Exin PDPF Exam Practice Test Instant Access

Question 1

According to the GDPR, in what situation must data subjects always be notified of a personal data breach?

AWhen personal data is processed at a facility of the processor that is not located within the borders of the EEA

BWhen personal data is processed by a party that agreed to the draft processing contract but has not yet signed it

CWhen the system on which the personal data is processed is attacked causing damage to its storage devices

DWhen there is a significant probability that the breach will lead to a high risk for the privacy of the data subjects

Answer : D

When personal data is processed at a facility of the processor that is not located within the borders of the EEA. Incorrect. The location where the data is processed is of no significance to the obligation to notify data subjects of personal data breaches.

When personal data is processed by a party that agreed to the draft processing contract but has not yet sign it. Incorrect. Personal data processed by another party than the controller without a valid written contract is considered a personal data breach. In the given situation however, negative consequences for the data subjects are unlikely. Notifying the data subject is not obligatory in that case.

When the system on which the personal data is processed is attacked causing damage to its storage devices. Incorrect. Damage to storage devices will make access to the data difficult or even impossible but does not imply illegal processing.

When there is a significant probability that the breach will lead to a high risk for the privacy of the data subjects. Correct. If there is a significant probability of negative impact on the data subjects, the controller is obliged to notify them of the breach. (Literature: A, Chapter 5)

Question 2

Which EU legislation allows data to be transferred between the European Economic Area (EEA) and the United States (USA)?

AA suitability decision based on the Privacy Shield program

BA transfer made on the basis of World Trade Organization legislation.

CEuropean Union Directive 95/46 / EC.

DA transfer made under UN law.

Answer : A

In July 2016, Implementing Decision 2016/1250 came into force, which legislates that the United States must ensure an adequate level of protection for personal data transferred from the Union to United States organizations under the EU-US Privacy Protection Shield (Privacy Shield).

This is because the United States does not have a single law on the protection of personal data, since because of its internal policy, each state can create its own laws. Privacy Shield aims to standardize this, so that companies in the European Union and the United States can offer their services.

Article 1 of the Implementing Decision 2016/1250:

1. For the purposes of Article 25(2) of Directive 95/46 / EC, the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in the United States under the

EU-U.S. Privacy Shield.

2. The EU-U.S. Privacy Shield is constituted by the Principles issued by the U.S. Department of Commerce on 7 July 2016 as set out in Annex II and the official representations and commitments contained in the documents listed in Annexes I, III to VI.

3. For the purpose of paragraph 1, personal data are transferred under the EU-U.S. Privacy Shield where they are transferred from the Union to organisations in the United States that are included in the 'Privacy Shield List', maintained and made publicly available by the U.S. Department of Commerce, in accordance with Sections I and III of the Principles set out in Annex II.

Question 3

When is a Data Protection Impact Assessment (DPIA) under the General Data Protection Regulation (GDPR) mandatory?

AApplication of new technologies that may imply a high risk to the rights and freedoms of data subjects.

BThere is no security policy and information security risk analysis.

CIn all types of personal data processing.

Answer : A

Whenever a new technology is applied, a DPIA must be performed. In addition, a DPIA must be performed before starting the processing of personal data. This is important to check for risks to data subjects since data collection.

In its Article 35 the GDPR legislates on the Impact assessment on data protection.

1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

Question 4

What is the term used in the General Data Protection Regulation (GDPR) for the disclosure of, or unauthorized access to, personal data?

ASecurity incident

BIncident

CBreach of confidentiality

DData breach

Answer : D

GDPR uses the term data breach.

Article 4 paragraph 12

'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Question 5

According to the General Data Protection Regulation (GDPR), which category of personal data is considered to be sensitive data?

ALabor union association

BPassport number

CCredit card details

DSocial security number

Answer : A

Article 9: Processing of special categories of personal data:

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

Question 6

Regarding the Portability Law for data subjects, which option is correct?

AThe data subject has the right to object at any time, for reasons related to their particular situation, so that the data is not shared between controllers.

BThe data subject has the right to ask the controller to rectify, erase or limit the processing of personal data with respect to the data subject if he has shared his data.

CThe data owner has the right to transmit his data to another controller without the controller that already has the personal data provided being able to prevent it.

DThe data subject has the right to obtain from the controller the limitation of processing so that the data is shared.

Answer : C

Article 20 Right to data portability:

1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

Question 7

The General Data Protection Regulation (GDPR) is related to the protection of personal dat

a. What is the definition of personal data?

APreservation of confidentiality, integrity and availability of information

BAny information regarding an identified or identifiable natural person

CAny information that European citizens want to protect

DData that directly or indirectly reveals racial or ethnic origins, someone's religious views, and their data related to sexual health and habits

Answer : B

In its first paragraph of Article 4, the GDPR defines:

'personal data' means any information relating to an identified or identifiable natural person...

Exin PDPF Privacy and Data Protection Foundation Exam Practice Test