a lawful basis, but a court order isn’t typically required. It’s more about having the right legal grounds, like consent or legitimate interest, plus transparency. So D doesn’t really fit. A and B both make sense, but since the question asks what it must do, providing clear notice (B) is essential regardless of consent. Without transparency, even consent might not be valid under GDPR.

0
Jason A.
2026-02-14

Maybe A is right since location data is sensitive, so explicit consent is required, not just notice. Without clear consent, they can’t legally track users under GDPR.

0
Jason A.
2026-02-14

B imo, transparency is a baseline under GDPR, consent alone won't cut it.

0
Jason A.
2026-02-13

Maybe B works best here since GDPR really pushes for clear info upfront. Consent alone isn’t enough; users must know exactly what data is collected and why before using the app for location tracking.

0
Bilal L.
2026-02-10

It’s B because transparency is mandatory even if consent’s obtained.

0
Bilal L.
2026-01-28

Option B seems key too, since GDPR stresses transparency. Even if they get consent, users need clear info on what tracking involves before agreeing. So notice is a must along with consent.

0
Bilal L.
2026-01-19

I’m thinking D might be off since location data isn’t always special category data under GDPR, just personal data. So a court order seems unnecessary. Could consent (A) still be the main requirement here?

0
Bilal L.
2026-01-17

A consent is key here, GDPR treats location data as personal and sensitive.

0
John K.
2026-01-15

A imo, since location data counts as sensitive info, just notifying users (B) isn’t enough. You’d need explicit consent to track locations legally under GDPR.

0
Carlos J.
2026-01-15

B Is just a transparent notice enough here though? Shouldn’t there be consent too since it involves location tracking, which is pretty sensitive?

0