According to the GDPR, what is a task of a supervisory authority?
A. Investigate security breaches of corporate information
B. Implement technical and organizational measures to ensure compliance
C. Monitor and enforce the application of the GDPR
Correct Answer: C
Implement technical and organizational measures to ensure compliance. Incorrect. This is the task of the controller.
Investigate security breaches of corporate information. Incorrect. Only breaches of personal data are a concern of the supervisory authority.
Monitor and enforce the application of the GDPR. Correct. This is the main task of any supervisory authority. (Literature: A, Chapter 7)
Question 22:
A Belgian company has their headquarters in France for tax purposes. They enter into a legally binding contract with a processor in the Netherlands for the processing of personal data of data subjects with various nationalities. A personal data breach occurs. The supervisory authorities start an investigation. Why is the French supervisory authority seen as the lead supervisory authority?
A. Because the company has their headquarters in France
B. Because France is located in the middle of Europe
C. Because France is the largest of the three EEA countries
Correct Answer: A
Because France is located in the middle of Europe. Incorrect. The geographical position of the countries is irrelevant.
Because France is the largest of the three EEA countries. Incorrect. The size of the countries is irrelevant.
Because the company has their headquarters in France. Correct. The country of the main establishment determines the lead supervisory authority. The 'main establishment' is the place of the central administration of that organization, or in other words: headquarters. (Literature: A, Chapter 7)
Question 23:
To plan the amount of parking space needed, a local government monitors and saves the license plate number of every car that enters and leaves the city center. They have obtained permission to collect data on the number of cars present in the city center. By comparing the license plate time of entry and exit the number of cars present every moment of each day is calculated. Each month a report is created detailing the average number of cars in the city center at specific moments for every day of the week. At every entrance to the city center, a billboard clearly states what data is collected by whom, the purpose of the processing and the fact that the license plate numbers are saved securely for up to two years, because the measurements will be repeated next year. Which of the basic principles for legitimate processing of personal data is violated in this scenario?
A. Personal data are processed in a manner that ensures appropriate security of the personal data.
B. Personal data are processed in a transparent manner in relation to the data subject
C. Personal data are kept in a form permitting identification of data subjects for no longer than is necessary.
D. Personal data are collected for specified, explicit and legitimate purposes and not further processed.
Correct Answer: C
Personal data are collected for specified, explicit and legitimate purposes and not further processed. Incorrect. The local government is entitled to collect data on the number of cars present.
Personal data are kept in a form permitting identification of data subjects for no longer than is necessary. Correct. In the given scenario, there is no need to retain the data of a specific car identifying the owner once it has left the area. (Literature: A, Chapter 2; GDPR Article 5)
Personal data are processed in a manner that ensures appropriate security of the personal data. Incorrect. The scenario does not suggest inappropriate security.
Personal data are processed in a transparent manner in relation to the data subject. Incorrect. The processing is taking place transparently, since it is communicated properly to the data subjects.
Question 24:
In the GDPR, some types of personal data are regarded as special category personal data. Which personal data are considered special category personal data?
A. An address list of members of a political party
B. A genealogical register of someone's ancestors
C. A list of payments made using a credit card
Correct Answer: A
A list of payments made using a credit card. Incorrect. Credit card data is personal data, but not special category data.
An address list of members of a political party. Correct. Personal data revealing political opinions is special personal data. (Literature: A, Chapter 1; GDPR Article 9(1))
A genealogical register of someone's ancestors. Incorrect. Genealogical information on living persons is personal data, but not special category. The GDPR does not apply to data on deceased persons.
Question 25:
What is the main use of a persistent cookie?
A. To save the pages a user has bookmarked in the user's browser history
B. To record every keystroke made by a computer user to find out passwords
C. To ensure that the user's personal data are stored securely on the server
D. To personalize the user's experience of the website during the next visit
Correct Answer: D
To ensure that the user's personal data are stored securely on the server. Incorrect. Cookies are not used to store data on the server.
To personalize the user's experience of the website during the next visit. Correct. This is the main purpose of a persistent cookie. (Literature: A, Chapter 8)
To record every keystroke made by a computer user to find out passwords. Incorrect. Cookies are not malicious by nature, but the mechanism can be exploited maliciously.
To save the pages a user has bookmarked in the user's browser history. Incorrect. The bookmarks and browser history are saved, but not in a cookie.
Question 26:
On July 12, 2016 the European Commission implemented a ruling regarding the transfer of personal data between the EEA and the US. The ruling is based on the data protection measures described in the EU-US Privacy Shield. What kind of ruling is this?
A. Derogation
B. Legally binding contract
C. Treaty superseding the GDPR
D. Adequacy decision
Correct Answer: D
Adequacy decision. Correct. The ruling is an adequacy decision regarding processing in third countries. (Literature: A, Chapter 7; GDPR Article 45 and Recitals (104) and (106))
Derogation. Incorrect. A derogation is for specific situations where a transfer is necessary, but there is no ruling permitting it. (Literature: GDPR Article 49(1)(q))
Legally binding contract. Incorrect. The ruling is an adequacy decision. A legally binding contract is between a processor and a controller.
