Question 1:
The General Data Protection Regulation (GDPR) is often known as the "European privacy law". What is the relationship between 'privacy' and 'data protection'?
A. Privacy is a part of data protection that aims to keep personal data confidential.
B. Data protection is a part of privacy that aims to keep personal data confidential.
C. The two terms have the same meaning. They are synonyms.
D. Data protection is the necessary measures to protect an individual's privacy.
Correct Answer: D
Data protection and privacy are complementary, but not the same thing.
A frequently repeated phrase is: "It is possible to have security without privacy, but it is not possible to have privacy without security".
Privacy is a right that must be protected, and data protection is the set of measures used to achieve this protection.
Question 2:
Your credit card has been cloned. A credit card contains various items of personal information. What category of data breach is this incident?
A. Material
B. Digital
C. Verbal
Correct Answer: B
Data breach categories:
Material: Loss of equipment or material with data, lost file folders, lost smartphones, etc.
Verbal: Indiscretion, shoulder surfing, intentional leakage of sensitive information, etc.
Digital (not material): Backdoors, incorrect coding, maladministration (e.g., patch management), insufficient security measures, card cloning, etc.
Question 3:
Which of the following constitutes a data breach under the General Data Protection Regulation (GDPR)?
A. A processor, after terminating its contract with the controller, deletes personal data.
B. A collaborator goes away without locking his workstation.
C. A backup is restored by the controller to a corrupted personal data server.
D. A notebook with financial reports from a multinational is stolen.
Correct Answer: B
Question 4:
Some data processing falls outside of the material scope of the GDPR. What type of processing is not subject to the GDPR?
A. Creating a back-up of biometric data for data security purposes
B. Collecting name and address information for a gymnastics club
C. Editing personal photographs before printing them at home
Correct Answer: C
Collecting name and address information for a gymnastics club. Incorrect. Collecting is also considered processing data.
Creating a back-up of biometric data for data security purposes. Incorrect. Storage is also considered processing data.
Editing personal photographs before printing them at home. Correct. The GDPR is not applicable to home use of your own photographs. (Literature: A, Chapter 1; GDPR Article 4)
Question 5:
The GDPR describes the principle of data minimization. How can organizations comply with this principle?
A. By applying the concept of least privilege to the personal data collected, stored or otherwise processed.
B. By limiting access rights to staff who need the personal data for the intended processing operations.
C. By limiting the personal data to what is adequate, relevant and necessary for the processing purposes.
D. By limiting file sizes, through saving all personal data that is processed in the smallest possible format.
Correct Answer: C
By applying the concept of least privilege to the personal data collected, stored or otherwise processed. Incorrect. Data minimization does not address least privilege.
By limiting access rights to staff who need the personal data for the intended processing operations. Incorrect. This describes the concept of limiting authorization for instance to comply with the principle of integrity and confidentiality.
By limiting file sizes, through saving all personal data that is processed in the smallest possible format. Incorrect. Data minimization according to the GDPR is not about storage size, but about minimizing the use of personal data.
By limiting the personal data to what is adequate, relevant and necessary for the processing purposes. Correct. This is the essence of the description in the GDPR. (Literature: A, Chapter 2; GDPR Article 5(1) (c))
Question 6:
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Which role in data protection is defined here?
A. Third party
B. Processor
C. Controller
D. Supervisory authority
Correct Answer: C
Controller: Correct. The controller determines the purpose and means of the processing. (Literature: A, Chapter 1; GDPR Article 4(7))
Processor: Incorrect. The controller determines the purpose of the processing, the processor works on the controller's instructions.
Supervisory authority: Incorrect. The supervisory authority monitors and enforces compliance with the GDPR requirements.
Third party: Incorrect. A third party has no role in determining the purpose of the processing. Any party that determines the purpose would become a new controller.
Question 7:
What is the relationship between data protection and privacy?
A. Data protection and privacy are synonyms and have the same meaning.
B. Data protection refers to the measures needed to protect a person's privacy.
C. Data protection is the part of privacy that protects a person's physical integrity.
Correct Answer: B
Data protection and privacy are synonyms and have the same meaning. Incorrect. Data protection helps to protect a person's privacy, but the terms are not synonyms.
Data protection is the part of privacy that protects a person's physical integrity. Incorrect. Data protection is not related to physical integrity or physical privacy.
Data protection refers to the measures needed to protect a person's privacy. Correct. Data protection comprises some of the measures needed to protect a person's privacy. (Literature: A, Chapter 1)
Question 8:
What is a description of data protection by design and by default?
A. Not holding more data than is strictly required for processing
B. An indication of timeframes if processing relates to erasure
C. Data may only be collected for explicit and legitimate purposes
D. An approach that implements data protection from the start
Correct Answer: D
An approach that implements data protection from the start. Correct. This is a correct description. (Literature: A, Chapter 8; GDPR Article 25(1))
An indication of timeframes if processing relates to erasure. Incorrect. This is a description of a data protection impact assessment (DPIA).
Data may only be collected for explicit and legitimate purposes. Incorrect. This is a description of measures taken to comply with the principle of purpose limitation.
Not holding more data than is strictly required for processing. Incorrect. This is a description of procedures to comply with the principle of data minimization.
Question 9:
One of the objectives of a data protection impact assessment (DPIA) is to strengthen the confidence of customers or citizens in the way personal data is processed and privacy is respected. How can a DPIA strengthen the confidence?
A. The organization proves that it takes privacy seriously and aims for compliance with the GDPR.
B. The organization minimizes the risk of costly adjustments in processes or the redesign of systems in a later stage.
C. The organization prevents non-compliance with the GDPR and minimizes the risk of fines.
Correct Answer: A
The organization minimizes the risk of costly adjustments in processes or the redesign of systems in a later stage. Incorrect. This aspect may strengthen the confidence of management, but not of customers or citizens.
The organization prevents non-compliance with the GDPR and minimizes the risk of fines. Incorrect. Preventing fines may strengthen the confidence of management, but not of customers or citizens.
The organization proves that it takes privacy seriously and aims for compliance with the GDPR. Correct. Doing a DPIA shows customers or citizens that the company is serious about data protection. (Literature: A, Chapter 8)
Question 10:
Which data subject right is explicitly defined by the GDPR?
A. A copy of personal data must be provided in the format requested by the data subject.
B. Personal data must always be erased if the data subject requests this.
C. Access to personal data must be provided free of charge for the data subject.
D. Personal data must always be changed at the request of the data subject.
Correct Answer: C
A copy of personal data must be provided in the format requested by the data subject. Incorrect. It must be provided in a structured, commonly used and machine-readable format, but not necessarily in any format the data subject specifies.
Access to personal data must be provided free of charge for the data subject. Correct. Data subjects have a right to a copy of their data free of charge. However, only the first copy has to be free. (Literature: A, Chapter 4)
Personal data must always be changed at the request of the data subject. Incorrect. Only erroneous data has to be rectified.
Personal data must always be erased if the data subject requests this. Incorrect. The right to erasure has several exceptions to this, for instance if the data are needed for the establishment, exercise or defense of legal claims.