Exam CIPP-E All QuestionsBrowse all questions from this exam
Go to Exam
Question 16

SCENARIO -

Please use the following to answer the next question:

You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company’s revenue is due to international sales.

The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children’s questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.

When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure’s integrated speakers, making it appear as though that the toy is actually responding to the child’s question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.

In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures’ abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character’s abilities remain intact.

What presents the BIGGEST potential privacy issue with the company’s practices?

    Correct Answer: B

    The biggest potential privacy issue with the company’s practices is that the information about the data processing involved has not been specified. This lack of transparency breaches fundamental principles of data protection such as informed consent and transparency, outlined in many privacy regulations globally, including the GDPR. Without informing consumers about data processing activities, especially those involving sensitive data like children's interactions, the company risks violating privacy laws and losing consumer trust.

Discussion
nezu_ko42Option: B

The answer should be B. Adequacy is not the only parameter to see a cross-border data transfer.

djflexybOption: B

The Answer is B. Not C The fact that the cloud service provider is located in a country that has not been deemed adequate may raise concerns about cross-border data transfers. However, without further details, it is unclear whether personal data is being transferred to the cloud service provider or if the data processing is solely taking place within the toy itself. Therefore, while this could be a potential issue, it is not as significant as the lack of information about the data processing.

pauldhugOption: B

Answer in B

K_1987bOption: B

Transparency!! Art. 5 para. 1 lit. a) GDPR

GraciouslyGold1Option: C

The very fact that data processing will be carried out in a country that is not deemed adequate is definitely the biggest concern because the data being processed is at risk to their inadequate data protection laws. We don’t need further details on the actual data that is being processed because we know that considering it has a microphone, it is probably actively recording everything and the person using the doll could divulge personal information that will be processed regardless through the recording.

SsouravOption: B

B. The information about the data processing involved has not been specified While both B & C issues are significant, B is likely the biggest potential privacy issue because it fundamentally breaches the principles of transparency and informed consent, which are foundational to the GDPR. Without proper information, data subjects are unable to understand or control how their data is being used, which undermines all other data protection efforts.

sbe3Option: C

Question is about privacy issue