Free Exin PDPF Practice Exam with Questions & Answers | Set: 4

When a project includes technologies or processes that use personal data. Incorrect. Only for technologies and processes that are likely to result in a high risk to the rights of data subjects is the DPIA mandatory.

When processing is likely to result in a high risk to the rights of data subjects. Correct. For processing operations which are likely to result in a high risk, a DPIA is obligatory to assess those risks and to design mitigation measures. (Literature: A, Chapter 6; GDPR Article 35)

When similar processing operations with comparable risks are repeated. Incorrect. This is a case in which a DPIA does not need to be repeated.

Adequacy decision. Correct. The ruling is an adequacy decision regarding processing in third countries. (Literature: A, Chapter 7; GDPR Article 45 and Recitals (104) and (106)

Derogation. Incorrect. A derogation is for specific situations where a transfer is necessary, but there is no ruling permitting it. (Literature: GDPR Article 49(1)(q))

Legally binding contract. Incorrect. The ruling is an adequacy decision. A legally binding contract is between a processor and a controller.

Treaty superseding the GDPR. Incorrect. The ruling is an adequacy decision. It does not supersede the GDPR.

Here is a catch between the options “Loss of personal data” and “Transfer of personal data outside the EU”.

A data breach is whenever something happens that has not been planned with the personal data, be it improper processing, improper sharing, loss of data, deletion, etc. That is, personal data must be used for a specific purpose, respecting the life cycle (from collection to exclusion), any situation that escapes this cycle must be reported as a data breach.

The transfer of personal data outside the EU can also be considered a violation if there is no authorization from the data subject and if the destination country does not offer legislation like the GDPR. Although there is no specific legislation, the Supervisory Authority can authorize the transfer of data provided that the company in the destination country accepts standard contractual clauses for the processing of this data.

Article 46 of GDPR

1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

Article 58 of GDPR

3. Each supervisory authority shall have all of the following authorisation and advisory powers: to authorise contractual clauses referred to in point (a) of Article 46(3).

The correct option is exclusively for the Controller, the others are for the Processor in accordance with Articles 25 and 28 of the GDPR.

The front line with the data holder is the Controller, see image. So, it is he who has to show compliance, who must be concerned with the legality of processing, who must implement security measures.

This occurrence should be classified as a security vulnerability, as it does not state whether an incident occurred for this reason.

However, the failure in this procedure can allow an incident to occur if an unauthorized person has access to the workstation.

Vulnerability is the means by which an attack can cause an information security incident.

With the death of the data subject, the controller can process the data in any way he wishes, since personal data of deceased persons is not within the scope of the GDPR.

Recital 27 says: This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.

When personal data is processed at a facility of the processor that is not located within the borders of the EEA. Incorrect. The location where the data is processed is of no significance to the obligation to notify data subjects of personal data breaches.

When personal data is processed by a party that agreed to the draft processing contract but has not yet sign it. Incorrect. Personal data processed by another party than the controller without a valid written contract is considered a personal data breach. In the given situation however, negative consequences for the data subjects are unlikely. Notifying the data subject is not obligatory in that case.

When the system on which the personal data is processed is attacked causing damage to its storage devices. Incorrect. Damage to storage devices will make access to the data difficult or even impossible but does not imply illegal processing.

When there is a significant probability that the breach will lead to a high risk for the privacy of the data subjects. Correct. If there is a significant probability of negative impact on the data subjects, the controller is obliged to notify them of the breach. (Literature: A, Chapter 5)

In its Article 35 the GDPR legislates on the Impact assessment on data protection.

7)The assessment shall contain at least:

a)a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

b)an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

c)an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and

d)the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.