According to the principle of purpose limitation, data should not be processed beyond the legitimate purpose defined. However, further processing is allowed in a few specific cases, provided that appropriate safeguards for the rights and freedoms of the data subjects are taken. For which purpose is further processing not allowed?
A. For archiving purposes in the public interest
B. For generalized statistical purposes
C. For scientific or historical research purposes
D. For direct marketing and commercial purposes
Correct Answer: D
For archiving purposes in the public interest. Incorrect. With the safeguards in place, further processing is allowed for archiving purposes in the public interest.
For direct marketing and commercial purposes. Correct. This is not an allowed purpose for further processing if it is not the original legitimate purpose of the processing. (Literature: A, Chapter 2)
For generalized statistical purposes. Incorrect. With the safeguards in place, further processing is allowed for generalized statistical purposes.
For scientific or historical research purposes. Incorrect. With the safeguards in place, further processing is allowed for research purposes.
Question 62:
How is Data Lifecycle Management (DLM) related to data protection?
A. The DLM makes it possible to create a profile of the data subject.
B. DLM manages the data flow throughout its life cycle.
C. DLM makes it possible to know the risks and plans how to mitigate them.
Correct Answer: B
DLM aims to manage the flow of data throughout its life cycle: collection, processing, sharing, storage and deletion.
Knowing where the data travels, who is responsible for it and who has access to it helps a great deal in implementing security measures.
Question 63:
How should data protection between the processor and controller be regulated in accordance with the General Data Protection Regulation (GDPR)?
A. Contract
B. Supervisory Authority endorsement.
C. Compulsory Corporate Rules.
D. Standard contractual clauses.
Correct Answer: A
GDPR requires that there is a contract between the processor and the controller. This contract establishes rules and responsibilities such as: the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, and the obligations and rights of the controller. Quote from Article 28:
3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
Question 64:
An Independent Supervisory Authority has several responsibilities. Which of the following is one of these?
A. Supervise the application of the General Data Protection Regulation (GDPR).
B. Assist in the elaboration and adaptation of the specific data protection laws of each country.
C. Conduct a Data Protection Impact Assessment (DPIA).
D. Assist in the planning of a Personal Data Protection Management System when requested by the Controller.
Correct Answer: A
It is up to a supervisory authority to inspect and take measures to compel companies to conform to the GDPR.
According to paragraph 1 of Article 51:
1. Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union ('supervisory authority').
Chapter VI of the GDPR covers the rules on independent supervisory authorities.
Question 65:
A gentleman has a loan denied by the system of a bank of which he has been a customer for many years. He is upset, because the loan would make it possible to hold the wedding of his only granddaughter.
He contacts the bank and asks for explanations. He wants to know exactly why his loan was denied and based on what information.
What right is required by the data subject according to the GDPR?
A. Right to limitation of treatment
B. Right to rectification
C. Data subject's right of access
D. Right to object and automated individual decision-making
Correct Answer: D
Article 22 addresses this kind of harm to the data subject under the heading "Automated individual decision-making, including profiling":
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Question 66:
What is the definition of Controller according to GDPR?
A. An independent public authority created by a Member State
B. Individual or legal entity that, individually or in conjunction with others, determines the purposes and means of processing personal data.
C. Individual or legal entity that is not authorized to process personal data.
D. Individual or legal entity that processes personal data on behalf of the person responsible for processing personal data.
Correct Answer: B
Article 4 of the GDPR (Definitions) says in its paragraph 7:
'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Question 67:
While performing a backup, a data server disk crashed. Both the data and the backup are lost. The disk contained personal data, but no special category personal data. The processor states that this is a personal data breach. Is the statement of the processor true?
