Exin PDPF Exam Questions Instant Access - No Installation Required

Question 1

A person buys a product at a store located in the European Economic Area (EEA). At the time of purchase, you are asked to fill out a registration form and he informs his personal email.

As is usual in many stores, in the next few days this person will start receiving several marketing emails. He considers the frequency of these emails to be very high. Demanding his rights, he asks the store to delete all his personal data.

What the store must do according to the General Data Protection Regulation (GDPR)?

AThe owner does not have this right, since he bought a product in the store, he has the right to send emails with new promotions.

BThe store has 30 days from the date of receipt of the customer's request to delete all data at no cost to the customer.

CThe store must delete customer data from its advertising list. Purchase data cannot be deleted, as financial data has to be kept longer.

Answer : C

Companies have tax obligations to be fulfilled, so financial data cannot be deleted.

The data subject has several rights under the GDPR, however there are limitations. These rights cannot run counter to other specific legislation. In this case, the holder can exercise the right of Opposition instead of Exclusion. In the Right of Opposition, he requests the Controller to cease the processing of his data for non- consented purposes. An example of Opposition: in Brazil there was the website naomeperturbe.com.br, where millions of Brazilians could oppose the inconvenient calls made by the telecommunication service providers.

Question 2

Which of the options below best represents data protection by design?

AIt aims to incorporate security measures to protect data from the moment it is collected, throughout the processing and until its destruction at the end of the process

BIt aims to ensure that personal data is automatically part of a protection process.

CIt aims to create privacy impact analysis procedures (DPIA), notifications of breaches of privacy and fulfil requests from data subjects.

Answer : A

When we talk about protection by design, we are considering data protection throughout the data lifecycle, from collection, processing, sharing, storage and deletion.

Question 3

Personal data can be transferred outside of the EE

AAccording to the GDPR, which transfers outside the EEA are always lawful?

ATransfers based on the laws of the non-EEA country concerns

BTransfers falling under World Trade Organization rules

CTransfers governed by approved binding corporate rules (BCR)

DTransfers within a global corporation or organization

Answer : C

Transfers based on the laws of the non-EEA country concerned. Incorrect. This would also require an adequacy decision confirming that those laws are sufficient.

Transfers falling under World Trade Organization rules. Incorrect. WTO only covers free trade of goods and services.

Transfers governed by approved binding corporate rules (BCR). Correct. Binding corporate rules approved by a supervisory authority involved make the transfer lawful. (Literature: A, Chapter 7; GDPR Article 47)

Transfers within a global corporation or organization. Incorrect. This would also require that they adopt official binding corporate rules.

https://edps.europa.eu/data-protection/data-protection/reference-library/international-transfers_en

Question 4

A shopkeeper wants to register how many visitors enter his shop every day. A system detects the MAC- address of each visitor's smartphone. It is impossible for the shopkeeper to identify the owner of the phone from this signal, but telephone providers can link the MAC-address to the owner of the phone. According to the GDPR, is the shopkeeper allowed to use this method?

AYes, because the shopkeeper cannot identify the owner of the telephone

BNo, because the telephone providers are the owners of the MAC-addresses.

CNo, because the telephone's MAC-address must be regarded as personal data.

DYes, because the visitor has automatically consented by connecting to the Wi-Fi

Answer : C

Yes, because the shopkeeper cannot identify the owner of the telephone. Incorrect. The issue is not whether the shopkeeper can identify the visitor, but that it is technically possible to do so.

Yes, because the visitor has automatically consented by connecting to the Wi-Fi. Incorrect. Consent must be an active, informed and free act of agreement to the processing. To see a MAC-address, the visitor does not need to be logged onto the Wi-Fi.

No, because the telephones MAC-address must be regarded as personal data. Correct. The phone's signal is a unique code that can be linked to the owner of the phone. The data must be regarded as personal data, because it is technically possible to identify the visitor. (Literature: A, Chapter 3; GDPR Article 26 and 30)

No, because the telephone providers are the owners of the MAC-addresses. Incorrect. The shopkeeper is not allowed to keep the data or process it because it must be regarded as personal data. The telephone provider is not the owner of the MAC-address, nor is the telephone provider protected by the GDPR.

Question 5

What does the GDPR concept of 'binding corporate rules' (BCR) imply?

AA commission decision on the safety of data transfer to a third country

BA set of rules used by a group of enterprises concerning personal data protection in international transfers

CMeasures to compensate for the lack of data protection in a third country

DRules covering data transfers between third countries

Answer : B

Question 6

A good practice is to lock the computer automatically or manually when you are away from the workstation.

The company's DPO realizes that this procedure is not being followed by employees. This occurrence should be classified in which category?

AClassified as a security vulnerability

BClassified as a security incident

CThere is no specific category.

DClassified as a data breach

Answer : A

This occurrence should be classified as a security vulnerability, as it does not state whether an incident occurred for this reason.

However, the failure in this procedure can allow an incident to occur if an unauthorized person has access to the workstation.

Vulnerability is the means by which an attack can cause an information security incident.

Question 7

When is a Data Protection Impact Assessment (DPIA) under the General Data Protection Regulation (GDPR) mandatory?

AApplication of new technologies that may imply a high risk to the rights and freedoms of data subjects.

BThere is no security policy and information security risk analysis.

CIn all types of personal data processing.

Answer : A

Whenever a new technology is applied, a DPIA must be performed. In addition, a DPIA must be performed before starting the processing of personal data. This is important to check for risks to data subjects since data collection.

In its Article 35 the GDPR legislates on the Impact assessment on data protection.

1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

Exin Privacy and Data Protection Foundation PDPF Exam Questions