Exin PDPF Privacy and Data Protection Foundation Exam Practice Test

It is necessary to check the extent of this personal data breach, what data has been accessed and what is the risk to his or her. Depending on this extension, in addition to notifying the supervisory authority, it will also be mandatory to notify the owners of the breached data.

GDPR does not apply to the use of personal data for domestic purposes, however in this example the controller is the Social Network, as it performs the processing of the photos. Therefore, the owner has the right to delete this photo.

For domestic purposes, data collection is not intended for professional or commercial purposes. Examples are the get-togethers of friends and family where we can collect names, phone numbers, e-mails to facilitate the organization, as well as taking pictures to record the moment. Now if you have a blog where you can record several moments with your friends and you monetize it in some way – watch out! – you are under the scope of GDPR.

Whereas Recital 18: “This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.”

Article 83 of GDPR

5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher...

Article 51 of GDPR

2. Each supervisory authority shall contribute to the consistent application of this Regulation throughout the

Union.

Data protection and privacy are complementary, but not the same thing.

A very repeated phrase is: “It is possible to have security without privacy, but it is not possible to have privacy without security”.

Privacy is a right that must be protected, and Data Protection are the measures that will be used to achieve this protection.

For archiving purposes in the public interest. Incorrect. With the safeguards in place, further processing is

allowed for archiving purposes in the public interest.

For direct marketing and commercial purposes. Correct. This is not a purpose that is allowed, if it is not the original legitimate purpose of the processing. (Literature: A, Chapter 2)

For generalized statistical purposes. Incorrect. With the safeguards in place, further processing is allowed for generalized statistical purposes.

For scientific or historical research purposes. Incorrect. With the safeguards in place, further processing is allowed for research purposes.

The contractor code of business ethics and conduct that is used. Correct. Although the GDPR endorses the use of codes of conduct and certification, it is not an obligation to have this clause to demonstrate compliance with the GDPR. (Literature: A, Chapter 8; GDPR Article 28(3))

The information security and personal data breach procedures. Incorrect. This is mandatory because it describes the obligations of the processor regarding the notification of a personal data breach (by the controller) to the supervisory authority.

The technical and organizational measures implemented. Incorrect. This is mandatory because it describes technical and organizational measures the processor must take.

Which data are covered by the data processing agreement. Incorrect. This is mandatory because it describes the personal data, including special category personal data, covered by the contract.

The deadline for companies to adapt and comply with GDPR was May 25, 2018. This is an important date and should be memorized. It is common to have this question in this exam.

Article 99 of GDPR

1.This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

2.It shall apply from 25 May 2018.

Article 6 legislates on the lawfulness of treatment and in it cites the 6 legal bases provided:

1 - the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

2- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering a contract

3 - processing is necessary for compliance with a legal obligation to which the controller is subject;

4- processing is necessary in order to protect the vital interests of the data subject or of another natural person;

5- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

6- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which requires protection of personal data, in particular where the data subject is a child.

When personal data is processed at a facility of the processor that is not located within the borders of the EEA. Incorrect. The location where the data is processed is of no significance to the obligation to notify data subjects of personal data breaches.

When personal data is processed by a party that agreed to the draft processing contract but has not yet sign it. Incorrect. Personal data processed by another party than the controller without a valid written contract is considered a personal data breach. In the given situation however, negative consequences for the data subjects are unlikely. Notifying the data subject is not obligatory in that case.

When the system on which the personal data is processed is attacked causing damage to its storage devices. Incorrect. Damage to storage devices will make access to the data difficult or even impossible but does not imply illegal processing.

When there is a significant probability that the breach will lead to a high risk for the privacy of the data subjects. Correct. If there is a significant probability of negative impact on the data subjects, the controller is obliged to notify them of the breach. (Literature: A, Chapter 5)

In July 2016, Implementing Decision 2016/1250 came into force, which legislates that the United States must ensure an adequate level of protection for personal data transferred from the Union to United States organizations under the EU-US Privacy Protection Shield (Privacy Shield).

This is because the United States does not have a single law on the protection of personal data, since because of its internal policy, each state can create its own laws. Privacy Shield aims to standardize this, so that companies in the European Union and the United States can offer their services.

Article 1 of the Implementing Decision 2016/1250:

1.For the purposes of Article 25(2) of Directive 95/46 / EC, the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in the United States under the

EU-U.S. Privacy Shield.

2.The EU-U.S. Privacy Shield is constituted by the Principles issued by the U.S. Department of Commerce on 7 July 2016 as set out in Annex II and the official representations and commitments contained in the documents listed in Annexes I, III to VI.

3.For the purpose of paragraph 1, personal data are transferred under the EU-U.S. Privacy Shield where they are transferred from the Union to organisations in the United States that are included in the ‘Privacy Shield List’, maintained and made publicly available by the U.S. Department of Commerce, in accordance with Sections I and III of the Principles set out in Annex II.

Data protection and privacy are synonyms and have the same meaning. Incorrect. Data protection helps to protect a person’s privacy, but the terms are not synonyms.

Data protection is the part of privacy that protects a person’s physical integrity. Incorrect. Data protection is not related to physical integrity or physical privacy.

Data protection refers to the measures needed to protect a person’s privacy. Correct. Data protection are some of the measures needed to protect a person’s privacy. (Literature: A, Chapter 1)

Transfers based on the laws of the non-EEA country concerned. Incorrect. This would also require an adequacy decision confirming that those laws are sufficient.

Transfers falling under World Trade Organization rules. Incorrect. WTO only covers free trade of goods and services.

Transfers governed by approved binding corporate rules (BCR). Correct. Binding corporate rules approved by a supervisory authority involved make the transfer lawful. (Literature: A, Chapter 7; GDPR Article 47)

Transfers within a global corporation or organization. Incorrect. This would also require that they adopt official binding corporate rules.

Anonymized data is not under the scope of the GDPR, nor are data from deceased persons. Organizations that handle only this type of data do not need to conform to the GDPR.

Anonymized data reads data that is not possible to reverse in order to identify the data subject. There is also pseudonymized data, in which case it is possible to perform the reversal and identify the data holder.

The GDPR has 173 recitals. The Recitals introduce a better understanding of the law and its articles. The Articles, which are 99 in total, contain the mandatory requirements of the law.

Another option says: “A server is attacked and exploited by a hacker”, however, here it does not provide information if that server contained personal data.

The other wrong option is: "Strategic company data is mistakenly shared". Strategic data is not personal data.

For these reasons, the correct option is “Personal data processed without the consent of the controller”. Note: even if the processor has a contract that authorizes the processing of personal data on behalf of the controller, it cannot perform any treatment to which it was not previously authorized, nor can it sub-process without the knowledge and consent of the controller.

Article 30 in its first paragraph legislates:

1. Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.

Recital 82 mentions:

In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.

When we talk about protection by design, we are considering data protection throughout the data lifecycle, from collection, processing, sharing, storage and deletion.

When we focus on protecting data at all of these stages, the risk of not meeting any legal obligations is significantly reduced.