Exin PDPF Exam Practice Test Instant Access

Question 1

After appearing in a photo posted by a friend on a social network, a person felt embarrassed and decided that he wants the photo to be deleted.

According to the General Data Protection Regulation (GDPR), does that person have the right to delete this photo?

AFalse

BTrue

Answer : B

GDPR does not apply to the use of personal data for domestic purposes, however in this example the controller is the Social Network, as it performs the processing of the photos. Therefore, the owner has the right to delete this photo.

For domestic purposes, data collection is not intended for professional or commercial purposes. Examples are the get-togethers of friends and family where we can collect names, phone numbers, e-mails to facilitate the organization, as well as taking pictures to record the moment. Now if you have a blog where you can record several moments with your friends and you monetize it in some way -- watch out! -- you are under the scope of GDPR.

Whereas Recital 18: ''This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.''

Question 2

What is the main difference between Directive 95/46 / EC and the General Data Protection Regulation (GDPR)?

AThe GDPR offers guidance for EU Member States and can create their own laws to comply with the regulation. Directive 95/46 / EC has the force of law and all EU Member States must follow it without changing.

BDirective 95/46 / EC offers guidance for EU Member States and can create their own laws to suit the directive. The GDPR has the force of law and all EU Member States must follow it without changing it.

Answer : B

When we have a Regulation, such as the GDPR, all EU Member States are obliged to follow it and have a fixed date to entry into force. The regulation is a law and Member States cannot create laws that oppose it. Unlike the Directives that set objectives to be achieved, however, each Member State is free to decide how to apply them in their countries.

Important

Prior to the GDPR, there was a Directive ''95/46 / EC First Data Protection Directive. Approved in 1995, it was already aimed at protecting personal data. This directive was replaced by GDPR.

''Article 94: 1. Directive 95/46 / EC is repealed with effect from 25 May 2018.'

In the EXIN PDPF exam this is an issue that is routinely asked. ''Which directive has been replaced by GDPR?'' Answer: 95/46 / EC.

Question 3

What is the main purpose of cookies?

AIdentify user preferences, identify the user and it can also save login to a website.

BSave the browser history, making it easier for the user to access the page again in the future.

CDisplay advertisements directed to the user, using information collected from the browser.

DInfect computers so that unsolicited advertisements are displayed in the browser.

Answer : A

There are some types of cookies, each with its own purpose.

Cookies are considered personal data, as they can identify a person. They are stored on our computers.

You may have come across the situation of searching for a particular product on the internet and then seeing ads for that product or similar on various websites.

Cookies are used to provide this information.

Question 4

According to the GDPR, what is a description of binding corporate rules (BCR)?

AA decision on the safety of transferring personal data to a non-EEA country

BA set of approved rules on personal data protection used by a group of enterprises

CA measure to compensate for the lack of personal data protection in a third country

DA set of agreements covering personal data transfers between non-EEA countries

Answer : B

A decision on the safety of transferring personal data to a non-EEA country. Incorrect. This refers to adequacy decisions.

A measure to compensate for the lack of personal data protection in a third country. Incorrect. This refers to appropriate safeguards.

A set of agreements covering personal data transfers between non-EEA countries. Incorrect. The GDPR does not cover agreements between non-EEA countries.

A set of approved rules on personal data protection used by a group of enterprises. Correct. BCR are a set of rules approved by the supervisory authorities. (Literature: A, Chapter 3; GDPR Article 47)

Question 5

What is the main objective of the ''Lifecycle Protection'' principle?

AAll appropriate measures shall be taken to ensure that inaccurate data, taking into account the purposes for which they are processed, are erased or rectified without a delay.

BThe processing of data must take place in a manner that ensures its security, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage.

CSecurity measures should be in place from the moment data are collected until they are deleted.

DData must be collected for specified, explicit and legitimate purposes and may not be further processed in a manner incompatible with those purposes.

Answer : C

Data Life Cycle Management (DLM)

It aims to manage data flow throughout the lifecycle, from collection, processing, sharing, storage and deletion. Having the knowledge where the data travels, who is responsible, who has access, helps a lot to implement

security measures.

Question 6

Subcontracting treatment is regulated by contract or other regulatory act under Union or Member State law, which links the processor to the controller.

What this contract or other regulatory act stipulates?

AA process for testing, assessing and regularly evaluating the effectiveness of technical and organizational measures to ensure safe treatment.

BThe processor assists the driver through technical and organizational measures to enable it to fulfill its obligation to respond to requests from data subjects.

CThe description of categories of data subjects and categories of personal data

DThe purpose of data processing

Answer : B

Article 28 of the GDPR in its paragraph 3 mentions:

This contract or other normative act stipulates, inter alia, that the subcontractor:

a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

c) takes all measures required pursuant to Article 32;

d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;

e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;

f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;

g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;

h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

Question 7

An architect, leaving a building site, puts his laptop for a moment beside his car on the road, while answering his phone. When driving away he sees in the mirror his laptop being crushed by an enormous lorry driving over it. All his files on the design of the building and the calculations he worked on are lost. His only consolation is that those were the only files on the device.

In terms of the GDPR, what happened?

Aa data breach

Ba security incident

Ca security issue

Da vulnerability

Answer : B

Exin PDPF Privacy and Data Protection Foundation Exam Practice Test