Exin PDPF Exam Practice Test Instant Access

Question 1

What is the purpose of a data protection audit by the supervisory authority?

ATo monitor and enforce the application of the GDPR by assessing that processing is performed in compliance with the GDPR.

BTo fulfill the obligation in the GDPR to implement appropriate technical and organizational measures for data protection.

CTo advise the controller on the mitigation of privacy risks to protect the controller from liability claims for
non-compliance.

Answer : A

To advise the controller on the mitigation of privacy risks to protect the controller from liability claims for non-compliance. Incorrect. The supervisory authority has the task to monitor compliance and to advise on enhancements, but its purpose is not to protect the controller.

To fulfill the obligation in the GDPR to implement appropriate technical and organizational measures for data protection. Incorrect. The audit is not the implementation of the measures, but an assessment of the effectiveness of them.

To monitor and enforce the application of the GDPR by assessing that processing is performed in compliance with the GDPR. Correct. According to the GDPR this is an important task of a supervisory authority. (Literature: A, Chapter 7; GDPR Article 57 (1)(a))

Question 2

One of the seven principles of data protection by design is Functionality - Positive-Sum, not Zero-Sum. What is the essence of this principle?

AIf different types of legitimate objectives are contradictory, the privacy objectives must be given priority over other security objectives.

BApplied security standards must assure the confidentiality, integrity and availability of personal data throughout their lifecycle.

CWherever possible, detailed privacy impact and risk assessments should be carried out and published, clearly documenting the privacy risks.

DWhen embedding privacy into a given technology, process, or system, it should be done in such a way that full functionality is not impaired.

Answer : D

Applied security standards must assure the confidentiality, integrity and availability of personal data throughout their lifecycle. Incorrect. This is an aspect of End-to-End Security - Lifecycle Protection, one of the other six basic principles.

If different types of legitimate objectives are contradictory, the privacy objectives must be given priority over other security objectives. Incorrect. Data protection by design rejects the idea that privacy competes with other interests, design objectives, and technical capabilities.

When embedding privacy into a given technology, process, or system, it should be done in such a way that full functionality is not impaired. Correct. This is the essence. (Literature: A, Chapter 8; GDPR Article 25)

Wherever possible, detailed privacy impact and risk assessments should be carried out and published, clearly documenting the privacy risks. Incorrect. This is an aspect of Privacy Embedded into Design, one of the other six basic principles.

Question 3

According to the GDPR, what is a task of a supervisory authority?

AInvestigate security breaches of corporate information

BImplement technical and organizational measures to ensure compliance

CMonitor and enforce the application of the GDPR

Answer : C

Implement technical and organizational measures to ensure compliance. Incorrect. This is the task of the controller.

Investigate security breaches of corporate information. Incorrect. Only breaches of personal data are a concern of the supervisory authority.

Monitor and enforce the application of the GDPR. Correct. This is the main task of any supervisory authority. (Literature: A, Chapter 7)

Question 4

A Belgian company has their headquarters in France for tax purposes. They enter into a legally binding contract with a processor in the Netherlands for the processing of personal data of data subjects with various nationalities. A personal data breach occurs. The supervisory authorities start an investigation. Why is the French supervisory authority seen as the lead supervisory authority?

ABecause the company has their headquarters in France

BBecause France is located in the middle of Europe

CBecause France is the largest of the three EEA countries

Answer : A

Because France is located in the middle of Europe. Incorrect. The geographical position of the countries is irrelevant.

Because France is the largest of the three EEA countries. Incorrect. The size of the countries is irrelevant.

Because the company has their headquarters in France. Correct. The country of the main establishment determines the lead supervisory authority. The 'main establishment' is the place of the central administration of that organization, or in other words: headquarters. (Literature: A, Chapter 7)

Question 5

To plan the amount of parking space needed, a local government monitors and saves the license plate number of every car that enters and leaves the city center. They have obtained permission to collect data on the number of cars present in the city center. By comparing the license plate time of entry and exit the number of cars present every moment of each day is calculated. Each month a report is created detailing the average number of cars in the city center at specific moments for every day of the week. At every entrance to the city center, a billboard clearly states what data is collected by whom, the purpose of the processing and the fact that the license plate numbers are saved securely for up to two years, because the measurements will be repeated next year. Which of the basic principles for legitimate processing of personal data is violated in this scenario?

APersonal data are processed in a manner that ensures appropriate security of the personal data.

BPersonal data are processed in a transparent manner in relation to the data subject

CPersonal data are kept in a form permitting identification of data subjects for no longer than is necessary.

DPersonal data are collected for specified, explicit and legitimate purposes and not further processed.

Answer : C

Personal data are collected for specified, explicit and legitimate purposes and not further processed. Incorrect. The local government is entitled to collect data on the number of cars present.

Personal data are kept in a form permitting identification of data subjects for no longer than is necessary. Correct. In the given scenario, there is no need to retain the data of a specific car identifying the owner once it has left the area (Literature: A, Chapter 2; GDPR Article 5)

Personal data are processed in a manner that ensures appropriate security of the personal data. Incorrect. The scenario does not suggest inappropriate security.

Personal data are processed in a transparent manner in relation to the data subject. Incorrect. The processing is taking place transparently, since it is communicated properly to the data subjects.

Question 6

What is the term used in the General Data Protection Regulation (GDPR) for the disclosure of, or unauthorized access to, personal data?

ASecurity incident

BIncident

CBreach of confidentiality

DData breach

Answer : D

GDPR uses the term data breach.

Article 4 paragraph 12

'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Question 7

According to the General Data Protection Regulation (GDPR), which category of personal data is considered to be sensitive data?

ALabor union association

BPassport number

CCredit card details

DSocial security number

Answer : A

Article 9: Processing of special categories of personal data:

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

Exin Privacy and Data Protection Foundation Exam Practice Test