A. Yes, because there were no special category personal data stored on the disk.
B. No, because no personal data on the disk were processed, only destroyed
C. Yes, because the personal data on the disk were unlawfully processed.
D. No, because this is only a security incident and not a data breach
Correct Answer: C
Yes, because the personal data on the disk were unlawfully processed. Correct. Personal data irretrievably lost is regarded as 'a breach of security leading to unlawful destruction of personal data', which also makes it a personal data breach. (Literature: A, Chapter 5; GDPR Article 4(12))
Yes, because there were no special category personal data stored on the disk. Incorrect. Accidental loss of data is a security incident (data is no longer available). According to the GDPR it is also unlawful processing of personal data, hence a personal data breach. Data do not have to belong to the category of special personal data to fall under the category personal data breach.
No, because no personal data on the disk were processed, only destroyed. Incorrect. A technical malfunction causing data to be no longer available is a security incident. The GDPR sees accidental loss of personal data as unlawful processing (not on instruction of the controller or processor) hence as a personal data breach.
No, because this is only a security incident and not a data breach. Incorrect. Personal data that are irretrievably lost are regarded as unauthorized processing by the GDPR, hence a personal data breach. The fact that data was accidentally destroyed also makes the event a security incident.
Question 68:
Racial or ethnic origin, political opinions, religious or philosophical beliefs, or union membership, as well as the processing of genetic data, biometric data, health data or data relating to a person's sexual life or sexual orientation.
What does this sentence above refer to?
A. Available personal data categories.
B. Rights categories of data subjects.
C. Categories of purposes for the processing of personal data.
D. Personal data categories.
Correct Answer: A
Article 9 of the GDPR legislates on "Processing of special categories of personal data", also called sensitive data.
Its first paragraph reads:
"Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited."
Question 69:
What is called the adequacy decision that allows data transfer between the United States and the European Economic Area (EEA)?
A. Regulation for transfer of personal data between EEA and USA
B. Privacy Shield
C. General Data Protection Law (GDPL)
D. General Data Protection Regulation (GDPR)
Correct Answer: B
This question is likely to come up on the exam. Memorize this name: "Privacy Shield".
In July 2016, Implementing Decision 2016/1250 came into force, which establishes that the United States ensures an adequate level of protection for personal data transferred from the Union to United States organizations under the EU-U.S. Privacy Shield (Privacy Shield).
This is needed because the United States does not have a single law on the protection of personal data; because of its internal political structure, each state can create its own laws. Privacy Shield aims to standardize this, so that companies in the European Union and the United States can offer their services to each other.
Article 1 of the Implementing Decision 2016/1250:
1. For the purposes of Article 25(2) of Directive 95/46/EC, the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in the United States under the EU-U.S. Privacy Shield.
2. The EU-U.S. Privacy Shield is constituted by the Principles issued by the U.S. Department of Commerce on 7 July 2016 as set out in Annex II and the official representations and commitments contained in the documents listed in Annexes I, III to VII.
3. For the purpose of paragraph 1, personal data are transferred under the EU-U.S. Privacy Shield where they are transferred from the Union to organisations in the United States that are included in the 'Privacy Shield List', maintained and made publicly available by the U.S. Department of Commerce, in accordance with Sections I and III of the Principles set out in Annex II.
Question 70:
Which of the options below is classified as a personal data breach under the GDPR?
A. Personal data processed without the consent of the controller.
B. A server is attacked and exploited by a hacker.
C. Data accessed by employees without permission.
D. Strategic company data is mistakenly shared.
Correct Answer: A
One of the options says: "Data accessed by employees without permission". In this case the question does not specify whether the data is personal or not. It is very common for EXIN to ask such a question.
Another option says: "A server is attacked and exploited by a hacker", but this option does not say whether that server contained personal data.
The other wrong option is: "Strategic company data is mistakenly shared". Strategic data is not personal data.
For these reasons, the correct option is "Personal data processed without the consent of the controller". Note: even if the processor has a contract that authorizes the processing of personal data on behalf of the controller, it cannot carry out any processing for which it was not previously authorized, nor can it engage a sub-processor without the knowledge and consent of the controller.