The word "privacy" is never mentioned in the text of the General Data Protection Regulation (GDPR).
Despite this, what would be the best definition of privacy according to the Regulation?
A. The right not to have your life monitored by technologies.
B. Have freedom of expression.
C. The right to respect for private and family life, for home and communications.
D. The right to have your personal data protected.
Correct Answer: C
Privacy is a right that must be protected, and data protection is the set of measures used to achieve that protection.
Data protection and privacy complement each other, but they are not the same thing.
A well-known phrase is: "You can have security without privacy, but you cannot have privacy without security".
Recital 4 of the GDPR says:
"The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity."
Question 82:
When personal data are processed, who is ultimately responsible for demonstrating compliance with the GDPR?
A. Data protection officer (DPO)
B. Supervisory authority
C. Processor
D. Controller
Correct Answer: D
Controller. Correct. The controller is responsible for adequate data security measures and must be able to demonstrate compliance with the GDPR. (Literature: A, Chapter 2)
Data protection officer (DPO). Incorrect. The DPO has expert knowledge and assists the controller or processor to monitor internal compliance.
Processor. Incorrect. The processor is the one who processes personal data according to the instructions of the controller. The controller remains ultimately responsible though.
Supervisory authority. Incorrect. The controller needs to demonstrate compliance with the GDPR if requested by the supervisory authority.
Question 83:
Which condition below allows personal data to be processed legally?
A. A Data Privacy Impact Assessment (DPIA) should be performed prior to data collection.
B. Data processing must be previously authorized by the Supervisory Authority.
C. Data subjects' rights must be protected by a privacy policy.
D. There must be a legitimate basis for data processing.
Correct Answer: D
Article 6 governs the lawfulness of processing and lists the six legal bases on which processing may rely:
1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
2. processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
3. processing is necessary for compliance with a legal obligation to which the controller is subject;
4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Question 84:
A company director's laptop accidentally gets wet; the equipment is permanently damaged and its data cannot be recovered.
The lost data consisted of the company's financial reports.
What happened in this case according to the GDPR?
A. A vulnerability
B. A threat
C. A security incident
D. A data breach
Correct Answer: C
The lost reports did not contain personal data, so the GDPR does not apply; this is a security incident, not a data breach.
Important
A data breach is any unplanned event involving personal data: improper processing, improper sharing, loss of data, deletion, and so on. In other words, personal data must be used for a specific purpose, respecting the data's life cycle (from collection to deletion); any situation that falls outside that cycle must be reported as a data breach.
Question 85:
What is the main purpose of the General Data Protection Regulation (GDPR)?
A. Protecting the data of everyone in Europe.
B. Protect the data of everyone in the world.
C. Protect data of data subjects located in the European Economic Area (EEA), regardless of the country of processing.
D. Protect confidential business data.
Correct Answer: C
Contrary to what many people think, the GDPR does not apply only to the EU but to all member countries of the European Economic Area (EEA), which includes, in addition to the EU member states, Iceland, Liechtenstein and Norway.
Question 86:
The GDPR contains several items. Which of these contains mandatory requirements?
A. Recitals
B. Articles
Correct Answer: B
The GDPR has 173 recitals. The Recitals introduce a better understanding of the law and its articles. The Articles, which are 99 in total, contain the mandatory requirements of the law.
Question 87:
Which of the following options is provided for in the GDPR and can be done by Member States?
A. Approve national provisions for the implementation of the GDPR.
B. Force the controller to notify the data subject of a breach.
C. Audit controller and processor security processes.
D. Penalize controllers and processors.
Correct Answer: A
Recital 10 of the GDPR states:
"Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation."
It also says: "This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data ('sensitive data')."
However, this does not mean that Member States can approve a rule that goes against a GDPR guideline. Note that these national provisions are measures to increase the effectiveness of the law. An example is the case of Ireland, where it was established that the DPO is responsible for data breaches, something that is not provided for in the GDPR.
Question 88:
A person buys a product at a store located in the European Economic Area (EEA). At the time of purchase, he is asked to fill out a registration form and provides his personal email address.
As is usual in many stores, over the next few days this person starts receiving several marketing emails. He considers the frequency of these emails to be very high. Exercising his rights, he asks the store to delete all his personal data.
What must the store do according to the General Data Protection Regulation (GDPR)?
A. The data subject does not have this right: since he bought a product at the store, the store has the right to send him emails about new promotions.
B. The store has 30 days from the date of receipt of the customer's request to delete all data at no cost to the customer.
C. The store must delete customer data from its advertising list. Purchase data cannot be deleted, as financial data has to be kept longer.
Correct Answer: C
Companies have tax obligations to fulfil, so financial data cannot be deleted.
The data subject has several rights under the GDPR, but there are limitations: these rights cannot run counter to other specific legislation. In this case, the data subject can exercise the right to object instead of the right to erasure. With the right to object, he requests that the controller cease processing his data for purposes he has not consented to. An example of objection: in Brazil there was the website naomeperturbe.com.br, where millions of Brazilians could object to the unwanted calls made by telecommunication service providers.
Question 89:
The supervisory authority may impose fines on organizations that are not meeting the mandatory requirements of the General Data Protection Regulation (GDPR).
A. False
B. True
Correct Answer: B
Article 83 of the GDPR:
"5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher..."
Article 51 of the GDPR:
"2. Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union."
Question 90:
When a data breach occurs in a company that has branches in several countries of the European Union, which supervisory authority is competent to take the appropriate measures?
A. The Supervisory Authority of the country where the company's main establishment is located.
B. The Supervisory Authority of the country where the subsidiary with the largest number of affected data subjects is located.
C. The Supervisory Authority of the country with the most affected data subjects.
D. The Supervisory Authority of the country where the company's largest subsidiary is located.
Correct Answer: A
Recital 124 tells us:
“Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union and the controller or processor is established in more than one Member State, or where processing taking place in the context of the activities of a single establishment of a controller or processor in the Union substantially affects or is likely to substantially affect data subjects in more than one Member State, the supervisory authority for the main establishment of the controller or processor or for the single establishment of the controller or processor should act as lead authority...”
But what is the main establishment?
Article 4, paragraph 16, gives us the definition:
16) "Main establishment" means:
a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation.