- Home
- IAPP
- Certified Information Privacy Professional/Europe (CIPP/E)
- IAPP.CIPP-E.v2025-07-14.q134
- Question 98
Valid CIPP-E Dumps shared by ExamDiscuss.com for Helping Passing CIPP-E Exam! ExamDiscuss.com now offer the newest CIPP-E exam dumps, the ExamDiscuss.com CIPP-E exam questions have been updated and answers have been corrected get the newest ExamDiscuss.com CIPP-E dumps with Test Engine here:
Access CIPP-E Dumps Premium Version
(310 Q&As Dumps, 35%OFF Special Discount Code: freecram)
<< Prev Question Next Question >>
Question 98/134
SCENARIO
Please use the following to answer the next question:
Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related (asks This was also specified in the privacy policy, which Jack signed upon conclusion of the training.
After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and hearth information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors. Jack was immediately dismissed Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents * In relation to the emails Jack listed six members of the management team whose inboxes he required access.
The company conducted an initial search of its IT systems, which returned a large amount of information They then contacted Jack, requesting that he be more specific regarding what information he required, so that they could carry out a targeted search Jack responded by stating that he would not narrow the scope of the information requester.
What would be the most appropriate response to Jacks data subject access request?
Please use the following to answer the next question:
Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related (asks This was also specified in the privacy policy, which Jack signed upon conclusion of the training.
After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and hearth information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors. Jack was immediately dismissed Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents * In relation to the emails Jack listed six members of the management team whose inboxes he required access.
The company conducted an initial search of its IT systems, which returned a large amount of information They then contacted Jack, requesting that he be more specific regarding what information he required, so that they could carry out a targeted search Jack responded by stating that he would not narrow the scope of the information requester.
What would be the most appropriate response to Jacks data subject access request?
Correct Answer: B
According to Article 15 of the GDPR, data subjects have the right to access and receive a copy of their personal data, and other supplementary information, from the data controller1. However, this right is not absolute and may be subject to limitations or restrictions. One of the grounds for refusing or limiting a data subject access request (DSAR) is when the request is manifestly unfounded or excessive, in particular because of its repetitive character1. In such cases, the controller may either charge a reasonable fee, taking into account the administrative costs of providing the information, or refuse to act on the request1. The controller must inform the data subject of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority or seeking a judicial remedy1.
In this scenario, Jack's DSAR is likely to be considered excessive, as he requests a copy of all personal data, including internal emails, that were sent or received by him or where he is directly or indirectly identifiable from the contents. This is a very broad and vague request, which would require the company to search and review a large amount of information, and potentially disclose confidential or sensitive data about other employees or third parties. The company has already contacted Jack, asking him to be more specific about what information he requires, but he refused to narrow the scope of his request. Therefore, the company has a valid reason to decline to provide any information, as the amount of information requested is too excessive to provide in one month, which is the general time limit for responding to a DSAR under the GDPR1. Therefore, option B is the correct answer.
Option A is incorrect because the company's headquarters location is irrelevant for the purpose of the DSAR, as the GDPR applies to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not2. The company has an establishment in Ireland, where Jack worked, and therefore is subject to the GDPR.
Option C is incorrect because the company cannot agree to provide the information requested in Jack's original DSAR within a period of 3 months, as this would violate the data subject's right of access and the principle of accountability under the GDPR. The company can only extend the time limit to respond to a DSAR by a further two months if the request is complex or if the controller receives a number of requests from the same data subject1. However, the company must inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay1. In this case, the company has not done so, and has instead asked Jack to be more specific about his request.
Option D is incorrect because the company cannot provide all requested information except for the emails, as this would not comply with the data subject's right of access and the principle of transparency under the GDPR. The company must provide the data subject with a copy of the personal data undergoing processing, unless this adversely affects the rights and freedoms of others1. The emails are part of the personal data undergoing processing, and the company cannot exclude them from the DSAR without a valid reason. The company must also provide the data subject with the following supplementary information, unless the data subject already has it1:
the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the data subject, any available information as to their source; the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Reference:
Right of access
Territorial scope
In this scenario, Jack's DSAR is likely to be considered excessive, as he requests a copy of all personal data, including internal emails, that were sent or received by him or where he is directly or indirectly identifiable from the contents. This is a very broad and vague request, which would require the company to search and review a large amount of information, and potentially disclose confidential or sensitive data about other employees or third parties. The company has already contacted Jack, asking him to be more specific about what information he requires, but he refused to narrow the scope of his request. Therefore, the company has a valid reason to decline to provide any information, as the amount of information requested is too excessive to provide in one month, which is the general time limit for responding to a DSAR under the GDPR1. Therefore, option B is the correct answer.
Option A is incorrect because the company's headquarters location is irrelevant for the purpose of the DSAR, as the GDPR applies to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not2. The company has an establishment in Ireland, where Jack worked, and therefore is subject to the GDPR.
