We know that when a personal data breach occurs, the data controller (Controller) must notify the Supervisory Authority without undue delay and, where feasible, within 72 hours. However, what should the Controller do if it is unable to notify within this time?
A. Send the notification with the date of the violation changed, to remain within 72 hours.
B. After 72 hours there is no longer any need to send notification of personal data breach.
C. Do not notify, and seek ways to hide the violation so that neither the Supervisory Authority nor the data subjects become aware of it
D. Send the notification, even after 72 hours, accompanied by the reasons for the delay
Correct Answer: D
Article 33, which deals with "Notification of a personal data breach to the supervisory authority", states in its paragraph 1:
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Question 72:
According to the GDPR, what is a description of binding corporate rules (BCR)?
A. A decision on the safety of transferring personal data to a non-EEA country
B. A set of approved rules on personal data protection used by a group of enterprises
C. A measure to compensate for the lack of personal data protection in a third country
D. A set of agreements covering personal data transfers between non-EEA countries
Correct Answer: B
A decision on the safety of transferring personal data to a non-EEA country. Incorrect. This refers to adequacy decisions.
A measure to compensate for the lack of personal data protection in a third country. Incorrect. This refers to appropriate safeguards.
A set of agreements covering personal data transfers between non-EEA countries. Incorrect. The GDPR does not cover agreements between non-EEA countries.
A set of approved rules on personal data protection used by a group of enterprises. Correct. BCR are a set of rules approved by the supervisory authorities. (Literature: A, Chapter 3; GDPR Article 47)
Question 73:
Which option below correctly defines data protection by design (that is, from conception)?
A. It's a methodology of data protection according to its form
B. It's a concept that demonstrates the need to protect data since the beginning.
C. It's a methodology about how the data should be collected
D. Only data that is required for processing should be processed
Correct Answer: B
When we talk about protection by design, we mean data protection throughout the entire data lifecycle: collection, processing, sharing, storage and deletion.
When data is protected in all of these phases, the risk of failing to meet a legal obligation decreases significantly.
Question 74:
A good practice is to lock the computer automatically or manually when you are away from the workstation.
The company's DPO realizes that this procedure is not being followed by employees. In which category should this occurrence be classified?
A. Classified as a security vulnerability
B. Classified as a security incident
C. There is no specific category.
D. Classified as a data breach
Correct Answer: A
This occurrence should be classified as a security vulnerability, because the statement does not say that an incident has actually occurred because of it.
However, the failure to follow this procedure can allow an incident to occur if an unauthorized person gains access to the workstation.
A vulnerability is the means by which an attack can cause an information security incident.
Question 75:
In the European Union we have: Directives and Regulations. What is the difference between them?
A. The regulation provides guidance for EU Member States and they can create their own laws to conform to the regulation. A directive has the force of law and all EU Member States must follow it without changing it.
B. The directive provides guidance for EU member states and they can create their own laws to suit the directive. A regulation has the force of law and all EU Member States must follow it without changing it.
Correct Answer: B
When we have a Regulation, such as the GDPR, all EU Member States are obliged to follow it, and it has a fixed date of entry into force. The Regulation is law, and Member States cannot create laws that oppose it. Directives, by contrast, set objectives to be achieved, and each Member State is free to decide how to achieve them in its own country.
Important
Prior to the GDPR, there was the "95/46/EC First Data Protection Directive (European DP)". Approved in 1995, it was already aimed at protecting personal data. This directive was replaced by the GDPR.
"Article 94: 1. Directive 95/46/EC is repealed with effect from 25 May 2018."
In the EXIN PDPF exam this question is routinely asked: "Which directive has been replaced by the GDPR?" Answer: 95/46/EC.
Question 76:
A breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. What is the exact term that is associated with this definition in the GDPR?
A. Security breach
B. Personal data breach
C. Confidentiality violation
D. Security incident
Correct Answer: B
Confidentiality violation. Incorrect. GDPR uses the term personal data breach. Not every data breach is a confidentiality violation.
Personal data breach. Correct. This is the definition of a personal data breach. (Literature: A, Chapter 5; GDPR Article 4(12))
Security breach. Incorrect. GDPR uses the term personal data breach. Not every security breach is a data breach. Not every data breach is a personal data breach.
