Exin PDPF Exam Practice Test Instant Access

Question 1

According to the GDPR, in what situation must data subjects always be notified of a personal data breach?

AWhen personal data is processed at a facility of the processor that is not located within the borders of the EEA

BWhen personal data is processed by a party that agreed to the draft processing contract but has not yet signed it

CWhen the system on which the personal data is processed is attacked causing damage to its storage devices

DWhen there is a significant probability that the breach will lead to a high risk for the privacy of the data subjects

Answer : D

When personal data is processed at a facility of the processor that is not located within the borders of the EEA. Incorrect. The location where the data is processed is of no significance to the obligation to notify data subjects of personal data breaches.

When personal data is processed by a party that agreed to the draft processing contract but has not yet sign it. Incorrect. Personal data processed by another party than the controller without a valid written contract is considered a personal data breach. In the given situation however, negative consequences for the data subjects are unlikely. Notifying the data subject is not obligatory in that case.

When the system on which the personal data is processed is attacked causing damage to its storage devices. Incorrect. Damage to storage devices will make access to the data difficult or even impossible but does not imply illegal processing.

When there is a significant probability that the breach will lead to a high risk for the privacy of the data subjects. Correct. If there is a significant probability of negative impact on the data subjects, the controller is obliged to notify them of the breach. (Literature: A, Chapter 5)

Question 2

Which EU legislation allows data to be transferred between the European Economic Area (EEA) and the United States (USA)?

AA suitability decision based on the Privacy Shield program

BA transfer made on the basis of World Trade Organization legislation.

CEuropean Union Directive 95/46 / EC.

DA transfer made under UN law.

Answer : A

In July 2016, Implementing Decision 2016/1250 came into force, which legislates that the United States must ensure an adequate level of protection for personal data transferred from the Union to United States organizations under the EU-US Privacy Protection Shield (Privacy Shield).

This is because the United States does not have a single law on the protection of personal data, since because of its internal policy, each state can create its own laws. Privacy Shield aims to standardize this, so that companies in the European Union and the United States can offer their services.

Article 1 of the Implementing Decision 2016/1250:

1. For the purposes of Article 25(2) of Directive 95/46 / EC, the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in the United States under the

EU-U.S. Privacy Shield.

2. The EU-U.S. Privacy Shield is constituted by the Principles issued by the U.S. Department of Commerce on 7 July 2016 as set out in Annex II and the official representations and commitments contained in the documents listed in Annexes I, III to VI.

3. For the purpose of paragraph 1, personal data are transferred under the EU-U.S. Privacy Shield where they are transferred from the Union to organisations in the United States that are included in the 'Privacy Shield List', maintained and made publicly available by the U.S. Department of Commerce, in accordance with Sections I and III of the Principles set out in Annex II.

Question 3

When is a Data Protection Impact Assessment (DPIA) under the General Data Protection Regulation (GDPR) mandatory?

AApplication of new technologies that may imply a high risk to the rights and freedoms of data subjects.

BThere is no security policy and information security risk analysis.

CIn all types of personal data processing.

Answer : A

Whenever a new technology is applied, a DPIA must be performed. In addition, a DPIA must be performed before starting the processing of personal data. This is important to check for risks to data subjects since data collection.

In its Article 35 the GDPR legislates on the Impact assessment on data protection.

1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

Question 4

What is the term used in the General Data Protection Regulation (GDPR) for the disclosure of, or unauthorized access to, personal data?

ASecurity incident

BIncident

CBreach of confidentiality

DData breach

Answer : D

GDPR uses the term data breach.

Article 4 paragraph 12

'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Question 5

According to the General Data Protection Regulation (GDPR), which category of personal data is considered to be sensitive data?

ALabor union association

BPassport number

CCredit card details

DSocial security number

Answer : A

Article 9: Processing of special categories of personal data:

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

Question 6

We know that when browsing the internet there is a lot of personal data that is collected. One mechanism for collecting this data is cookies.

How do marketers use this collected personal data?

ACollecting logs from web servers and running campaigns promoting products on social media.

BCollecting the logs from the web servers, they analyze which products are most visited and sold, promoting marketing campaigns for these products.

CThey create behavioral profiles, applying tags to web page visitors. These profiles can be marketed and used in targeted marketing campaigns.

Answer : C

There are some types of cookies, each with its own purpose.

Cookies are considered personal data, as they can identify a person.

In the case of the issue we are talking about the Tracking Cookies. These monitor our browsing activities and bombard us with advertisements and advertisements.

You may have already encountered the situation of searching for a particular product on the internet and then seeing ads for that product or similar on various websites.

Question 7

The Traffic Department of a city wants to know how many cars travel daily in order to plan the number of spaces needed to implement a rotating parking system.

To do this, cameras were installed at strategic points. Through image recognition software it is possible to capture the license plate and know how many cars traveled in the city. A monthly report is issued with the average number of cars present each day.

Signs and posters were spread around the city informing drivers and citizens what is the purpose of processing and that the data will be stored for up to five years, for future comparison.

What basic principle of legitimate processing of personal data is being violated in this case?

APersonal data must be kept in a way that allows the identification of data subjects for a period not longer than necessary.

BPersonal data must be processed transparently in relation to the data subject.

CPersonal data must be processed in a way that guarantees the appropriate security of personal data.

DPersonal data must be collected for specific, explicit and legitimate purposes and must not be further processed for incompatible purposes.

Answer : A

Here we have a very common catch in EXIN exams.

As stated ''monthly a report is issued''. Therefore, the report issued and with the average number of cars for each day is known, there is no longer a need to keep the license plate records. The information on the average number of cars per day is already sufficient for the planning of rotating parking as well as sufficient for a future comparison. So, there is no need to keep personal data stored for 5 years.

You may be wondering if a license plate is personal data. The answer is yes. Any information that makes it possible to identify a person is considered personal data.

A real and interesting example was a wife who identified her husband's car at a friend's house through Google Maps. The license plates on Google Maps are erased for security, but the car had a specific sticker. See that the wife gathered two pieces of information: car model and sticker, to identify her husband. In isolation neither of these two is a personal data, but together they become, because it was possible to identify it.

Luckily for his wife, who discovered his affair with her friend.

Exin PDPF Privacy and Data Protection Foundation Exam Practice Test