Exin PDPF Exam Questions Instant Access - No Installation Required

Question 1

The General Data Protection Regulation (GDPR) in its Article 30 legislates on the Records of treatment activities.

If requested, the controller must provide these records:

ATo the data processor

BTo the Data Protection Officer (DPO)

CThe supervisory authority

DTo the European Commission

Answer : C

Article 30 in its first paragraph legislates:

1. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility.

Recital 82 mentions:

In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.

Question 2

In its Article 9 the GDPR categorizes some types of personal data as ''sensitive''.

Of these below which are considered sensitive?

ADate of birth of a person.

BA person's home address.

CSoccer team that a person supports.

DResult of a medical examination.

Answer : D

As stated in the statement, Article 9 concerns the treatment of special categories of personal data, also called sensitive data.

This is a type of question that is often asked by EXIN. Important to remember which types of data are categorized as sensitive.

Article 9: Processing of special categories of personal data

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

Examples of sensitive data: Race, skin color, family tree, political party, political party affiliation, religious beliefs, illness, test results, digital, facial recognition and sexual preference. These are just a few examples.

Question 3

In the contract between the controller and processor for the processing of personal data, which of the options below represents the sole responsibility of the Controller?

AErase all personal data after the completion of treatment-related services, deleting existing copies.

BTreat personal data only through documented instructions, including with regard to data transfers to third countries or international organizations.

CEnsure that the persons authorized to process personal data have made a commitment to confidentiality.

DApply technical and organizational measures to ensure that only personal data that are necessary for each specific purpose of processing are processed.

Answer : D

The correct option is exclusively for the Controller, the others are for the Processor in accordance with Articles 25 and 28 of the GDPR.

Question 4

A breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. What is the exact term that is associated with this definition in the GDPR?

ASecurity breach

BPersonal data breach

CConfidentiality violation

DSecurity incident

Answer : B

Confidentiality violation. Incorrect. GDPR uses the term personal data breach. Not every data breach is a confidentiality violation.

Personal data breach. Correct. This is the definition of a personal data breach. (Literature: A, Chapter 5; GDPR Article 4(12))

Security breach. Incorrect. GDPR uses the term personal data breach. Not every security breach is a data breach. Not every data breach is a personal data breach.

Security incident. Incorrect. GDPR uses the term personal data breach. Not every security incident is a data breach.

Question 5

A person finds that a private videotape showing her in a very intimate situation has been published on a website. She never consented to publication and demands that the video is being removed without undue delay.

According to the GDPR, what should be done next?

ANothing. The video may be regarded as 'news' and, therefore, the website is only exercising its right to freedom of expression and information.

BThe controller erases the video from the website and, when possible, informs any controller who might
process the same video, that it must be erased.

CThe controller erases the video from the website. There is no obligation however, to inform others who might have copied it, that it should be erased.

DThe controller directs the person to seek a lawyer and informs that he cannot exclude before a juridical authorization.

Answer : B

Question 6

The illegal collection, storage, modification, disclosure or dissemination of personal data is an offense under European law.

What kind of offense is this?

AAn offense related to content

BAn offense to intellectual property

CAn economic offense

DAn offense to privacy

Answer : D

An offense to privacy, as any illegal processing of personal data is considered an offense.

Question 7

Regarding the Supervisory Authority's ''Investigative Powers'', it is correct to state:

Ait has the power to order the suspension of sending data to recipients in third countries or to international organizations

Byou have the power to order the controller to report a personal data breach to the data subject

Cit has the power to notify the controller or processor of alleged GDPR violations

Dit has the power to conduct impact assessments on data privacy

Answer : C

The numerous powers of the Supervisory Authority are divided into:

- Investigative powers;

- Correcting powers;

- Advisory and authorization powers.

The investigative powers provided for in Article 58, Paragraph 1 are:

a) To order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks;

b) To carry out investigations in the form of data protection audits;

c) To carry out a review on certifications issued pursuant to Article 42(7);

d) To notify the controller or the processor of an alleged infringement of this Regulation;

e) To obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;

f) To obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.

Exin Privacy and Data Protection Foundation PDPF Exam Questions