EXIN EXIN Certifications PDPF Questions & Answers

• Question 51:

  The General Data Protection Regulation (GDPR) is related to the protection of personal data. What is the definition of personal data?

  A. Preservation of confidentiality, integrity and availability of information

  B. Any information regarding an identified or identifiable natural person

  C. Any information that European citizens want to protect

  D. Data that directly or indirectly reveals racial or ethnic origins, someone's religious views, and their data related to sexual health and habits

  Correct Answer: B

  In its first paragraph of Article 4, the GDPR defines:

  `personal data' means any information relating to an identified or identifiable natural person...

• Question 52:

  The illegal collection, storage, modification, disclosure or dissemination of personal data is an offense under European law.

  What kind of offense is this?

  A. An offense related to content

  B. An offense to intellectual property

  C. An economic offense

  D. An offense to privacy

  Correct Answer: D

  An offense to privacy, as any illegal processing of personal data is considered an offense.

• Question 53:

  What is the purpose of Data Lifecycle Management (DLM)?

  A. Ensure data integrity and its periodic update

  B. Ensure data confidentiality and availability throughout its useful life.

  C. Ensure that the processing of personal data, throughout its useful life complies with the GDPR

  D. Ensure data confidentiality throughout its useful life, from collection to deletion.

  Correct Answer: C

  It aims to manage the flow of data throughout the life cycle, from collection, processing, sharing, storage and deletion.

  Having the knowledge where the data travels, who is responsible, who has access, helps and a lot to implement security measures.

• Question 54:

  A controller asks a processor to produce a report containing customers who have purchased a particular product more than once in the past 6 months.

  The processor provides services to several companies (which in this case are the controllers).

  When generating the requested report, it uses customer data collected by another controller, that is, for a different purpose.

  Fortunately, the error is noticed in time, the report is not sent, and nobody has had access to this data.

  In this case, how does the processor need to proceed and what action should the controller take?

  A. The processor notifies the Supervisory Authority that a violation has occurred. The controller will be notified and must perform a Data Protection Impact Assessment (DPIA).

  B. The processor needs to notify the controller. And the controller can assess whether there were risks to the data subjects.

  C. The processor needs to notify the controller so that the controller notifies the Supervisory Authority of the personal data breach.

  D. As the error was noticed in time and the report was not sent, there is no need for the processor to inform the controller. The processor must delete the wrong report and generate a new one, this time with the correct data.

  Correct Answer: B

  In the example of this question, there is likely to be no risk to the data subjects or if it exists it will be very low, but this does not exempt the processor from notifying the Controller. However, at least the Controller should assess whether there is a need to notify the Supervisory Authority.

• Question 55:

  Article 33 of the GDPR deals with "Notification of a personal data breach to the supervisory authority".

  Paragraph 3 sets out the minimum information that must be included in this notification.

  Which of the below is one of these?

  A. The contact of the data protection officer or another point of contact where more information could be obtained.

  B. Contact information for all data subjects.

  C. A copy of the breached personal data to be analyzed.

  Correct Answer: A

  These are the minimum information that a notification of personal data breach to the supervisory authority must contain:

  3. The notification referred to in paragraph 1 shall at least:

  a) Describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

  b) Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

  c) Describe the likely consequences of the personal data breach;

  d) Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

• Question 56:

  According to the General Data Protection Regulation (GDPR) which covers the concept "Compulsory Corporate Rules"?

  A. Decision made by a corporation to transfer data to another country.

  B. Contractual clauses to transfer data to a country that does not have a data protection law.

  C. A set of rules used by a group of companies regarding the protection of personal data in international transfers

  D. Rules covering data transfers between several countries.

  Correct Answer: C

  Compulsory Corporate Rules are rules used internally by multinational companies to transfer personal data. Thus, it is possible to transfer data between them, even if the destination company is in a country that does not have an adequate level of data protection. These rules are like an internal corporate code of conduct and do not cover transfers of personal data outside the corporate group.

  Do not confuse "Compulsory Corporate Rules" with "Standard Contractual Clauses". The last are clauses in contracts for international data transfer between companies (customer and supplier relationship) where the destination country does not have an adequate level of data protection, and depends on authorization from the Supervisory Authority.

  Article 58 of GDPR

  3. supervisory authority shall have all of the following authorisation and advisory powers:

  a) to advise the controller in accordance with the prior consultation procedure referred to in Article 36.

• Question 57:

  Regarding the Supervisory Authority's "Investigative Powers", it is correct to state:

  A. it has the power to order the suspension of sending data to recipients in third countries or to international organizations

  B. you have the power to order the controller to report a personal data breach to the data subject

  C. it has the power to notify the controller or processor of alleged GDPR violations

  D. it has the power to conduct impact assessments on data privacy

  Correct Answer: C

  The numerous powers of the Supervisory Authority are divided into:

  -Investigative powers;

  -Correcting powers;

  -Advisory and authorization powers.

  The investigative powers provided for in Article 58, Paragraph 1 are:

  a) To order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks; b) To carry out investigations in the form of data protection audits; c) To carry out a review on certifications issued pursuant to Article 42(7); d) To notify the controller or the processor of an alleged infringement of this Regulation; e) To obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks; f) To obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.

• Question 58:

  The General Data Protection Regulation (GDPR) in its Article 30 legislates on the Records of treatment activities.

  If requested, the controller must provide these records:

  A. To the data processor

  B. To the Data Protection Officer (DPO)

  C. The supervisory authority

  D. To the European Commission

  Correct Answer: C

  Article 30 in its first paragraph legislates:

  1. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility.

  Recital 82 mentions:

  In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.

• Question 59:

  What is the main difference between Directive 95/46 / EC and the General Data Protection Regulation (GDPR)?

  A. The GDPR offers guidance for EU Member States and can create their own laws to comply with the regulation. Directive 95/46 / EC has the force of law and all EU Member States must follow it without changing.

  B. Directive 95/46 / EC offers guidance for EU Member States and can create their own laws to suit the directive. The GDPR has the force of law and all EU Member States must follow it without changing it.

  Correct Answer: B

  When we have a Regulation, such as the GDPR, all EU Member States are obliged to follow it and have a fixed date to entry into force. The regulation is a law and Member States cannot create laws that oppose it. Unlike the Directives that set objectives to be achieved, however, each Member State is free to decide how to apply them in their countries.

  Important

  Prior to the GDPR, there was a Directive "95/46 / EC First Data Protection Directive. Approved in 1995, it was already aimed at protecting personal data. This directive was replaced by GDPR.

  "Article 94: 1. Directive 95/46 / EC is repealed with effect from 25 May 2018."

  In the EXIN PDPF exam this is an issue that is routinely asked. "Which directive has been replaced by GDPR?" Answer: 95/46 / EC.

• Question 60:

  What is the definition of Processor according to GDPR?

  A. Individual or legal entity that is not authorized to process personal data

  B. An independent public authority created by a Member State

  C. Individual or legal entity that processes personal data on behalf of the person responsible for processing personal data.

  D. Individual or legal entity that, individually or in conjunction with others, determines the purposes and means of processing personal data.

  Correct Answer: C

  Article 4 dealing with the GDPR Definitions says in its paragraph 8: `processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.