Question 1

A person who works for a union took home a draft newsletter to finish it. The thumb drive containing
the draft and contact list has been lost. To whom, among others, this data breach should be
reported?

Accepted Answer

A

Explanation: This is sensitive data, so the loss must be reported to both the responsible authority and the data subjects.

Question 2

The GDPR describes the principle of data minimization. How can organizations comply with this principle?

Accepted Answer

C

Explanation: By applying the concept of least privilege to the personal data collected, stored or otherwise processed. Incorrect. Data minimization does not address least privilege. By limiting access rights to staff who need the personal data for the intended processing operations. Incorrect. This describes the concept of limiting authorization for instance to comply with the principle of integrity and confidentiality. By limiting file sizes, through saving all personal data that is processed in the smallest possible format. Incorrect. Data minimization according to the GDPR is not about storage size, but about minimalizing the use of personal data. By limiting the personal data to what is adequate, relevant and necessary for the processing purposes. Correct. This is the essence of the description in the GDPR. (Literature: A, Chapter 2; GDPR Article 5(1)(c))

Question 3

According to the GDPR, what is a description of binding corporate rules (BCR)?

Accepted Answer

B

Explanation: A decision on the safety of transferring personal data to a non-EEA country. Incorrect. This refers to adequacy decisions. A measure to compensate for the lack of personal data protection in a third country. Incorrect. This refers to appropriate safeguards. A set of agreements covering personal data transfers between non-EEA countries. Incorrect. The GDPR does not cover agreements between non-EEA countries. A set of approved rules on personal data protection used by a group of enterprises. Correct. BCR are a set of rules approved by the supervisory authorities. (Literature: A, Chapter 3; GDPR Article 47)

Question 4

What is the definition of Controller according to GDPR?

Accepted Answer

B

Explanation: Article 4 dealing with the GDPR Definitions says in its paragraph 7: ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Question 5

A company wishes to use personal data of their customers. They wish to start sending all female customers a customized newsletter. What right do all data subjects have in this scenario?

Accepted Answer

C

Explanation: The right to compensation. Incorrect. It is unlikely that all data subjects will suffer harm that must be compensated in this scenario. The right to object to profiling. Correct. All data subjects have a right to object to the processing of personal data for direct marketing, including profiling. This is clearly profiling. (Literature: A, Chapter 4) The right to rectification. Incorrect. It is unlikely that the company has incorrect data on all data subjects, so the right to rectification does not apply.

Question 6

How is Data Lifecycle Management (DLM) related to data protection?

Accepted Answer

B

Explanation: It aims to manage the flow of data throughout the life cycle, from collection, processing, sharing, storage and deletion. Having the knowledge where the data travels, who is responsible, who has access, helps and a lot to implement security measures.

Question 7

What is the main purpose of cookies?

Accepted Answer

A

Explanation: There are some types of cookies, each with its own purpose. Cookies are considered personal data, as they can identify a person. They are stored on our computers. You may have come across the situation of searching for a particular product on the internet and then seeing ads for that product or similar on various websites. Cookies are used to provide this information.

Question 8

When personal data are processed, who is ultimately responsible for demonstrating compliance with the GDPR?

Accepted Answer

Explanation: Explanation: Controller. Correct. The controller is responsible for adequate data security measures and must be able to demonstrate compliance with the GDPR. (Literature:A, Chapter 2) Data protection officer (DPO). Incorrect. The DPO has expert knowledge and assists the controller or processor to monitor internal compliance. Processor. Incorrect. The processor is the one who processes personal data according to the instructions of the controller. The controller remains ultimately responsible though. Supervisory authority. Incorrect. The controller needs to demonstrate compliance with the GDPR if requested by the supervisory authority.

Question 9

Which of the following options is provided for in the GDPR and can be made by Member States?

Accepted Answer

A

Explanation: Recital 10 of GDPR states: “Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation.” It also says: “This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (‘sensitive data’). However, this does not mean that Member States can approve a rule that goes against a GDPR guideline. Note that these national provisions are measures to increase the effectiveness of the law. Here is an example the case of Ireland where it was established that the DPO is responsible for data breaches, something that is not provided for in the GDPR.

Question 10

After notifying the supervisory authority, what should be the first action the controller must take when it finds a security breach where unauthorized people have accessed personal data?

Accepted Answer

B

Explanation: It is necessary to check the extent of this personal data breach, what data has been accessed and what is the risk to his or her. Depending on this extension, in addition to notifying the supervisory authority, it will also be mandatory to notify the owners of the breached data.

Question 11

What is the legal status of the GDPR?

Accepted Answer

A

Explanation: The GDPR is functional law in all member states of the EEA. Some Articles allow for member states law to provide for more specific rules. Correct. The GDPR is European law but the Regulation does not exclude Member state law that sets out the circumstances for specific processing situations. (Literature: A, Chapter 1; GDPR Recital 10) The GDPR is a recommendation of the European Commission that EEA countries’ law authorities improve their laws on the protection of personal data. Incorrect. An EU recommendation is not binding. The GDPR is a functional European law in all member states. The GDPR sets out minimum conditions and requirements. Member states need to pass national laws to meet these minimum requirements. Incorrect. This is the description of an EU Directive.

Question 12

What is the definition of Processor according to GDPR?

Accepted Answer

C

Explanation: Article 4 dealing with the GDPR Definitions says in its paragraph 8: ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Question 13

In its Article 9 the GDPR categorizes some types of personal data as “sensitive”. Of these below which are considered sensitive?

Accepted Answer

D

Explanation: As stated in the statement, Article 9 concerns the treatment of special categories of personal data, also called sensitive data. This is a type of question that is often asked by EXIN. Important to remember which types of data are categorized as sensitive. Article 9: Processing of special categories of personal data 1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. Examples of sensitive data: Race, skin color, family tree, political party, political party affiliation, religious beliefs, illness, test results, digital, facial recognition and sexual preference. These are just a few examples.

Question 14

After appearing in a photo posted by a friend on a social network, a person felt embarrassed and
decided that he wants the photo to be deleted.
According to the General Data Protection Regulation (GDPR), does that person have the right to
delete this photo?

Accepted Answer

B

Explanation: GDPR does not apply to the use of personal data for domestic purposes, however in this example the controller is the Social Network, as it performs the processing of the photos. Therefore, the owner has the right to delete this photo. For domestic purposes, data collection is not intended for professional or commercial purposes. Examples are the get-togethers of friends and family where we can collect names, phone numbers, e-mails to facilitate the organization, as well as taking pictures to record the moment. Now if you have a blog where you can record several moments with your friends and you monetize it in some way – watch out! – you are under the scope of GDPR. Whereas Recital 18: “This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.”

Question 15

The Control Authority may impose fines on organizations that are not meeting the mandatory requirements of the General Data Protection Regulation (GDPR).

Accepted Answer

B

Explanation: Article 83 of GDPR 5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher... Article 51 of GDPR 2. Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union.

Free EXIN PDPF Actual Exam Questions