PDPF Practice Exam Questions with Answers Privacy and Data Protection Foundation Certification

A decision on the safety of transferring personal data to a non-EEA country. Incorrect. This refers to adequacy decisions.

A measure to compensate for the lack of personal data protection in a third country. Incorrect. This refers to appropriate safeguards.

A set of agreements covering personal data transfers between non-EEA countries. Incorrect. The GDPR does not cover agreements between non-EEA countries.

A set of approved rules on personal data protection used by a group of enterprises. Correct. BCR are a set of rules approved by the supervisory authorities. (Literature: A, Chapter 3; GDPR Article 47)

Implement technical and organizational measures to ensure compliance. Incorrect. This is the task of the controller.

Investigate security breaches of corporate information. Incorrect. Only breaches of personal data are a concern of the supervisory authority.

Monitor and enforce the application of the GDPR. Correct. This is the main task of any supervisory authority. (Literature: A, Chapter 7)

Article 4 dealing with the GDPR Definitions says in its paragraph 21:

‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51.

A copy of personal data must be provided in the format requested by the data subject. Incorrect. It must be provided in a structured, commonly used and machine-readable format, but not necessarily in any format the data subject specifies.

Access to personal data must be provided free of charge for the data subject. Correct. Data subjects have a right to a copy of their data free of charge. However, only the first copy has to be free. (Literature: A, Chapter 4)

Personal data must always be changed at the request of the data subject. Incorrect. Only erroneous data has to be rectified.

Personal data must always be erased if the data subject requests this. Incorrect. The right to erasure has several exceptions to this, for instance if the data are needed for the establishment, exercise or defense of legal claims.

Article 20 Right to data portability:

1.The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

Article 57 legislates on the Responsibilities of the Supervisory Authority. In paragraph 1, item “a” says: “monitor and enforce the application of this Regulation”.

It is up to a supervisory authority to inspect and take measures to compel companies to conform to the GDPR.

According to paragraph 1 of Article 51.

1. Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (‘supervisory authority’).

Chapter VI of the GDPR talks about laws on independent supervisory authorities.

This is likely to be charged on the exam. Memorize this name: “Privacy Shield”

In July 2016, Implementing Decision 2016/1250 came into force, which legislates that the United States must ensure an adequate level of protection for personal data transferred from the Union to United States organizations under the EU-US Privacy Protection Shield (Privacy Shield).

This is because the United States does not have a single law on the protection of personal data, because of its internal policy, each state can create its own laws. Privacy Shield aims to standardize this, so that companies in the European Union and the United States can offer their services.

Article 1 of the Implementing Decision 2016/1250:

1. For the purposes of Article 25(2) of Directive 95/46 / EC, the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in the United States under the EU-U.S. Privacy Shield.

2.The EU-U.S. Privacy Shield is constituted by the Principles issued by the U.S. Department of Commerce on 7 July 2016 as set out in Annex II and the official representations and commitments contained in the documents listed in Annexes I, III to VII.

3.For the purpose of paragraph 1, personal data are transferred under the EU-U.S. Privacy Shield where they are transferred from the Union to organisations in the United States that are included in the ‘Privacy Shield List’, maintained and made publicly available by the U.S. Department of Commerce, in accordance with Sections I and III of the Principles set out in Annex II.

Yes, because the personal data on the disk were unlawfully processed. Correct. Personal data irretrievably lost is regarded as ‘a breach of security leading to unlawful destruction of personal data, which also makes it a personal data breach. (Literature: A, Chapter 5; GDPR Article 4(12))

Yes, because there were no special category personal data stored on the disk. Incorrect. Accidental loss of data is a security incident (data is no longer available). According to the GDPR it is also unlawful processing of personal data, hence a personal data breach. Data do not have to belong to the category of special

personal data to fall under the category personal data breach.

No, because no personal data on the disk were processed, only destroyed. Incorrect. A technical malfunction causing data to be no longer available is a security incident. The GDPR sees accidental loss of personal data as unlawful processing (not on instruction of the controller or processor) hence as a personal data breach.

No, because this is only a security incident and not a data breach. Incorrect. Personal data that are irretrievably lost, is regarded as unauthorized processing by the GDPR, hence a personal data breach. The fact that data was accidentally destroyed also makes the event a security incident.

The correct option is the responsibility of the Supervisory Authority, the others are the responsibility of the processor.

GDPR Article 3 decrees:

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

a)the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or;

b)the monitoring of their behaviour as far as their behaviour takes place within the Union.