Option C is incorrect because the company cannot agree to provide the information requested in Jack's original DSAR within a period of 3 months, as this would violate the data subject's right of access and the principle of accountability under the GDPR. The company can only extend the time limit to respond to a DSAR by a further two months if the request is complex or if the controller receives a number of requests from the same data subject1. However, the company must inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay1. In this case, the company has not done so, and has instead asked Jack to be more specific about his request.
Option D is incorrect because the company cannot provide all requested information except for the emails, as this would not comply with the data subject's right of access and the principle of transparency under the GDPR. The company must provide the data subject with a copy of the personal data undergoing processing, unless this adversely affects the rights and freedoms of others1. The emails are part of the personal data undergoing processing, and the company cannot exclude them from the DSAR without a valid reason. The company must also provide the data subject with the following supplementary information, unless the data subject already has it1:
the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the data subject, any available information as to their source; the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Reference:
Right of access
Territorial scope
- Question List (134q)
- Question 1: Please use the following to answer the next question: Wonder...
- Question 2: SCENARIO Please use the following to answer the next questio...
- Question 3: What is the key difference between the European Council and ...
- Question 4: The GDPR forbids the practice of "forum shopping", which occ...
- Question 5: Start-up company MagicAI is developing an AI system that wil...
- Question 6: SCENARIO Please use the following to answer the next questio...
- Question 7: In relation to third countries and international organizatio...
- Question 8: An entity's website stores text files on EU users' computer ...
- Question 9: SCENARIO Please use the following to answer the next questio...
- Question 10: SCENARIO Please use the following to answer the next questio...
- Question 11: What is a reason the European Court of Justice declared the ...
- Question 12: With the issue of consent, the GDPR allows member states som...
- Question 13: SCENARIO Please use the following to answer the next questio...
- Question 14: SCENARIO Please use the following to answer the next questio...
- Question 15: SCENARIO Please use the following to answer the next questio...
- Question 16: All of the following will be established by the second Netwo...
- Question 17: If a company chooses to ground an international data transfe...
- Question 18: When may browser settings be relied upon for the lawful appl...
- Question 19: A news website based m (he United Slates reports primarily o...
- Question 20: A company wishes to transfer personal data to a country outs...
- Question 21: A mobile device application that uses cookies will be subjec...
- Question 22: SCENARIO Please use the following to answer the next questio...
- Question 23: According to the European Data Protection Board, if a contro...
- Question 24: Which of the following is NOT one of the 4 principles develo...
- Question 25: Article 58 of the GDPR describes the power of supervisory au...
- Question 26: For which of the following operations would an employer most...
- Question 27: In the Planet 49 case, what was the man judgement of the Coo...
- Question 28: Which of the following countries will continue to enjoy adeq...
- Question 29: SCENARIO Please use the following to answer the next questio...
- Question 30: Under the Data Protection Law Enforcement Directive of the E...
- Question 31: Under the GDPR, where personal data is not obtained directly...
- Question 32: SCENARIO Please use the following to answer the next questio...
- Question 33: SCENARIO Please use the following to answer the next questio...
- Question 34: Which of the following would most likely NOT be covered by t...
- Question 35: Which of the following is NOT considered a fair processing p...
- Question 36: Which of the following describes a mandatory requirement for...
- Question 37: According to the Personal Data Protection Commission's (PDPC...
- Question 38: Through a combination of hardware failure and human error, t...
- Question 39: To receive a preliminary interpretation on provisions of the...
- Question 40: SCENARIO Please use the following to answer the next questio...
- Question 41: What is one major goal that the OECD Guidelines, Convention ...
- Question 42: Which of the following is NOT an explicit right granted to d...
- Question 43: SCENARIO Please use the following to answer the next questio...
- Question 44: What is the consequence if a processor makes an independent ...
- Question 45: Under Article 9 of the GDPR, which of the following categori...
- Question 46: Articles 13 and 14 of the GDPR provide details on the obliga...
- Question 47: SCENARIO Please use the following to answer the next questio...
- Question 48: What is the primary purpose of Convention 108+, which amends...
- Question 49: Which kind of privacy notice, originally advocated by the Ar...
- Question 50: SCENARIO Please use the following to answer the next questio...
- Question 51: Under the GDPR, which of the following is true in regard to ...
- Question 52: SCENARIO Please use the following to answer the next questio...
- Question 53: Which of the following entities would most likely be exempt ...
- Question 54: Which GDPR principle would a Spanish employer most likely de...
- Question 55: When collecting personal data in a European Union (EU) membe...
- Question 56: A grade school is planning to use facial recognition to trac...
- Question 57: An organization conducts body temperature checks as a part o...
- Question 58: SCENARIO Please use the following to answer the next questio...
- Question 59: SCENARIO Please use the following to answer the next questio...
- Question 60: In which case would a controller who has undertaken a DPIA m...
- Question 61: How can the relationship between the GDPR and the Digital Se...
