Exin PDPF Exam Practice Test Instant Access

Question 1

While performing a backup, a data server disk crashed. Both the data and the backup are lost. The disk contained personal data, but no special category personal dat

a. The processor states that this is a personal data breach. Is the statement of the processor true?

AYes, because there were no special category personal data stored on the disk.

BNo, because no personal data on the disk were processed, only destroyed

CYes, because the personal data on the disk were unlawfully processed.

DNo, because this is only a security incident and not a data breach

Answer : C

Yes, because the personal data on the disk were unlawfully processed. Correct. Personal data irretrievably lost is regarded as 'a breach of security leading to unlawful destruction of personal data, which also makes it a personal data breach. (Literature: A, Chapter 5; GDPR Article 4(12))

Yes, because there were no special category personal data stored on the disk. Incorrect. Accidental loss of data is a security incident (data is no longer available). According to the GDPR it is also unlawful processing of personal data, hence a personal data breach. Data do not have to belong to the category of special

personal data to fall under the category personal data breach.

No, because no personal data on the disk were processed, only destroyed. Incorrect. A technical malfunction causing data to be no longer available is a security incident. The GDPR sees accidental loss of personal data as unlawful processing (not on instruction of the controller or processor) hence as a personal data breach.

No, because this is only a security incident and not a data breach. Incorrect. Personal data that are irretrievably lost, is regarded as unauthorized processing by the GDPR, hence a personal data breach. The fact that data was accidentally destroyed also makes the event a security incident.

Question 2

Under what EU legislation is data transfer between the EEA and the U.S.

Aallowed?

AAn adequacy decision based on the Privacy Shield program

BAn adequacy decision by reason of US domestic legislation

CThe Transatlantic Trade an Investment Partnership (TTIP)

DThe U.S.A.'s commitment to join the European Economic Area

Answer : A, A

https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en

Question 3

Which of the following options is provided for in the GDPR and can be made by Member States?

AApprove national provisions for implementation of GDPR.

BForcing the controller to notify the data subject of a breach.

CAudit controller and processor safety processes.

DPenalize controllers and processors.

Answer : A

Recital 10 of GDPR states:

''Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member

States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation.''

It also says: ''This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data ('sensitive data').

However, this does not mean that Member States can approve a rule that goes against a GDPR guideline. Note that these national provisions are measures to increase the effectiveness of the law. Here is an example the case of Ireland where it was established that the DPO is responsible for data breaches, something that is not provided for in the GDPR.

Question 4

Which of the options below is classified as a personal data breach under the GDPR?

APersonal data processed without the consent of the controller.

BA server is attacked and exploited by a hacker.

CData accessed by employees without permission.

DStrategic company data is mistakenly shared.

Answer : A

Another option says: ''A server is attacked and exploited by a hacker'', however, here it does not provide information if that server contained personal data.

The other wrong option is: 'Strategic company data is mistakenly shared'. Strategic data is not personal data.

For these reasons, the correct option is ''Personal data processed without the consent of the controller''. Note: even if the processor has a contract that authorizes the processing of personal data on behalf of the controller, it cannot perform any treatment to which it was not previously authorized, nor can it sub-process without the knowledge and consent of the controller.

Question 5

When does the GDPR require data subjects consent to a cookie?

AAlways, because a cookie is regarded as online identifier

BNever, as the EU Cookie Law does not require explicit consent

COnly if the cookie contains authentication information of the data subject

DOnly if the cookie contains shopping basket items

Answer : A

https://eugdprcompliant.com/cookies-consent-gdpr/

Question 6

We know that when a personal data breach occurs, the data controller (Controller) must notify the Supervisory Authority within 72 hours, without justified delay. However, should the Controller do if it is unable to communicate within this time?

ASend the notification with the date of the violation changed, to remain within 72 hours.

BAfter 72 hours there is no longer any need to send notification of personal data breach.

CDo not notify and seek ways to hide the violation so that the Supervisory Authority or the titleholders are made aware

DSend the notification, even after 72 hours, accompanied by the reasons for the delay
Section: (none)
Explanation

Answer : D

Article 33 which deals with ''Notification of a personal data breach to the supervisory authority'' in its paragraph 1 legislates:

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Question 7

Regarding the Supervisory Authority's ''Investigative Powers'', it is correct to state:

Ait has the power to order the suspension of sending data to recipients in third countries or to international organizations

Byou have the power to order the controller to report a personal data breach to the data subject

Cit has the power to notify the controller or processor of alleged GDPR violations

Dit has the power to conduct impact assessments on data privacy

Answer : C

The numerous powers of the Supervisory Authority are divided into:

- Investigative powers;

- Correcting powers;

- Advisory and authorization powers.

The investigative powers provided for in Article 58, Paragraph 1 are:

a) To order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks;

b) To carry out investigations in the form of data protection audits;

c) To carry out a review on certifications issued pursuant to Article 42(7);

d) To notify the controller or the processor of an alleged infringement of this Regulation;

e) To obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;

f) To obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.

Exin Privacy and Data Protection Foundation PDPF Exam Practice Test