A shopkeeper wants to register how many visitors enter his shop every day. A system detects the MAC address of each visitor's smartphone. It is impossible for the shopkeeper to identify the owner of the phone from this signal, but telephone providers can link the MAC address to the owner of the phone. According to the GDPR, is the shopkeeper allowed to use this method?
Answer: C
Yes, because the shopkeeper cannot identify the owner of the telephone. Incorrect. The issue is not whether the shopkeeper himself can identify the visitor, but that it is technically possible to do so.
Yes, because the visitor has automatically consented by connecting to the Wi-Fi. Incorrect. Consent must be an active, informed and free act of agreement to the processing. To see a MAC address, the visitor does not need to be logged onto the Wi-Fi at all.
No, because the telephone's MAC address must be regarded as personal data. Correct. The phone's signal is a unique code that can be linked to the owner of the phone. The data must be regarded as personal data, because it is technically possible to identify the visitor. (Literature: A, Chapter 3; GDPR Article 26 and 30)
No, because the telephone providers are the owners of the MAC addresses. Incorrect. The shopkeeper is not allowed to keep or process the data, because it must be regarded as personal data. The telephone provider is not the owner of the MAC address, nor is the telephone provider protected by the GDPR.
The GDPR refers to the principles of proportionality and subsidiarity. What is the meaning of subsidiarity in this context?
Answer: A
Personal data can only be processed in accordance with the purpose specification. Incorrect. This is one of the legal limitations.
Personal data cannot be reused without explicit and informed consent. Incorrect. This is one of the legal limitations.
Personal data may only be processed when there are no other means to achieve the purposes. Correct. This is the definition of subsidiarity. (Literature: A, Chapter 3; GDPR Article 35(7))
Personal data must be adequate, relevant and not excessive in relation to the purposes. Incorrect. This is the definition of proportionality.
A company wishes to use the personal data of its customers: it wants to start sending all female customers a customized newsletter. What right do all data subjects have in this scenario?
Answer: C
The right to compensation. Incorrect. It is unlikely that all data subjects will suffer harm that must be compensated in this scenario.
The right to object to profiling. Correct. All data subjects have a right to object to the processing of personal data for direct marketing, including profiling. This is clearly profiling. (Literature: A, Chapter 4)
The right to rectification. Incorrect. It is unlikely that the company has incorrect data on all data subjects, so the right to rectification does not apply.
One of the seven principles of data protection by design is Functionality - Positive-Sum, not Zero-Sum. What is the essence of this principle?
Answer: D
Applied security standards must assure the confidentiality, integrity and availability of personal data throughout their lifecycle. Incorrect. This is an aspect of End-to-End Security - Lifecycle Protection, one of the other six basic principles.
If different types of legitimate objectives are contradictory, the privacy objectives must be given priority over other security objectives. Incorrect. Data protection by design rejects the idea that privacy competes with other interests, design objectives, and technical capabilities.
When embedding privacy into a given technology, process, or system, it should be done in such a way that full functionality is not impaired. Correct. This is the essence. (Literature: A, Chapter 8; GDPR Article 25)
Wherever possible, detailed privacy impact and risk assessments should be carried out and published, clearly documenting the privacy risks. Incorrect. This is an aspect of Privacy Embedded into Design, one of the other six basic principles.
According to the GDPR, what is a task of a supervisory authority?
Answer: C
Implement technical and organizational measures to ensure compliance. Incorrect. This is the task of the controller.
Investigate security breaches of corporate information. Incorrect. Only breaches of personal data are a concern of the supervisory authority.
Monitor and enforce the application of the GDPR. Correct. This is the main task of any supervisory authority. (Literature: A, Chapter 7)
We know that when browsing the internet a lot of personal data is collected. One mechanism for collecting this data is cookies.
How do marketers use this collected personal data?
Answer: C
There are several types of cookies, each with its own purpose.
Cookies are considered personal data, as they can identify a person.
The issue here concerns tracking cookies. These monitor our browsing activities and bombard us with advertisements.
You may already have encountered the situation of searching for a particular product on the internet and then seeing ads for that product, or similar ones, on various websites.
The Traffic Department of a city wants to know how many cars travel daily in order to plan the number of spaces needed to implement a rotating parking system.
To do this, cameras were installed at strategic points. Through image recognition software it is possible to capture the license plate and know how many cars traveled in the city. A monthly report is issued with the average number of cars present each day.
Signs and posters were spread around the city informing drivers and citizens of the purpose of the processing and that the data will be stored for up to five years, for future comparison.
What basic principle of legitimate processing of personal data is being violated in this case?
Answer: A
Here we have a very common catch in EXIN exams.
As stated, "a monthly report is issued". Once that report, with the average number of cars for each day, has been issued, there is no longer any need to keep the license plate records. The average number of cars per day is already sufficient for planning the rotating parking system, and also sufficient for a future comparison. So there is no need to keep personal data stored for 5 years.
You may be wondering whether a license plate is personal data. The answer is yes. Any information that makes it possible to identify a person is considered personal data.
A real and interesting example was a wife who identified her husband's car at a friend's house through Google Maps. License plates on Google Maps are erased for security, but the car had a specific sticker. Note that the wife combined two pieces of information, the car model and the sticker, to identify her husband. In isolation neither of these is personal data, but together they become personal data, because it was possible to identify him.
Luckily for his wife, who discovered his affair with her friend.
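The storage-limitation point of the traffic question (and the same counting problem in the shopkeeper's MAC-address question) can be engineered so that only the daily count is ever retained: each plate is replaced on arrival by a keyed hash under a random key that exists only for that day, and the key and the tag set are destroyed when the day closes. This is an added Python example, not part of the exam material; the observations are constructed, they are assumed to arrive in chronological order, and the per-day HMAC key is an assumed design choice. The plate is still personal data at the moment of capture, so this changes nothing about the answers above; it only removes the reason to keep records for five years.

```python
import hmac
import hashlib
import secrets

# Constructed sample of (day, plate) readings from the camera software.
# The plates are made-up values; a car seen twice on one day is one car.
OBSERVATIONS = [
    ("2024-03-01", "AB-123-CD"), ("2024-03-01", "AB-123-CD"),
    ("2024-03-01", "EF-456-GH"), ("2024-03-02", "AB-123-CD"),
    ("2024-03-02", "IJ-789-KL"), ("2024-03-02", "MN-012-OP"),
    ("2024-03-03", "EF-456-GH"),
]


class DailyCarCounter:
    """Counts distinct cars per day without storing any license plate.

    A plate is replaced immediately by an HMAC tag under a random key that
    exists only for the current day. When the day closes, the key and the
    tag set are discarded, so the only data that survives is the count.
    """

    def __init__(self):
        self.counts = {}      # day -> number of distinct cars (the retained data)
        self._day = None
        self._key = None      # per-day key, never written anywhere
        self._seen = set()    # HMAC tags for the current day only

    def observe(self, day, plate):
        if day != self._day:          # first reading of a new day closes the old one
            self.close_day()
            self._day, self._key = day, secrets.token_bytes(32)
        tag = hmac.new(self._key, plate.encode(), hashlib.sha256).digest()
        self._seen.add(tag)           # the plate itself is not kept

    def close_day(self):
        if self._day is not None:
            self.counts[self._day] = len(self._seen)
        self._day, self._key, self._seen = None, None, set()


def average_cars_per_day(counts):
    """The single figure the monthly report needs."""
    return sum(counts.values()) / len(counts)


def run_sample():
    counter = DailyCarCounter()
    for day, plate in OBSERVATIONS:
        counter.observe(day, plate)
    counter.close_day()
    return counter.counts
```

Because a fresh key is drawn each day, the same plate yields unrelated tags on different days, so even the tags that exist during a day cannot be joined across days to rebuild a vehicle history.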