Exam CIPP-E
Question 38

SCENARIO -

Please use the following to answer the next question:

Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.

Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.

Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.

Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.

JaphSoft’s use of pseudonymization is NOT in compliance with the GDPR because?

    Correct Answer: D

    JaphSoft's use of pseudonymization is not in compliance with the GDPR because it failed to keep personally identifiable information (PII) in a separate database. Pseudonymization under the GDPR requires that the additional information needed to attribute the data to an individual be kept separately and be subject to technical and organizational measures ensuring that the personal data are not attributed to an identified or identifiable person. Since JaphSoft's engineers maintain all contact information in the same database as the identifying information, re-identification of individuals is possible, so the GDPR's requirements are not met.

Discussion
semilias (Option: D)

Answer should be D. GDPR Article 4.5: ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

td9 (Option: D)

If JaphSoft is not in possession of the entire data set then it's anonymized and GDPR does not apply, so C is out. D makes sense: they can be in possession, but data should be segregated with different db/tables.

HARRINIS (Option: D)

Answer is D

58ad832 (Option: D)

Separate database would have still made it pseudonymous but GDPR compliant

ME79 (Option: C)

The correct answer is C. JaphSoft’s use of pseudonymization is not in compliance with the GDPR because it was in possession of information that could be used to identify data subjects. Although JaphSoft pseudonymized the personal data by removing identifying information, the engineers maintained all contact information in the same database as the identifying information. This means that the pseudonymization was not effective in fully protecting the personal data of individuals since it was possible to re-identify them through the combination of the contact information with the identifying information. GDPR requires that pseudonymization be done in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information.

num (Option: C)

JaphSoft's engineers maintain all contact information in the same database as the identifying information, which means that the personal data can be linked to the individual to whom it relates.