According to the GDPR, in what situation must data subjects always be notified of a personal data breach?
Answer : D
When personal data is processed at a facility of the processor that is not located within the borders of the EEA. Incorrect. The location where the data is processed is of no significance to the obligation to notify data subjects of personal data breaches.
When personal data is processed by a party that agreed to the draft processing contract but has not yet signed it. Incorrect. Personal data processed by a party other than the controller without a valid written contract is considered a personal data breach. In the given situation, however, negative consequences for the data subjects are unlikely. Notifying the data subjects is not obligatory in that case.
When the system on which the personal data is processed is attacked, causing damage to its storage devices. Incorrect. Damage to storage devices will make access to the data difficult or even impossible, but it does not imply unlawful processing.
When there is a significant probability that the breach will lead to a high risk for the privacy of the data subjects. Correct. If there is a significant probability of negative impact on the data subjects, the controller is obliged to notify them of the breach. (Literature: A, Chapter 5)
Which EU legislation allows data to be transferred between the European Economic Area (EEA) and the United States (USA)?
Answer : A
In July 2016, Implementing Decision 2016/1250 came into force. It establishes that the United States ensures an adequate level of protection for personal data transferred from the Union to United States organisations under the EU-U.S. Privacy Shield (Privacy Shield).
This is needed because the United States does not have a single law on the protection of personal data: each state can create its own laws. Privacy Shield aims to standardise this, so that companies in the European Union and the United States can offer their services to each other.
Article 1 of the Implementing Decision 2016/1250:
1. For the purposes of Article 25(2) of Directive 95/46/EC, the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in the United States under the EU-U.S. Privacy Shield.
2. The EU-U.S. Privacy Shield is constituted by the Principles issued by the U.S. Department of Commerce on 7 July 2016 as set out in Annex II and the official representations and commitments contained in the documents listed in Annexes I, III to VI.
3. For the purpose of paragraph 1, personal data are transferred under the EU-U.S. Privacy Shield where they are transferred from the Union to organisations in the United States that are included in the 'Privacy Shield List', maintained and made publicly available by the U.S. Department of Commerce, in accordance with Sections I and III of the Principles set out in Annex II.
When is a Data Protection Impact Assessment (DPIA) under the General Data Protection Regulation (GDPR) mandatory?
Answer : A
Whenever a new technology is applied, a DPIA must be performed. In addition, a DPIA must be performed before the processing of personal data starts. This is important in order to identify risks to data subjects from the moment data collection begins.
Article 35 of the GDPR governs the data protection impact assessment:
1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
What is the term used in the General Data Protection Regulation (GDPR) for the disclosure of, or unauthorized access to, personal data?
Answer : D
The GDPR uses the term 'personal data breach'.
Article 4(12):
'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
According to the General Data Protection Regulation (GDPR), which category of personal data is considered to be sensitive data?
Answer : A
Article 9: Processing of special categories of personal data:
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
Regarding the right to data portability for data subjects, which option is correct?
Answer : C
Article 20 Right to data portability:
1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
The General Data Protection Regulation (GDPR) is related to the protection of personal data. What is the definition of personal data?
Answer : B
In Article 4(1), the GDPR defines:
'personal data' means any information relating to an identified or identifiable natural person...