The GDPR does not define privacy as a term but uses the concept implicitly throughout the text. What is a correct definition of privacy as implicitly used throughout the GDPR?
A. The right to respect for one's private and family life, home and personal correspondence
B. The right not to be disturbed by uninvited people, nor being followed, spied on or monitored
C. The fundamental right to protection of personal data, regardless of how it was obtained
D. The right to freedom of opinion and expression and to seeking, receiving and imparting information
Correct Answer: A
The fundamental right to protection of personal data, regardless of how it was obtained. Incorrect. This is a definition of data protection.
The right not to be disturbed by uninvited people, nor being followed, spied on or monitored. Incorrect. This is a definition of physical privacy. However, the GDPR does not concern itself with physical privacy.
The right to respect for one's private and family life, home and personal correspondence. Correct. This is the definition as implicitly used throughout the GDPR. (Literature: A, Chapter 1)
The right to freedom of opinion and expression and to seeking, receiving and imparting information. Incorrect. This is a short version of Universal Declaration of Human Rights Article 19: freedom of opinion and expression.
Question 12:
A security breach has occurred in an information system that also holds personal data. According to the GDPR, what is the very first thing the controller must do?
A. Assess the risk of adverse effects to the data subjects using a data protection impact assessment (DPIA)
B. Ascertain whether the breach may have resulted in loss or unlawful processing of personal data
C. Report the breach immediately to all data subjects and the relevant supervisory authority
D. Assess whether personal data of a sensitive nature has or may have been unlawfully processed
Correct Answer: B
Ascertain whether the breach may have resulted in loss or unlawful processing of personal data: Correct. The very first thing that needs to be done is ascertain that the security incident is in fact a personal data breach. (Literature: A, Chapter 5)
Assess the risk of adverse effects to the data subjects using a data protection impact assessment (DPIA): Incorrect. A DPIA is conducted when designing personal data processing operations. It is not a part of the procedure for a data breach.
Assess whether personal data of a sensitive nature has or may have been unlawfully processed. Incorrect. This is the next step if the incident proves to be a personal data breach - ascertain what type of data breach.
Report the breach immediately to all data subjects and the relevant supervisory authority. Incorrect. Whether the data breach needs to be reported and to whom depends on whether it is a data breach and if so, the type of data breach.
Question 13:
Organizations are obliged to keep a number of records to demonstrate compliance with the GDPR. Which record is not obligatory according to the GDPR?
A. A record of notifications sent to the supervisory authority regarding processing of personal data
B. A record of all intended processing together with the processing purpose(s) and legal justifications
C. A record of processors including personal data provided and the period this data can be retained
D. A record of data breaches with all relevant characteristics, including notifications
Correct Answer: A
A record of all intended processing together with the processing purpose(s) and legal justifications. Incorrect. A record of all intended processing with the purpose(s) and legal justifications must be kept.
A record of data breaches with all relevant characteristics, including notifications. Incorrect. A record of data breaches must be kept.
A record of notifications sent to the supervisory authority regarding processing of personal data. Correct. Prior consultation of high-risk processing is obligatory, but there is no need for a separate record of notifications sent. (Literature: A, Chapter 6; GDPR Article 36(1))
A record of processors including personal data provided and the period this data can be retained. Incorrect. A record of processors and data provided must be kept.
Question 14:
According to the GDPR, when is a data protection impact assessment (DPIA) obligatory?
A. When a project includes technologies or processes that use personal data
B. When processing is likely to result in a high risk to the rights of data subjects
C. When similar processing operations with comparable risks are repeated
Correct Answer: B
When a project includes technologies or processes that use personal data. Incorrect. Only for technologies and processes that are likely to result in a high risk to the rights of data subjects is the DPIA mandatory.
When processing is likely to result in a high risk to the rights of data subjects. Correct. For processing operations which are likely to result in a high risk, a DPIA is obligatory to assess those risks and to design mitigation measures. (Literature: A, Chapter 6; GDPR Article 35)
When similar processing operations with comparable risks are repeated. Incorrect. This is a case in which a DPIA does not need to be repeated.
Question 15:
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Which data processing principle is described here?
A. Purpose limitation
B. Data minimization
C. Accuracy
D. Fairness and transparency
Correct Answer: B
Accuracy. Incorrect. Accuracy is the principle that personal data shall be accurate and kept up to date.
Data minimization. Correct. Data minimization means that personal data shall be adequate, relevant and limited to what is necessary. (Literature: A, Chapter 2; GDPR Article 5(1))
Fairness and transparency. Incorrect. Fairness and transparency mean that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose limitation. Incorrect. Purpose limitation means that personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with GDPR Article 89(1), not be considered to be incompatible with the initial purposes.
Question 16:
A shopkeeper wants to register how many visitors enter his shop every day. A system detects the MAC-address of each visitor's smartphone. It is impossible for the shopkeeper to identify the owner of the phone from this signal, but telephone providers can link the MAC-address to the owner of the phone. According to the GDPR, is the shopkeeper allowed to use this method?
