Which EU legislation allows data to be transferred between the European Economic Area (EEA) and the United States (USA)?
A. An adequacy decision based on the Privacy Shield program
B. A transfer made on the basis of World Trade Organization legislation
C. European Union Directive 95/46/EC
D. A transfer made under UN law
Correct Answer: A
In July 2016, Implementing Decision 2016/1250 came into force. It found that the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in the United States under the EU-U.S. Privacy Shield (Privacy Shield). (Note that the Court of Justice of the European Union invalidated this decision in July 2020 in the Schrems II judgment, so it no longer provides a lawful basis for such transfers.)
This adequacy decision was needed because the United States has no single federal law on the protection of personal data; each state can enact its own laws. Privacy Shield aimed to provide a uniform standard, so that companies in the European Union and the United States could exchange personal data when offering their services.
Article 1 of Implementing Decision 2016/1250:
1. For the purposes of Article 25(2) of Directive 95/46/EC, the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in the United States under the EU-U.S. Privacy Shield.
2. The EU-U.S. Privacy Shield is constituted by the Principles issued by the U.S. Department of Commerce on 7 July 2016 as set out in Annex II and the official representations and commitments contained in the documents listed in Annexes I, III to VI.
3. For the purpose of paragraph 1, personal data are transferred under the EU-U.S. Privacy Shield where they are transferred from the Union to organisations in the United States that are included in the 'Privacy Shield List', maintained and made publicly available by the U.S. Department of Commerce, in accordance with Sections I and III of the Principles set out in Annex II.
Question 32:
When is a Data Protection Impact Assessment (DPIA) under the General Data Protection Regulation (GDPR) mandatory?
A. Application of new technologies that may imply a high risk to the rights and freedoms of data subjects.
B. There is no security policy and information security risk analysis.
C. In all types of personal data processing.
Correct Answer: A
Whenever a new technology is applied that is likely to result in a high risk to data subjects, a DPIA must be performed. In addition, the DPIA must be carried out before the processing of personal data starts, so that risks to data subjects are identified from the moment of data collection.
Article 35 of the GDPR regulates the data protection impact assessment:
1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
Question 33:
What is the term used in the General Data Protection Regulation (GDPR) for the disclosure of, or unauthorized access to, personal data?
A. Security incident
B. Incident
C. Breach of confidentiality
D. Data breach
Correct Answer: D
GDPR uses the term data breach.
Article 4(12):
'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Question 34:
According to the General Data Protection Regulation (GDPR), which category of personal data is considered to be sensitive data?
A. Labor union association
B. Passport number
C. Credit card details
D. Social security number
Correct Answer: A
Article 9: Processing of special categories of personal data:
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
Question 35:
A person who works for a union took home a draft newsletter to finish it. The thumb drive containing the draft and the contact list has been lost. To whom, among others, should this data breach be reported?
A. To all members of the contact list
B. To the Union staff
C. To the police
Correct Answer: A
Trade union membership is sensitive data, so the loss must be reported both to the supervisory authority and to the data subjects.
Question 36:
Which of these should appear in a Data Protection Impact Assessment (DPIA) according to the General Data Protection Regulation (GDPR)?
A. An assessment of the necessity and proportionality of the processing operations in relation to the purposes.
B. Data Protection Officer (DPO) contact and responsibilities.
C. An inventory and the flow of personal data within the organization.
D. A survey of other laws that must be taken into account in addition to the GDPR.
Correct Answer: A
Article 35 of the GDPR regulates the data protection impact assessment:
7. The assessment shall contain at least:
a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
Question 37:
To comply with the General Data Protection Regulation (GDPR) it is necessary to create a procedure for reporting data breaches to the Supervisory Authority.
As the controller is a public administration agency, which option is a requirement for this procedure?
A. It must contain a step to perform a Data Protection Impact Assessment (DPIA).
B. It must include an audit step.
C. It should include a step to consult the Data Protection Officer (DPO) in order to determine whether notification to the Supervisory Authority is necessary.
D. It must contain a step to notify the data subject.
Correct Answer: C
Not every breach that occurs has to be reported to the Supervisory Authority, but every breach must be analysed carefully. Notification to the Supervisory Authority may be omitted only if the breach is unlikely to result in a risk to the data subjects.
The DPO must always be involved, to advise on the best strategy and course of action for each breach that occurs.
Article 38 legislates on the position of the data protection officer:
1. The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
It is clear that the DPO (Data Protection Officer) must be involved in the entire personal data processing life cycle, from collection to deletion.
Question 38:
Who is responsible for demonstrating the compliance of personal data processing with the General Data Protection Regulation (GDPR)?
A. The Data Protection Officer (DPO)
B. The processor
C. The controller
D. The supervisory authority
Correct Answer: C
The controller is the party in direct contact with the data subject (see image). It is therefore the controller who has to demonstrate compliance, who must ensure the lawfulness of the processing, and who must implement the security measures.
Question 39:
What is the definition of Supervisory Authority according to the GDPR?
A. Individual or legal entity processing personal data on behalf of the person responsible for processing personal data.
B. An independent public authority created by a Member State.
C. Individual or legal entity that is not authorized to process personal data
D. Individual or legal entity that, individually or in conjunction with others, determines the purposes and means of processing personal data.
Correct Answer: B
Article 4 (Definitions) of the GDPR says in its paragraph 21:
'supervisory authority' means an independent public authority which is established by a Member State pursuant to Article 51.
Question 40:
A person buys a product at a store located in the European Economic Area (EEA). At the time of purchase, he is asked to fill out a registration form and gives his personal email address.
As is usual in many stores, over the following days this person starts receiving several marketing emails. He considers the frequency of these emails far too high. Exercising his rights, he asks the store to delete all his personal data.
Which right is the data subject exercising?
A. Right to erasure
B. Data subject's right of access
C. Right to restriction of processing
D. Right to rectification
Correct Answer: A
Article 17:
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.