- Question 62: SCENARIO Please use the following to answer the next questio...
- Question 63: An organization receives a request multiple times from a dat...
- Question 64: A German data subject was the victim of an embarrassing pran...
- Question 65: Once an organization has conducted an internal investigation...
- Question 66: Which statement is correct when considering the right to pri...
- Question 67: Which statement provides an accurate description of a direct...
- Question 68: SCENARIO Please use the following to answer the next questio...
- Question 69: Which of the following is NOT exempt from the material scope...
- Question 70: Jerry the Chief Marketing Officer for a sports apparel and t...
- Question 71: According to the GDPR. Article 4(14). biometric data is defi...
- Question 72: The EDPB's Guidelines 8/2020 on the targeting of social medi...
- Question 73: SCENARIO Please use the following to answer the next questio...
- Question 74: SCENARIO Please use the following to answer the next questio...
- Question 75: According to the E-Commerce Directive 2000/31/EC, where is t...
- Question 76: Which of the following does NOT have to be included in the r...
- Question 77: Which of the following is NOT recognized as a common charact...
- Question 78: Which of the following is NOT recognized as being a common c...
- Question 79: In the Planet 49 case, what was the main judgement of the Co...
- Question 80: Which judicial body makes decisions on actions taken by indi...
- Question 81: If a data subject puts a complaint before a DPA and receives...
- Question 82: The GDPR requires controllers to supply data subjects with d...
- Question 83: SCENARIO Please use the following to answer the next questio...
- Question 84: SCENARIO Please use the following to answer the next questio...
- Question 85: Tanya is the Data Protection Officer for Curtains Inc., a GD...
- Question 86: According to the GDPR, how is pseudonymous personal data def...
- Question 87: A private company has establishments in France, Poland, the ...
- Question 88: The origin of privacy as a fundamental human right can be fo...
- Question 89: SCENARIO Please use the following to answer the next questio...
- Question 90: SCENARIO Please use the following to answer the next questio...
- Question 91: The European Data Protection Board (EDPB) recommends measure...
- Question 92: Which mechanism, introduced by the GDPR as a means of ensuri...
- Question 93: SCENARIO Please use the following to answer the next questio...
- Question 94: SCENARIO Please use the following to answer the next questio...
- Question 95: What was the main failing of Convention 108 that led to the ...
- Question 96: Read the following steps: Discover which employees are acces...
- Question 97: To comply with the GDPR and the EU Court of Justice's decisi...
- Question 98: SCENARIO Please use the following to answer the next questio...
- Question 99: With respect to international transfers of personal data, th...
- Question 100: When does the GDPR provide more latitude for a company to pr...
- Question 101: SCENARIO Please use the following to answer the next questio...
- Question 102: According to the GDPR, what is the main task of a Data Prote...
- Question 103: SCENARIO Please use the following to answer the next questio...
- Question 104: Which GDPR requirement will present the most significant cha...
- Question 105: Which area of privacy is a lead supervisory authority's (LSA...
- Question 106: Under Article 21 of the GDPR, a controller must stop profili...
- Question 107: Since blockchain transactions are classified as pseudonymous...
- Question 108: Which of the following is one of the supervisory authority's...
- Question 109: Which of the following is an example of direct marketing tha...
- Question 110: If a company is planning to use closed-circuit television (C...
- Question 111: It a company receives an anonymous email demanding ransom fo...
- Question 112: Which of the following is an accurate statement regarding th...
- Question 113: What is an important difference between the European Court o...
- Question 114: Pursuant to the EDPB Guidelines 8/2022, all of the following...
- Question 115: SCENARIO Please use the following to answer the next questio...
- Question 116: As per the GDPR, which legal basis would be the most appropr...
- Question 117: SCENARIO Please use the following to answer the next questio...
- Question 118: SCENARIO Please use the following to answer the next questio...
- Question 119: Under Article 80(1) of the GDPR, individuals can elect to be...
- Question 120: Which of the following would NOT be relevant when determinin...
- Question 121: Bioface is a company based in the United States. It has no s...
- Question 122: A homeowner has installed a motion-detecting surveillance sy...
- Question 123: Why is advisable to avoid consent as a legal basis for an em...
- Question 124: Which of the following demonstrates compliance with the acco...
- Question 125: SCENARIO Please use the following to answer the next questio...
- Question 126: There are three domains of security covered by Article 32 of...
- Question 127: SCENARIO Please use the following to answer the next questio...
- Question 128: Which change was introduced by the 2009 amendments to the e-...
- Question 129: Which of the following regulates the use of electronic commu...
- Question 130: SCENARIO Please use the following to answer the next questio...
- Question 131: Which of the following would require designating a data prot...
- Question 132: Which of the following would MOST likely trigger the extrate...
- Question 133: How is the retention of communications traffic data for law ...
- Question 134: According to Article 84 of the GDPR, the rules on penalties ...