A. Yes, because the shopkeeper cannot identify the owner of the telephone
B. No, because the telephone providers are the owners of the MAC-addresses
C. No, because the telephone's MAC-address must be regarded as personal data
D. Yes, because the visitor has automatically consented by connecting to the Wi-Fi
Correct Answer: C
Yes, because the shopkeeper cannot identify the owner of the telephone. Incorrect. The issue is not whether the shopkeeper can identify the visitor, but that it is technically possible to do so.
Yes, because the visitor has automatically consented by connecting to the Wi-Fi. Incorrect. Consent must be an active, informed and free act of agreement to the processing. To see a MAC-address, the visitor does not need to be logged onto the Wi-Fi.
No, because the telephone's MAC-address must be regarded as personal data. Correct. The phone's signal is a unique code that can be linked to the owner of the phone. The data must be regarded as personal data, because it is technically possible to identify the visitor. (Literature: A, Chapter 3; GDPR Article 26 and 30)
No, because the telephone providers are the owners of the MAC-addresses. Incorrect. The shopkeeper is not allowed to keep the data or process it because it must be regarded as personal data. The telephone provider is not the owner of the MAC-address, nor is the telephone provider protected by the GDPR.
Question 17:
The GDPR refers to the principles of proportionality and subsidiarity. What is the meaning of subsidiarity in this context?
A. Personal data may only be processed when there are no other means to achieve the purposes.
B. Personal data cannot be reused without explicit and informed consent.
C. Personal data can only be processed in accordance with the purpose specification.
D. Personal data must be adequate, relevant and not excessive in relation to the purposes.
Correct Answer: A
Personal data can only be processed in accordance with the purpose specification. Incorrect. This is one of the legal limitations.
Personal data cannot be reused without explicit and informed consent. Incorrect. This is one of the legal limitations.
Personal data may only be processed when there are no other means to achieve the purposes. Correct. This is the definition of subsidiarity. (Literature: A, Chapter 3; GDPR Article 35(7))
Personal data must be adequate, relevant and not excessive in relation to the purposes. Incorrect. This is the definition of proportionality.
Question 18:
A company wishes to use personal data of their customers. They wish to start sending all female customers a customized newsletter. What right do all data subjects have in this scenario?
A. The right to rectification
B. The right to compensation
C. The right to object to profiling
Correct Answer: C
The right to compensation. Incorrect. It is unlikely that all data subjects will suffer harm that must be compensated in this scenario.
The right to object to profiling. Correct. All data subjects have a right to object to the processing of personal data for direct marketing, including profiling. This is clearly profiling. (Literature: A, Chapter 4)
The right to rectification. Incorrect. It is unlikely that the company has incorrect data on all data subjects, so the right to rectification does not apply.
Question 19:
What is the purpose of a data protection audit by the supervisory authority?
A. To monitor and enforce the application of the GDPR by assessing that processing is performed in compliance with the GDPR.
B. To fulfill the obligation in the GDPR to implement appropriate technical and organizational measures for data protection.
C. To advise the controller on the mitigation of privacy risks to protect the controller from liability claims for non-compliance.
Correct Answer: A
To advise the controller on the mitigation of privacy risks to protect the controller from liability claims for non-compliance. Incorrect. The supervisory authority has the task to monitor compliance and to advise on enhancements, but its purpose is not to protect the controller.
To fulfill the obligation in the GDPR to implement appropriate technical and organizational measures for data protection. Incorrect. The audit is not the implementation of the measures, but an assessment of the effectiveness of them.
To monitor and enforce the application of the GDPR by assessing that processing is performed in compliance with the GDPR. Correct. According to the GDPR this is an important task of a supervisory authority. (Literature: A, Chapter 7; GDPR Article 57 (1)(a))
Question 20:
One of the seven principles of data protection by design is Functionality - Positive-Sum, not Zero-Sum. What is the essence of this principle?
A. If different types of legitimate objectives are contradictory, the privacy objectives must be given priority over other security objectives.
B. Applied security standards must assure the confidentiality, integrity and availability of personal data throughout their lifecycle.
C. Wherever possible, detailed privacy impact and risk assessments should be carried out and published, clearly documenting the privacy risks.
D. When embedding privacy into a given technology, process, or system, it should be done in such a way that full functionality is not impaired.
Correct Answer: D
Applied security standards must assure the confidentiality, integrity and availability of personal data throughout their lifecycle. Incorrect. This is an aspect of End-to-End Security - Lifecycle Protection, one of the other six basic principles.
If different types of legitimate objectives are contradictory, the privacy objectives must be given priority over other security objectives. Incorrect. Data protection by design rejects the idea that privacy competes with other interests, design objectives, and technical capabilities.
When embedding privacy into a given technology, process, or system, it should be done in such a way that full functionality is not impaired. Correct. This is the essence. (Literature: A, Chapter 8; GDPR Article 25)
Wherever possible, detailed privacy impact and risk assessments should be carried out and published, clearly documenting the privacy risks. Incorrect. This is an aspect of Privacy Embedded into Design, one of the other six basic principles.