Free Exin PDPF Practice Exam with Questions & Answers

Compliance. Incorrect. Compliance means meeting rules or standards.

Data protection by design and by default. Correct. By default, the minimum of personal data is to be processed for the shortest possible period, using the best possible security measures to prevent unauthorized access. Data protection by design refers to processing that includes appropriate measures to implement data protection principles. (Literature: A, Chapter 8; GDPR Article 25)

Embedded data protect. Incorrect. Embedded data protection is the result of data protection by design.

Recital 124 tells us:

“Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union and the controller or processor is established in more than one Member State, or where processing taking place in the context of the activities of a single establishment of a controller or processor in the Union substantially affects or is likely to substantially affect data subjects in more than one Member State, the supervisory authority for the main establishment of the controller or processor or for the single establishment of the controller or processor should act as lead authority...”

But what is Main Establishment?

Article 4, paragraph 16, gives us the definitions:

16) «Main establishment»:

a)as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;

b)as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations

under this Regulation.

A list of payments made using a credit card. Incorrect. Credit card data is personal data, but not special category data.

An address list of members of a political party. Correct. Personal data revealing political opinions is special personal data (Literature: A, Chapter 1; GDPR Article 9(1))

A genealogical register of someone’s ancestors. Incorrect. Genealogical information on living persons is personal data, but not special category. The GDPR does not apply to data on deceased persons.

GDPR uses the term data breach.

Article 4 paragraph 12

‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Article 6 legislates on the lawfulness of treatment and in it cites the 6 legal bases provided:

1 - the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

2- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering a contract

3 - processing is necessary for compliance with a legal obligation to which the controller is subject;

4- processing is necessary in order to protect the vital interests of the data subject or of another natural person;

5- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

6- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which requires protection of personal data, in particular where the data subject is a child.

For archiving purposes in the public interest. Incorrect. With the safeguards in place, further processing is

allowed for archiving purposes in the public interest.

For direct marketing and commercial purposes. Correct. This is not a purpose that is allowed, if it is not the original legitimate purpose of the processing. (Literature: A, Chapter 2)

For generalized statistical purposes. Incorrect. With the safeguards in place, further processing is allowed for generalized statistical purposes.

For scientific or historical research purposes. Incorrect. With the safeguards in place, further processing is allowed for research purposes.

This is sensitive data, so the loss must be reported to both the responsible authority and the data subjects.

When we talk about protection by design, we are considering data protection throughout the data lifecycle, from collection, processing, sharing, storage and deletion.

In its Article 5, which deals with the Principles concerning the processing of personal data, paragraph 1, the GDPR describes:

1. Personal data shall be:

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed («data minimisation»);

In the Article 5 all the principles of GDPR for processing personal data are quoted.

The data minimization principle refers to the purpose of the law that only the data that is required for processing should be collected.

This is also favorable to businesses. The less data is collected, the less likely violations are to occur and consequently the impacts also decrease.