A controller wants to switch processors. What must be reviewed before making this change so that the controller remains GDPR compliant?
A. The location of the new processor's headquarters.
B. Require the old processor to erase data.
C. Require the old processor to port the data.
D. Verify that the new processor has sufficient security guarantees.
Correct Answer: D
Verify that the processor offers sufficient security guarantees, which are essential for the controller to remain in compliance with the GDPR. Remember that the responsibility always lies with the controller, who must take care of the data of the data subjects entrusted to him.
Recital 81 mentions the following:
(81) To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organizational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.
Question 42:
Who should ask for an opinion after conducting an impact assessment on the protection of personal data (DPIA)?
A. DPO
B. Controller
C. Supervisory Authority
D. Processor
Correct Answer: A
The controller is responsible for performing the DPIA. However, after carrying it out, the controller must seek the opinion of the DPO, who is in charge of data protection, so that the DPO can give an opinion, favorable or not, on the continuation of the processing.
Article 35 of GDPR
2. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.
Question 43:
Processing carried out by a processor is governed by a contract or other legal act under Union or Member State law, which binds the processor to the controller.
What does this contract or other legal act stipulate?
A. A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.
B. The processor assists the controller through technical and organizational measures to enable it to fulfill its obligation to respond to requests from data subjects.
C. The description of categories of data subjects and categories of personal data
D. The purpose of data processing
Correct Answer: B
Article 28 of the GDPR, in its paragraph 3, states:
That contract or other legal act shall stipulate, in particular, that the processor:
a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
c) takes all measures required pursuant to Article 32;
d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;
f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;
g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
Question 44:
What is the main reason for performing data protection by design (from conception)?
A. Develop technical measures for the protection of personal data.
B. Enable better marketing campaigns targeted at customers.
C. Collect as much data as possible for data processing.
D. Reduce the risk of not meeting legal obligations.
Correct Answer: D
When we talk about protection by design, we are considering data protection throughout the data lifecycle, from collection, processing, sharing, storage and deletion.
When we focus on protecting data at all of these stages, the risk of not meeting any legal obligations is significantly reduced.
Question 45:
We know that when browsing the internet there is a lot of personal data that is collected. One mechanism for collecting this data is cookies.
How do marketers use this collected personal data?
A. Collecting logs from web servers and running campaigns promoting products on social media.
B. Collecting the logs from the web servers, they analyze which products are most visited and sold, promoting marketing campaigns for these products.
C. They create behavioral profiles, applying tags to web page visitors. These profiles can be marketed and used in targeted marketing campaigns.
Correct Answer: C
There are several types of cookies, each with its own purpose.
Cookies are considered personal data, as they can identify a person.
In the case of this question we are talking about tracking cookies. These monitor our browsing activities and bombard us with advertisements.
You may have already encountered the situation of searching for a particular product on the internet and then seeing ads for that product, or similar ones, on various websites.
Question 46:
The Traffic Department of a city wants to know how many cars travel daily in order to plan the number of spaces needed to implement a rotating parking system.
To do this, cameras were installed at strategic points. Through image recognition software it is possible to capture the license plate and know how many cars traveled in the city. A monthly report is issued with the average number of cars present each day.
Signs and posters were spread around the city informing drivers and citizens what is the purpose of processing and that the data will be stored for up to five years, for future comparison.
What basic principle of legitimate processing of personal data is being violated in this case?
A. Personal data must be kept in a way that allows the identification of data subjects for a period not longer than necessary.
B. Personal data must be processed transparently in relation to the data subject.
C. Personal data must be processed in a way that guarantees the appropriate security of personal data.
D. Personal data must be collected for specific, explicit and legitimate purposes and must not be further processed for incompatible purposes.
Correct Answer: A
Here we have a very common trap in EXIN exams.
As stated, "a monthly report is issued". Therefore, once the report with the average number of cars for each day has been issued, there is no longer any need to keep the license plate records. The information on the average number of cars per day is already sufficient for planning the rotating parking system, and also sufficient for a future comparison. So there is no need to keep personal data stored for 5 years.
You may be wondering whether a license plate is personal data. The answer is yes. Any information that makes it possible to identify a person is considered personal data.
A real and interesting example was a wife who identified her husband's car at a friend's house through Google Maps. License plates on Google Maps are blurred for security, but the car had a distinctive sticker. Note that the wife combined two pieces of information, the car model and the sticker, to identify her husband. In isolation neither of these is personal data, but together they become personal data, because it was possible to identify him.
Luckily for the wife, who discovered his affair with her friend.
Question 47:
What is the main purpose of cookies?
A. Identify user preferences, identify the user and it can also save login to a website.
B. Save the browser history, making it easier for the user to access the page again in the future.
C. Display advertisements directed to the user, using information collected from the browser.
D. Infect computers so that unsolicited advertisements are displayed in the browser.
Correct Answer: A
There are several types of cookies, each with its own purpose.
Cookies are considered personal data, as they can identify a person.
They are stored on our computers.
You may have come across the situation of searching for a particular product on the internet and then seeing ads for that product, or similar ones, on various websites.
Cookies are used to provide this information.
Question 48:
Which of the options below best represents data protection by design?
A. It aims to incorporate security measures to protect data from the moment it is collected, throughout the processing and until its destruction at the end of the process
B. It aims to ensure that personal data is automatically part of a protection process.
C. It aims to create privacy impact analysis procedures (DPIA), notifications of breaches of privacy and fulfil requests from data subjects.
Correct Answer: A
When we talk about protection by design, we are considering data protection throughout the data lifecycle, from collection, processing, sharing, storage and deletion.
Question 49:
A company located in France wishes to enter into a binding contract with a processor located in Portugal. This contract aims to process sensitive French personal data. The Portuguese Supervisory Authority is informed about this contract and the type of processing.
How should the Portuguese Supervisory Authority proceed, in accordance with the General Data Protection Regulation (GDPR)?
A. Supervise the processing of personal data according to the guidelines of the Supervisory Authority of Portugal.
B. Report the data processing to the French Supervisory Authority, which must take over the supervision.
C. Verify that adequate compulsory contracts have been established and leave supervision to the French Supervisory Authority.
D. Supervise the processing of personal data in accordance with the French Supervisory Authority legislation.
Correct Answer: C
When the processor and the controller are both located in EEA countries, the competent authority is the one where the controller is located; however, the supervisory authority of the processor is considered a concerned supervisory authority (one that has an interest in the processing).
Therefore, the processor's supervisory authority evaluates and approves the clauses of the contract, in accordance with Article 57 of the GDPR, and must notify the controller's supervisory authority.
In its Article 57, the GDPR sets out the tasks of the supervisory authority.
In its first paragraph, items "r" and "s":
r) Authorise contractual clauses and provisions referred to in Article 46(3);
s) Approve binding corporate rules pursuant to Article 47.
Question 50:
Regarding the right to data portability for data subjects, which option is correct?
A. The data subject has the right to object at any time, for reasons related to their particular situation, so that the data is not shared between controllers.
B. The data subject has the right to ask the controller to rectify, erase or limit the processing of personal data with respect to the data subject if he has shared his data.
C. The data subject has the right to transmit his data to another controller without the controller that already holds the personal data provided being able to prevent it.
D. The data subject has the right to obtain from the controller the limitation of processing so that the data is shared.
Correct Answer: C
Article 20, Right to data portability:
1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.