Free IAPP CIPP-E Actual Exam Questions - Question 8 Discussion
SCENARIO Please use the following to answer the next question:

Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating on every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best. Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match.

For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status. If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information.

As Project Big is an important project, the company also hires a first-year college student named Sam, who is studying computer science, to help Ben out. Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S. Joe believes that Alice is doing a great job, and informs her that she will also be in charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first-level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.

As a result of Sam’s actions, the Gummy Bear Company potentially violated Articles 33 and 34 of the GDPR and will be required to do what?
Good point about timing affecting notification, but C still fits best here.
C/D? I think C is the safest since the company needs to figure out the scope of the breach before deciding who to notify, if anyone. They have to analyze the impact on all customers, not just Ireland, to comply properly. D feels too broad because not every EU customer may be affected or at risk. Plus, GDPR talks about notifying authorities first, then possibly customers if there’s high risk. So jumping straight to notifying all EU customers might be premature without the full evaluation. Better to do a thorough breach notification assessment first.
Yeah, gotta agree with going with C here. Before notifying anyone, the company has to figure out exactly what notifications are required based on the breach’s details. Just immediately alerting the authority or all EU customers could be premature without understanding the full scope and risk.
C. The company needs to fully assess all breach notification duties first before deciding on notifying authorities or customers, especially since the impact or risk level isn’t clear from the scenario.
Maybe C makes the most sense here since Articles 33 and 34 require a thorough assessment of what kind of notifications are necessary after a breach. They can’t just jump to notifying the Data Protection Authority or customers without evaluating the risk and scope first. It’s about figuring out all obligations, not just one step. The scenario also doesn’t specify if the breach is high risk, so C feels like the safest call.
Probably A here. Articles 33 and 34 specifically talk about breach notification to the Data Protection Authority and potentially to individuals if there’s high risk. Since Sam copied the data without authorization, that’s a breach, so notifying the authority seems like a must. The question says “potentially violated,” so starting with the authority makes sense before involving customers or doing a full evaluation, which would come after notifying or at least informing the regulators.
C imo, but does the question specify if the breach was likely to result in a risk to individuals’ rights? Because that impacts notification requirements under GDPR.