Treaty superseding the GDPR. Incorrect. The ruling is an adequacy decision. It does not supersede the GDPR.
Question 27:
What is the legal status of the GDPR?
A. The GDPR is functional law in all member states of the EEA. Some Articles allow for member states law to provide for more specific rules.
B. The GDPR sets out minimum conditions and requirements. Member states need to pass national laws to meet these minimum requirements.
C. The GDPR is a recommendation of the European Commission that EEA countries' law authorities improve their laws on the protection of personal data.
Correct Answer: A
The GDPR is functional law in all member states of the EEA. Some Articles allow for member states law to provide for more specific rules. Correct. The GDPR is European law but the Regulation does not exclude Member state law that sets out the circumstances for specific processing situations. (Literature: A, Chapter 1; GDPR Recital 10)
The GDPR is a recommendation of the European Commission that EEA countries' law authorities improve their laws on the protection of personal data. Incorrect. An EU recommendation is not binding. The GDPR is a functional European law in all member states.
The GDPR sets out minimum conditions and requirements. Member states need to pass national laws to meet these minimum requirements. Incorrect. This is the description of an EU Directive.
Question 28:
A controller wants to outsource processing of personal data to a processor. What must be done before outsourcing?
A. The processor must show the controller that all demands agreed in the service level agreement (SLA) are met.
B. The controller and processor must draft and sign a written contract guaranteeing the confidentiality of the data.
C. The controller must ask the supervisory authority for permission to outsource the processing of the data.
D. The controller must ask the supervisory authority if the agreed written contract is compliant with the regulations.
Correct Answer: B
The controller must ask the supervisory authority for permission to outsource the processing of the data. Incorrect. The controller does not have to ask the supervisory authority for permission for each instance of outsourcing.
The controller must ask the supervisory authority if the agreed written contract is compliant with the regulations. Incorrect. The supervisory authority is not a legal counsel and will not check contracts for compliance.
The controller and processor must draft and sign a written contract guaranteeing the confidentiality of the data. Correct. There must be a written contract guaranteeing the confidentiality of the data, listing the purposes and means of processing as defined by the controller and specifying that the processor will only process on instruction of the controller. Both parties must sign this contract. (Literature: A, Chapter 8; GDPR Article 28(3))
The processor must show the controller that all demands agreed in the service level agreement (SLA) are met. Incorrect. An SLA is not enough as it will focus on operations, not necessarily on purposes.
Question 29:
A person is moving from city A to city B, within an EEA member state. In city A he was a patient of the local hospital A. In city B, he becomes a patient of hospital B. The patient has opted out of the national electronic patients file system. The patient asks hospital A to forward his medical file directly to hospital B. According to the GDPR, what is allowed?
A. The hospital in A can send the medical file to the data subject, but not to another hospital
B. The hospital in A can send the file to hospital B, before the patient has requested it
C. The hospital in A can send the data directly to hospital B, as requested by the patient.
D. The hospital in A cannot send the file, because there is no legitimate ground for processing
Correct Answer: C
The hospital in A can send the data directly to hospital B, as requested by the patient. Correct. The right to portability allows this. (Literature: A, Chapter 3)
The hospital in A can send the file to hospital B, before the patient has requested it. Incorrect. The hospital in B can only acquire the file from A with consent or if it is in the vital interest of the data subject and consent cannot be obtained.
The hospital in A can send the medical file to the data subject, but not to another hospital. Incorrect. The data subject can ask for the data to be sent directly.
The hospital in A cannot send the file, because there is no legitimate ground for processing. Incorrect. A request, which implies consent, of the data subject is a sufficient legitimate ground.
Question 30:
According to the GDPR, in what situation must data subjects always be notified of a personal data breach?
A. When personal data is processed at a facility of the processor that is not located within the borders of the EEA
B. When personal data is processed by a party that agreed to the draft processing contract but has not yet signed it
C. When the system on which the personal data is processed is attacked causing damage to its storage devices
D. When there is a significant probability that the breach will lead to a high risk for the privacy of the data subjects
Correct Answer: D
When personal data is processed at a facility of the processor that is not located within the borders of the EEA. Incorrect. The location where the data is processed is of no significance to the obligation to notify data subjects of personal data breaches.
When personal data is processed by a party that agreed to the draft processing contract but has not yet signed it. Incorrect. Personal data processed by a party other than the controller without a valid written contract is considered a personal data breach. In the given situation, however, negative consequences for the data subjects are unlikely. Notifying the data subject is not obligatory in that case.
When the system on which the personal data is processed is attacked causing damage to its storage devices. Incorrect. Damage to storage devices will make access to the data difficult or even impossible but does not imply illegal processing.
When there is a significant probability that the breach will lead to a high risk for the privacy of the data subjects. Correct. If there is a significant probability of negative impact on the data subjects, the controller is obliged to notify them of the breach. (Literature: A, Chapter 5)