Exin PDPF Exam Practice Test Instant Access

Question 1

According to the GDPR, what is a description of binding corporate rules (BCR)?

AA decision on the safety of transferring personal data to a non-EEA country

BA set of approved rules on personal data protection used by a group of enterprises

CA measure to compensate for the lack of personal data protection in a third country

DA set of agreements covering personal data transfers between non-EEA countries

Answer : B

A decision on the safety of transferring personal data to a non-EEA country. Incorrect. This refers to adequacy decisions.

A measure to compensate for the lack of personal data protection in a third country. Incorrect. This refers to appropriate safeguards.

A set of agreements covering personal data transfers between non-EEA countries. Incorrect. The GDPR does not cover agreements between non-EEA countries.

A set of approved rules on personal data protection used by a group of enterprises. Correct. BCR are a set of rules approved by the supervisory authorities. (Literature: A, Chapter 3; GDPR Article 47)

Question 2

Which of the following conflicts with the principle of limiting the purposes?

AThe data is sold to another company without the consent of the data subject.

BAdapt the data to the purpose of the treatment.

CStore the data in a way that allows the identification of the data subjects.

DData is used in an obscure manner to the data subject.

Answer : A

The principle of limitation of purposes says that personal data must be collected for specific, explicit and legitimate purposes and cannot be further processed in a way incompatible with those purposes.

When the data is sold to another company, we can conclude that it was acquired by a controller for a specific purpose and that it subsequently sold it without the owner's knowledge and consent.

Question 3

In the European Union we have: Directives and Regulations. What is the difference between them?

AThe regulation provides guidance for EU Member States and they can create their own laws to conform to the regulation. A directive has the force of law and all EU Member States must follow it without changing it.

BThe directive provides guidance for EU member states and they can create their own laws to suit the directive. A regulation has the force of law and all EU Member States must follow it without changing it.

Answer : B

When we have a Regulation, such as the GDPR, all EU member states are obliged to follow it and have a fixed date for entry into force. The regulation is a law and Member States cannot create laws that oppose it. Unlike the Directives that set objectives to be achieved, however, each Member State is free to decide how to apply them in its country.

Important

Prior to the GDPR, there was the ''95/46 / EC First Data Protection Directive (European DP)''. Approved in 1995, it was already aimed to protect personal data. This directive was replaced by the GDPR.

''Article 94: 1. Directive 95/46 / EC is repealed with effect from 25 May 2018.''

In the EXIN PDPF exam this is a question that is routinely asked. ''What directive has been replaced by GDPR?'' Answer: 95/46 / EC.

Question 4

A person finds that a private videotape showing her in a very intimate situation has been published on a website. She never consented to publication and demands that the video is being removed without undue delay.

According to the GDPR, what should be done next?

ANothing. The video may be regarded as 'news' and, therefore, the website is only exercising its right to freedom of expression and information.

BThe controller erases the video from the website and, when possible, informs any controller who might
process the same video, that it must be erased.

CThe controller erases the video from the website. There is no obligation however, to inform others who might have copied it, that it should be erased.

DThe controller directs the person to seek a lawyer and informs that he cannot exclude before a juridical authorization.

Answer : B

Question 5

According to the principle of purpose limitation, data should not be processed beyond the legitimate purpose defined. However, further processing is allowed in a few specific cases, provided that appropriate safeguards for the rights and freedoms of the data subjects are taken. For which purpose is further processing not allowed?

AFor archiving purposes in the public interest

BFor generalized statistical purposes

CFor scientific or historical research purposes

DFor direct marketing and commercial purposes

Answer : D

For archiving purposes in the public interest. Incorrect. With the safeguards in place, further processing is

allowed for archiving purposes in the public interest.

For direct marketing and commercial purposes. Correct. This is not a purpose that is allowed, if it is not the original legitimate purpose of the processing. (Literature: A, Chapter 2)

For generalized statistical purposes. Incorrect. With the safeguards in place, further processing is allowed for generalized statistical purposes.

For scientific or historical research purposes. Incorrect. With the safeguards in place, further processing is allowed for research purposes.

Question 6

According to the General Data Protection Regulation (GDPR), which category of personal data is considered to be sensitive data?

ALabor union association

BPassport number

CCredit card details

DSocial security number

Answer : A

Article 9: Processing of special categories of personal data:

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

Question 7

A processor is instructed to report on customers who bought a product both last month and at least once in the three months before that. Unfortunately, the processor makes a mistake and uses personal data collected by another controller for a different purpose.

The mistake is found before the report is created, and nobody has access to personal date he or she should not have had access to.

How should the processor act on this situation and what should the controller do, if anything?

AThe processor must notify the controller and the controller must notify the Data Protection Authority of a data breach.

BThe processor must notify the controller of a data breach. The controller must assess the possible risk to the data subjects.

CThe processor must notify the Data Protection Authority of a data breach. The controller must execute a PIA to assess the risk to data subjects.

DThe processor must restart processing using the right data. There is no need for the controller to act.

Answer : B

Exin Privacy and Data Protection Foundation PDPF Exam Practice Test