A company CEO travels to a meeting in another city. He takes a notebook with information about the company's new projects and acquisitions, which will be the subject of discussion at this meeting. These are the only data stored on the notebook.
The notebook accidentally falls into the hotel's pool and all data is lost.
What happened, considering the General Data Protection Regulation (GDPR)?
A. A security incident
B. A vulnerability
C. A data breach
D. A security risk
Correct Answer: A
The purpose of GDPR is to protect personal data. In this case there was no loss of personal data, so it is not a data breach.
Important
A data breach is whenever something happens to personal data that was not planned, be it improper processing, improper sharing, loss of data, deletion, etc. That is, personal data must be used for a specific purpose, respecting the life cycle (from collection to deletion); any situation that escapes this cycle must be reported as a data breach.
Question 92:
How does GDPR regulate this specific case?
A woman uses the services of a gym in the city where she lives. Yet she will move to another town. So, she requests the current gym to transfer all her data, exercises, eating plans, physical evaluations, etc. to another gym in the new town.
A. The current gym is not obliged to answer the holder request, because this could jeopardize the secret of its business.
B. The current gym should send all her data directly to the new gym.
C. The gym of the new town should get in contact with the gym and request the data.
D. The current gym should provide the data to her.
Correct Answer: B
Article 20 of GDPR establishes the right to data portability.
Its second paragraph states:
In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
However, it is worth noting that paragraph 1 of this article states:
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format...
The question states that she requested that the data be transferred, which is why the correct answer is "The current gym should send all her data directly to the new gym." (B)
She also has the right to request her own data, so if the question had been phrased that way, the correct answer would be: "The current gym should provide the data to her." (D)
Question 93:
Which of the alternatives describes one of the Supervisory Authority's responsibilities?
A. Supervise the processing of data of holders residing in a country belonging to the European Economic Area (EEA).
B. Consider the nature of the treatment, and as far as possible, assist the controller in order to enable the controller to fulfill his obligation.
C. Provide the controller with all necessary information to demonstrate compliance with obligations.
D. Apply technical and organizational measures to ensure that only personal data that are necessary for each specific purpose of processing are processed.
Correct Answer: A
The correct option is a responsibility of the Supervisory Authority; the others are responsibilities of the processor.
GDPR Article 3 decrees:
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
Question 94:
How does a Supervisory Authority contribute to the application of GDPR?
A. Assists in the implementation of a data protection management system (at controller request).
B. Monitor and enforce the application of this Regulation.
C. Perform a Data Privacy Impact Analysis (DPI) at the request of the Data Protection Officer (DPO).
D. Determines technical safety measures to be applied to the controller.
Correct Answer: B
Article 57 sets out the tasks of the Supervisory Authority. Paragraph 1, item "a" says: "monitor and enforce the application of this Regulation".
Question 95:
What year did the General Data Protection Regulation (GDPR) come into force?
A. 2016
B. 2018
C. 2017
D. 2019
Correct Answer: B
The deadline for companies to adapt and comply with GDPR was May 25, 2018. This is an important date and should be memorized; this question commonly appears in the exam.
Article 99 of GDPR
1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
2. It shall apply from 25 May 2018.
Question 96:
Which of the following conflicts with the principle of limiting the purposes?
A. The data is sold to another company without the consent of the data subject.
B. Adapt the data to the purpose of the treatment.
C. Store the data in a way that allows the identification of the data subjects.
D. Data is used in an obscure manner to the data subject.
Correct Answer: A
The principle of purpose limitation says that personal data must be collected for specific, explicit and legitimate purposes and cannot be further processed in a way incompatible with those purposes.
When the data is sold to another company, we can conclude that it was acquired by a controller for a specific purpose and subsequently sold without the data subject's knowledge and consent.
Question 97:
After notifying the supervisory authority, what should be the first action the controller must take when it finds a security breach where unauthorized people have accessed personal data?
A. Contact the DPO for formal notification to the Supervisory Authority.
B. Analyze whether sensitive data has been accessed.
C. Register a Police Report at the cybercrime station.
D. Notify data subjects that have been subject to a security breach.
Correct Answer: B
It is necessary to check the extent of the personal data breach: what data has been accessed and what the risk to the data subjects is. Depending on this extent, in addition to notifying the supervisory authority, it may also be mandatory to notify the data subjects whose data was breached.
Question 98:
Data protection and privacy are closely related terms. Which of these options best represents this relationship?
A. Privacy is a part of data protection that aims to keep personal data confidential.
B. Data protection is a part of privacy that aims to keep personal data confidential.
C. The two terms have the same meaning. They are synonymous.
D. Without protection of personal data there is no privacy.
Correct Answer: D
A very repeated phrase is: "It is possible to have security without privacy, but it is not possible to have privacy without security".
Privacy is a right that should be protected, and data protection consists of the measures used to achieve this protection.
Question 99:
Which of these options is an example of a data breach?
A. Transfer of personal data outside the EU
B. Loss of personal data
C. A security incident related to corporate data.
Correct Answer: B
There is a catch here between the options "Loss of personal data" and "Transfer of personal data outside the EU".
A data breach is whenever something happens to personal data that was not planned, be it improper processing, improper sharing, loss of data, deletion, etc. That is, personal data must be used for a specific purpose, respecting the life cycle (from collection to deletion); any situation that escapes this cycle must be reported as a data breach.
The transfer of personal data outside the EU can also be considered a violation if there is no authorization from the data subject and the destination country does not offer legislation comparable to the GDPR. Even where there is no such legislation, the Supervisory Authority can authorize the transfer of data provided that the company in the destination country accepts standard contractual clauses for the processing of this data.
Article 46 of GDPR
1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
Article 58 of GDPR
3. Each supervisory authority shall have all of the following authorisation and advisory powers: to authorise contractual clauses referred to in point (a) of Article 46(3).
Question 100:
Which of the following types of transfers of personal data outside the European Economic Area (EEA) is allowed?
A. Transfer between country governments.
B. Transfers subject to the law of the countries involved.
C. Transfers conducted through Standard Contractual Clauses.
D. Transfers conducted under Compulsory Corporate Rules.
Correct Answer: D
Compulsory Corporate Rules are rules used internally by multinational companies to transfer personal data. They make it possible to transfer data between companies of the group, even if the destination company is in a country that does not have an adequate level of data protection. These rules are like an internal corporate code of conduct and do not cover transfers of personal data outside the corporate group.
Do not confuse "Compulsory Corporate Rules" with "Standard Contractual Clauses". The latter are clauses in contracts for international data transfers between companies (customer and supplier relationship) where the destination country does not have an adequate level of data protection, and they depend on authorization from the Supervisory Authority.
Article 58 of GDPR
3. Each supervisory authority shall have all of the following authorisation and advisory powers:
a) to advise the controller in accordance with the prior consultation procedure referred to in Article 36.