Exin PDPF Exam Practice Test Instant Access

Question 1

A written contract between a controller and a processor is called a data processing agreement. According to

the GDPR, what does not have to be covered in the written contract?

AThe contractor code of business ethics and conduct that is used.

BWhich data are covered by the data processing agreement

CThe information security and personal data breach procedures

DThe technical and organizational measures implemented

Answer : A

The contractor code of business ethics and conduct that is used. Correct. Although the GDPR endorses the use of codes of conduct and certification, it is not an obligation to have this clause to demonstrate compliance with the GDPR. (Literature: A, Chapter 8; GDPR Article 28(3))

The information security and personal data breach procedures. Incorrect. This is mandatory because it describes the obligations of the processor regarding the notification of a personal data breach (by the controller) to the supervisory authority.

The technical and organizational measures implemented. Incorrect. This is mandatory because it describes technical and organizational measures the processor must take.

Which data are covered by the data processing agreement. Incorrect. This is mandatory because it describes the personal data, including special category personal data, covered by the contract.

Question 2

What is the main purpose of the General Data Protection Regulation (GDPR)?

AProtecting the data of everyone in Europe.

BProtect the data of everyone in the world.

CProtect data of data subjects located in the European Economic Area (EEA), regardless of the country of processing.

DProtect confidential business data.

Answer : C

Besides to what many persons think, the GDPR does not apply only to the EU, but to all member countries of the European Economic Area (EEA) that includes, in addition to the EU member countries, Iceland, Liechtenstein and Norway.

Question 3

Regarding the Supervisory Authority's ''Investigative Powers'', it is correct to state:

Ait has the power to order the suspension of sending data to recipients in third countries or to international organizations

Byou have the power to order the controller to report a personal data breach to the data subject

Cit has the power to notify the controller or processor of alleged GDPR violations

Dit has the power to conduct impact assessments on data privacy

Answer : C

The numerous powers of the Supervisory Authority are divided into:

- Investigative powers;

- Correcting powers;

- Advisory and authorization powers.

The investigative powers provided for in Article 58, Paragraph 1 are:

a) To order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks;

b) To carry out investigations in the form of data protection audits;

c) To carry out a review on certifications issued pursuant to Article 42(7);

d) To notify the controller or the processor of an alleged infringement of this Regulation;

e) To obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;

f) To obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.

Question 4

The GDPR refers to the principles of proportionality and subsidiarity. What is the meaning of subsidiarity in this context?

APersonal data may only be processed when there are no other means to achieve the purposes.

BPersonal data cannot be reused without explicit and informed consent.

CPersonal data can only be processed in accordance with the purpose specification.

DPersonal data must be adequate, relevant and not excessive in relation to the purposes.

Answer : A

Personal data can only be processed in accordance with the purpose specification. Incorrect. This is one of the legal limitations.

Personal data cannot be reused without explicit and informed consent. Incorrect. This is one of the legal limitations.

Personal data may only be processed when there are no other means to achieve the purposes. Correct. This is the definition of subsidiarity. (Literature: A, Chapter 3; GDPR Article 35(7))

Personal data must be adequate, relevant and not excessive in relation to the purposes. Incorrect. This is the definition of proportionality.

Question 5

What is the main difference between Directive 95/46 / EC and the General Data Protection Regulation (GDPR)?

AThe GDPR offers guidance for EU Member States and can create their own laws to comply with the regulation. Directive 95/46 / EC has the force of law and all EU Member States must follow it without changing.

BDirective 95/46 / EC offers guidance for EU Member States and can create their own laws to suit the directive. The GDPR has the force of law and all EU Member States must follow it without changing it.

Answer : B

When we have a Regulation, such as the GDPR, all EU Member States are obliged to follow it and have a fixed date to entry into force. The regulation is a law and Member States cannot create laws that oppose it. Unlike the Directives that set objectives to be achieved, however, each Member State is free to decide how to apply them in their countries.

Important

Prior to the GDPR, there was a Directive ''95/46 / EC First Data Protection Directive. Approved in 1995, it was already aimed at protecting personal data. This directive was replaced by GDPR.

''Article 94: 1. Directive 95/46 / EC is repealed with effect from 25 May 2018.'

In the EXIN PDPF exam this is an issue that is routinely asked. ''Which directive has been replaced by GDPR?'' Answer: 95/46 / EC.

Question 6

A company located in France wishes to enter into a compulsory contract with a processor located in Portugal. This contract aims to process sensitive French personal dat

a. The Portuguese Supervisory Authority is informed about this contract and the type of processing.

How should Portuguese Supervisory Authority proceed, in accordance with the General Data Protection Regulation (GDPR)?

ASupervise the processing of personal data according to the guidelines of the Supervisory Authority of Portugal.

BReport the data processing to the French Supervisory Authority, which must take over the supervision.

CVerify that adequate compulsory contracts have been established and leave supervision to the French Supervisory Authority.

DSupervise the processing of personal data in accordance with the French Supervisory Authority legislation.

Answer : C

When there is a processor and an operator in EEA countries, the competent authority will be the location of the Controller, however the Supervisory authority of the Controller is considered to be a concerned Supervisory Authority (who has interests).

Therefore, the Processor Supervisory Authority evaluates and approves the rules of the contract, in accordance with Article 57 of the GDPR, and must notify the Controller Supervisory Authority.

In its Article 57, the GDPR legislates on the Responsibilities of the Supervisory Authority. In its first paragraph, items ''r'' and ''s'':

r) Authorise contractual clauses and provisions referred to in Article 46(3);

s) Approve binding corporate rules pursuant to Article 47.

Question 7

What is the main objective of the ''Lifecycle Protection'' principle?

AAll appropriate measures shall be taken to ensure that inaccurate data, taking into account the purposes for which they are processed, are erased or rectified without a delay.

BThe processing of data must take place in a manner that ensures its security, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage.

CSecurity measures should be in place from the moment data are collected until they are deleted.

DData must be collected for specified, explicit and legitimate purposes and may not be further processed in a manner incompatible with those purposes.

Answer : C

Data Life Cycle Management (DLM)

It aims to manage data flow throughout the lifecycle, from collection, processing, sharing, storage and deletion. Having the knowledge where the data travels, who is responsible, who has access, helps a lot to implement

security measures.

Exin Privacy and Data Protection Foundation PDPF Exam Practice Test