Free Exin PDPF Practice Exam with Questions & Answers | Set: 2

A record of all intended processing together with the processing purpose(s) and legal justifications.

Incorrect. A record of all intended processing with the purpose(s) and legal justifications must be kept.

A record of data breaches with all relevant characteristics, including notifications. Incorrect. A record of data breaches must be kept.

A record of notifications sent to the supervisory authority regarding processing of personal data. Correct. Prior consultation of high-risk processing is obligatory, but there is no need for a separate record of notifications sent. (Literature: A, Chapter 6;GDPR Article 36(1))

A record of processors including personal data provided and the period this data can be retained. Incorrect. A record of processors and data provided must be kept.

The Article 20 of GDPR establishes the Right to data portability.

The second paragraph mentions:

In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

However, it is worth noting that the paragraph 1 of this article mentions:

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format…

The utterance explains that she requested that the data was transferred, that is why the correct answer is “The current gym should send all her data directly to the new gym.” (B)

Yet she has the right to request her own data, so if the utterance was referenced in that way, the correct answer would be: “The current gym should provide the data to her.” (D)

Information of local and national authorities that were informed about the data breach. Incorrect. The supervisory authority must be made aware of reports to supervisory authorities in other EEA countries. Reports to local authorities, for instance the police, do not need to be reported.

Name and contact details of the data subjects whose data may have been breached. Incorrect. The supervisory authority requires an estimate of the number of data subjects involved, not their personal data.

Suggested measures to mitigate the adverse consequences of the data breach. Correct. The controller should add suggested measures to mitigate the adverse consequences of the data breach. (Literature: A, Chapter 7; GDPR Article 33(q))

The information needed to access the personal data that have been breached. Incorrect. The supervisory authority needs to know the type of personal data involved, but does not need access to the data themselves.

Yes, because the personal data on the disk were unlawfully processed. Correct. Personal data irretrievably lost is regarded as ‘a breach of security leading to unlawful destruction of personal data, which also makes it a personal data breach. (Literature: A, Chapter 5; GDPR Article 4(12))

Yes, because there were no special category personal data stored on the disk. Incorrect. Accidental loss of data is a security incident (data is no longer available). According to the GDPR it is also unlawful processing of personal data, hence a personal data breach. Data do not have to belong to the category of special

personal data to fall under the category personal data breach.

No, because no personal data on the disk were processed, only destroyed. Incorrect. A technical malfunction causing data to be no longer available is a security incident. The GDPR sees accidental loss of personal data as unlawful processing (not on instruction of the controller or processor) hence as a personal data breach.

No, because this is only a security incident and not a data breach. Incorrect. Personal data that are irretrievably lost, is regarded as unauthorized processing by the GDPR, hence a personal data breach. The fact that data was accidentally destroyed also makes the event a security incident.

The contractor code of business ethics and conduct that is used. Correct. Although the GDPR endorses the use of codes of conduct and certification, it is not an obligation to have this clause to demonstrate compliance with the GDPR. (Literature: A, Chapter 8; GDPR Article 28(3))

The information security and personal data breach procedures. Incorrect. This is mandatory because it describes the obligations of the processor regarding the notification of a personal data breach (by the controller) to the supervisory authority.

The technical and organizational measures implemented. Incorrect. This is mandatory because it describes technical and organizational measures the processor must take.

Which data are covered by the data processing agreement. Incorrect. This is mandatory because it describes the personal data, including special category personal data, covered by the contract.

The organization minimizes the risk of costly adjustments in processes or the redesign of systems in a later stage. Incorrect. This aspect may strengthen the confidence of management, but not of customers or citizens.

The organization prevents non-compliance with the GDPR and minimizes the risk of fines. Incorrect. Preventing fines may strengthen the confidence of management, but not of customers or citizens.

The organization proves that it takes privacy seriously and aims for compliance with the GDPR. Correct. Doing a DPIA shows customers or citizens that the company is serious about data protection. (Literature: A, Chapter 8)

In the example there is likely to be no risk to the data subjects or if it exists it will be very low, but this does not exempt the processor from notifying the Controller. However, at least the Controller should assess whether there is a need to notify the Supervisory Authority.

As stated in the statement, Article 9 concerns the treatment of special categories of personal data, also called sensitive data.

This is a type of question that is often asked by EXIN. Important to remember which types of data are categorized as sensitive.

Article 9: Processing of special categories of personal data

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

Examples of sensitive data: Race, skin color, family tree, political party, political party affiliation, religious beliefs, illness, test results, digital, facial recognition and sexual preference. These are just a few examples.