Exin PDPF Exam Practice Test Instant Access

Question 1

The GDPR refers to the principles of proportionality and subsidiarity. What is the meaning of subsidiarity in this context?

APersonal data may only be processed when there are no other means to achieve the purposes.

BPersonal data cannot be reused without explicit and informed consent.

CPersonal data can only be processed in accordance with the purpose specification.

DPersonal data must be adequate, relevant and not excessive in relation to the purposes.

Answer : A

Personal data can only be processed in accordance with the purpose specification. Incorrect. This is one of the legal limitations.

Personal data cannot be reused without explicit and informed consent. Incorrect. This is one of the legal limitations.

Personal data may only be processed when there are no other means to achieve the purposes. Correct. This is the definition of subsidiarity. (Literature: A, Chapter 3; GDPR Article 35(7))

Personal data must be adequate, relevant and not excessive in relation to the purposes. Incorrect. This is the definition of proportionality.

Question 2

Which of these should appear in a Data Protection Impact Assessment (DPIA) according to the General Data Protection Regulation (GDPR)?

AAn assessment of the need and proportionality of treatment operations in relation to the objectives.

BData Protection Officer (DPO) contact and responsibilities.

CAn inventory and the flow of personal data within the organization.

DA survey of other laws that must be taken into account in addition to the GDPR.

Answer : A

In its Article 35 the GDPR legislates on the Impact assessment on data protection.

7) The assessment shall contain at least:

a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and

d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

Question 3

A person buys a product at a store located in the European Economic Area (EEA). At the time of purchase, you are asked to fill out a registration form and he informs his personal email.

As is usual in many stores, in the next few days this person will start receiving several marketing emails. He considers the frequency of these emails to be very high. Demanding his rights, he asks the store to delete all his personal data.

What is the right required by the data subject?

ARight to erasure

BData subject's right of access

CRight to limitation of treatment

DRight to rectification

Answer : A

Article 17

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.

Question 4

A controller wants to switch processors. What is necessary to review before making this change, so that it remains GDPR compliant?

AThe matrix location of this new processor.

BRequire the old processor to erase data.

CRequire the old processor to port the data.

DVerify that the new processor has sufficient security guarantees.

Answer : D

Verify that the processor has sufficient security guarantees that are essential for the Controller to remain in

compliance with the GDPR. Remember that the responsibility is always of the controller who must take care of the data of the data subjects that have been entrusted to him.

Recital 81 mentions the following:

(81) To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organizational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.

Question 5

Who should ask for an opinion after conducting an impact assessment on the protection of personal data (DPIA)?

ADPO

BController

CSupervisory Authority

DProcessor

Answer : A

The controller is responsible for performing the DPIA. However, after executing it, it is necessary to have the opinion of the DPO -- in charge of Data Protection, so that it can give its opinion, favorable or not for the continuity of processing.

Article 35 of GDPR

2. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.

Question 6

Subcontracting treatment is regulated by contract or other regulatory act under Union or Member State law, which links the processor to the controller.

What this contract or other regulatory act stipulates?

AA process for testing, assessing and regularly evaluating the effectiveness of technical and organizational measures to ensure safe treatment.

BThe processor assists the driver through technical and organizational measures to enable it to fulfill its obligation to respond to requests from data subjects.

CThe description of categories of data subjects and categories of personal data

DThe purpose of data processing

Answer : B

Article 28 of the GDPR in its paragraph 3 mentions:

This contract or other normative act stipulates, inter alia, that the subcontractor:

a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

c) takes all measures required pursuant to Article 32;

d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;

e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;

f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;

g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;

h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

Question 7

What is the main reason for performing data protection by design (from conception)?

ADevelop technical measures for the protection of personal data.

BEnable better marketing campaigns targeted at customers.

CCollect as much data as possible for data processing.

DReduce the risk of not meeting legal obligations.

Answer : D

When we talk about protection by design, we are considering data protection throughout the data lifecycle, from collection, processing, sharing, storage and deletion.

When we focus on protecting data at all of these stages, the risk of not meeting any legal obligations is significantly reduced.

Exin PDPF Privacy and Data Protection Foundation Exam Practice Test