Security incident. Incorrect. GDPR uses the term personal data breach. Not every security incident is a data breach.
Question 77:
A secretary at a pediatric cardiology clinic, instead of sending the doctor the list of patients scheduled for the day, sends it to everyone registered as responsible for the children with scheduled appointments.
According to the GDPR, does the Supervisory Authority need to be notified? And do those responsible for the data subjects need to be notified?
A. The Supervisory Authority must be notified, but there is no need to notify those responsible for the data subjects, as whoever had access to the data is also someone in the same situation.
B. The Supervisory Authority must be notified, and so must those responsible for the data subjects whose data was exposed.
C. There is no need to notify the Supervisory Authority; however, those responsible for the data subjects whose data was exposed must be notified.
D. There is no need to notify the Supervisory Authority or those responsible for the data subjects, as whoever had access to the data is also someone in the same situation.
Correct Answer: B
This question addresses two very important points: sensitive data and data of minors.
Because both are involved, it is necessary to inform the Supervisory Authority and those responsible for the data subjects.
Article 34 mentions:
1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
Recital 38 says:
Children merit specific protection regarding their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.
Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.
Question 78:
In its Article 9 the GDPR categorizes some types of personal data as "sensitive".
Which of the options below is considered sensitive?
A. Date of birth of a person.
B. A person's home address.
C. Soccer team that a person supports.
D. Result of a medical examination.
Correct Answer: D
As the question states, Article 9 concerns the processing of special categories of personal data, also called sensitive data.
This is a type of question that EXIN often asks. It is important to remember which types of data are categorized as sensitive.
Article 9: Processing of special categories of personal data
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
Examples of sensitive data: race, skin color, family tree, political party, political party affiliation, religious beliefs, illness, test results, fingerprints, facial recognition and sexual orientation. These are just a few examples.
Question 79:
The controller responsible for the UK Child Sexual Abuse Investigation body reported a data breach to the supervisory authority in the UK on 28 February 2019.
People who had registered their interest in participating in forums and debates for victims of child sexual abuse received an email that contained the email addresses of everyone else who had also registered.
Which category does this data breach fit into?
A. This data breach should only be reported to the Data Protection Authority.
B. This data breach should only be reported to data subjects.
C. It is not necessary to notify the Supervisory Authority, as this data breach presents minimal risks to the holders.
D. This data breach must be reported to the Data Protection Authority and the data subjects.
Correct Answer: A
Here we have a very common trap in EXIN exams.
In this case, the personal data that was breached consisted of email addresses. Although the group concerned is a subject the GDPR treats as sensitive, the addresses were seen only by other participants who had themselves registered. As the breach does not present a high risk to the data subjects, there is no need to notify them as well; notifying the Supervisory Authority is enough. After being notified, the Supervisory Authority may decide that the data subjects should also be notified, but that is not considered in this question.
Article 33 of the GDPR legislates on the topic "Notification of a personal data breach to the supervisory authority":
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Important
The deadline for notifying data breaches to the Supervisory Authority is frequently asked about in the EXIN exam. This period is 72 hours.
Question 80:
One of the basic principles of the General Data Protection Regulation (GDPR) is subsidiarity.
What does subsidiarity mean in the GDPR?
A. Personal data can only be collected for explicit, legitimate and specific purposes and cannot be processed for any other purpose.
B. Only the personal data needed to achieve a specific purpose should be collected.
C. The least privacy-violating means should be used when processing personal data.
D. Personal data must be kept for a period not longer than necessary.
Correct Answer: C
Recital 170 states: "Since the objective of this Regulation, namely to ensure an equivalent level of protection of natural persons and the free flow of personal data throughout the Union, cannot be sufficiently achieved by the Member States and can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective".
Subsidiarity is a principle that says personal data may only be processed if there are no other means of achieving the objective. Therefore, the less personal data used, the lower the chance of violating privacy.
Note that the quotation from Recital 170 above also mentions the principle of proportionality, which is equally important. Proportionality says that personal data must be collected in proportion to the purpose of the processing, and data that will not be used for that purpose should not be collected.
These two principles, subsidiarity and proportionality, are constantly asked about in the EXIN exam.