What is the main objective of the "Lifecycle Protection" principle?
A. All appropriate measures shall be taken to ensure that inaccurate data, taking into account the purposes for which they are processed, are erased or rectified without delay.
B. The processing of data must take place in a manner that ensures its security, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage.
C. Security measures should be in place from the moment data are collected until they are deleted.
D. Data must be collected for specified, explicit and legitimate purposes and may not be further processed in a manner incompatible with those purposes.
Correct Answer: C
Data Life Cycle Management (DLM)
It aims to manage the flow of data throughout its lifecycle: collection, processing, sharing, storage and deletion.
Knowing where the data travels, who is responsible for it and who has access to it makes it much easier to implement security measures.
Question 103:
After appearing in a photo posted by a friend on a social network, a person felt embarrassed and decided that he wants the photo to be deleted.
According to the General Data Protection Regulation (GDPR), does that person have the right to delete this photo?
A. False
B. True
Correct Answer: B
The GDPR does not apply to the use of personal data for domestic purposes; however, in this example the controller is the social network, as it performs the processing of the photos. Therefore, the data subject has the right to have this photo deleted.
For domestic purposes, data collection is not intended for professional or commercial purposes. Examples are get-togethers of friends and family, where we may collect names, phone numbers and e-mails to help organize the event, as well as take pictures to record the moment. But if you have a blog where you record several moments with your friends and you monetize it in some way, watch out: you are within the scope of the GDPR.
Recital 18 states: "This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities."
Question 104:
Which of the parties below can implement data protection by design (from conception)?
A. The data subject.
B. The Data Protection Officer (DPO).
C. The processor.
D. The supervisory authority.
Correct Answer: C
It is the duty of the processor to guarantee security in the processing of the data entrusted to it by the controller.
Question 105:
In the contract between the controller and processor for the processing of personal data, which of the options below represents the sole responsibility of the Controller?
A. Erase all personal data after the completion of processing-related services, deleting existing copies.
B. Process personal data only on documented instructions, including with regard to data transfers to third countries or international organizations.
C. Ensure that the persons authorized to process personal data have made a commitment to confidentiality.
D. Apply technical and organizational measures to ensure that only personal data that are necessary for each specific purpose of processing are processed.
Correct Answer: D
The correct option is the sole responsibility of the controller; the others are obligations of the processor, in accordance with Articles 25 and 28 of the GDPR.
Question 106:
Which organizations need to comply with the General Data Protection Regulation (GDPR)?
A. Only organizations that have employees in the European Union (EU).
B. Only organizations that have their headquarters in the European Union (EU).
C. All organizations anywhere in the world.
D. All organizations located in the European Union and also organizations outside the European Union that offer goods or services to data subjects in the EU.
Correct Answer: D
This is the question that raises the most doubts: "Who needs to comply?". For example:
1. If you have a company in Brazil that sells products or services and processes personal data of residents in the EU, your company must comply with the GDPR.
2. If you have a company located in the EU and handle personal data.
Transcribing here part of Article 3 of the GDPR:
1. This Regulation applies to the processing of personal data carried out in the context of the activities of an establishment of a controller or a processor located in the territory of the Union, regardless of whether the processing takes place inside or outside the Union.
2. This Regulation applies to the processing of personal data of data subjects residing in the territory of the Union, carried out by a controller or processor not established in the Union, when the processing activities are related to:
a) The provision of goods or services to such data subjects in the Union, regardless of whether the data subjects are required to make a payment;
b) The monitoring of their behaviour, provided that such behaviour takes place in the Union.
Question 107:
A company is planning to process personal data. The recently appointed data protection officer (DPO) executes a data protection impact assessment (DPIA). The DPO finds that all computers have a setting causing monitors to show a screen saver after five seconds of inaction. However, the computers are not locked automatically. When employees leave their desk, they usually do not lock their computers either. What is this an example of?
A. Security incident
B. Personal data breach
C. Security vulnerability
D. Data access
Correct Answer: C
Data access. Incorrect. The data have not been accessed.
Personal data breach. Incorrect. No personal data has been processed unauthorized yet, so it is not a breach.
Security incident. Incorrect. Processing has yet to begin, so there is no reason to assume an incident has taken place.
Security vulnerability. Correct. Confidentiality of the data cannot be guaranteed if employees leave their workstation without locking the computer. (Literature: A, Chapter 2; GDPR Article 5(1)(f))
Question 108:
The GDPR states in one of its principles that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Which principle is this?
A. integrity and confidentiality
B. purpose limitation
C. data minimization
D. lawfulness, fairness and transparency
Correct Answer: C
In Article 5, which deals with the principles relating to the processing of personal data, paragraph 1, the GDPR states:
1. Personal data shall be:
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');
Article 5 lists all the GDPR principles for the processing of personal data.
The data minimisation principle reflects the intent of the law that only the data required for the processing should be collected.
This is also favourable to businesses: the less data is collected, the less likely violations are to occur, and consequently the impact of any violation also decreases. Reference: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679
Question 109:
The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. What is the legal status of this regulation?
A. The GDPR is a functioning law in all EU Member States and Member States cannot modify it.
B. The GDPR is only a recommendation. Member States should create laws to suit.
C. Some articles in the GDPR provide guidance and allow Member States to draft more specific laws to suit.
Correct Answer: A
When we have a Regulation, such as the GDPR, all EU Member States are obliged to follow it. The Regulation is law, and Member States cannot create laws that oppose it. This is unlike Directives, which set objectives to be achieved but leave each Member State free to decide how to apply them in its own country.
Question 110:
A written contract between a controller and a processor is called a data processing agreement. According to the GDPR, what does not have to be covered in the written contract?
A. The contractor code of business ethics and conduct that is used.
B. Which data are covered by the data processing agreement
C. The information security and personal data breach procedures
D. The technical and organizational measures implemented
Correct Answer: A
The contractor code of business ethics and conduct that is used. Correct. Although the GDPR endorses the use of codes of conduct and certification, it is not an obligation to have this clause to demonstrate compliance with the GDPR. (Literature: A, Chapter 8; GDPR Article 28(3))
The information security and personal data breach procedures. Incorrect. This is mandatory because it describes the obligations of the processor regarding the notification of a personal data breach (by the controller) to the supervisory authority.
The technical and organizational measures implemented. Incorrect. This is mandatory because it describes the technical and organizational measures the processor must take.
Which data are covered by the data processing agreement. Incorrect. This is mandatory because it describes the personal data, including special category personal data, covered by the contract.