PDPF Practice Exam Questions with Answers Privacy and Data Protection Foundation Certification

The principle of limitation of purposes says that personal data must be collected for specific, explicit and legitimate purposes and cannot be further processed in a way incompatible with those purposes.

When the data is sold to another company, we can conclude that it was acquired by a controller for a specific purpose and that it subsequently sold it without the owner’s knowledge and consent.

Article 9 of the GDPR legislation on “Treatment of special categories of personal data”.

Also called sensitive data.

In its first paragraph it quotes:

“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”

Verify that the processor has sufficient security guarantees that are essential for the Controller to remain in

compliance with the GDPR. Remember that the responsibility is always of the controller who must take care of the data of the data subjects that have been entrusted to him.

Recital 81 mentions the following:

(81) To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organizational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.

Recital 170 mentions “Since the objective of this Regulation, namely to ensure an equivalent level of protection of natural persons and the free flow of personal data throughout the Union, cannot be sufficiently achieved by

the Member States and can rather, by reason of the scale or effects of the action, be better achieved at Union

level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.”

Proportionality says that personal data should be collected according to the purpose of processing, that is, proportional, and data that will not be used for the purpose should not be collected.

Subsidiarity is a principle that says that personal data can only be processed if there are no other means to achieve the objective. Therefore, the less personal data used, the less the possibilities of violating privacy.

An approach that implements data protection from the start. Correct. This is a correct description. (Literature: A, Chapter 8; GDPR Article 25(1))

An indication of timeframes if processing relates to erasure. Incorrect. This is a description of a data protection impact assessment (DPIA).

Data may only be collected for explicit and legitimate purposes. Incorrect. This is a description of measures taken to comply with the principle of purpose limitation.

Not holding more data than is strictly required for processing. Incorrect. This is a description of procedures to comply with the principle of data minimization.

When we have a Regulation, such as the GDPR, all EU member states are obliged to follow it. The regulation is a law and Member States cannot create laws that oppose it. Unlike the Directives that set objectives to be achieved, however, each Member State is free to decide how to apply them in its country.

The controller is responsible for performing the DPIA. However, after executing it, it is necessary to have the opinion of the DPO – in charge of Data Protection, so that it can give its opinion, favorable or not for the continuity of processing.

Article 35 of GDPR

2.The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.

Information of local and national authorities that were informed about the data breach. Incorrect. The supervisory authority must be made aware of reports to supervisory authorities in other EEA countries. Reports to local authorities, for instance the police, do not need to be reported.

Name and contact details of the data subjects whose data may have been breached. Incorrect. The supervisory authority requires an estimate of the number of data subjects involved, not their personal data.

Suggested measures to mitigate the adverse consequences of the data breach. Correct. The controller should add suggested measures to mitigate the adverse consequences of the data breach. (Literature: A, Chapter 7; GDPR Article 33(q))

The information needed to access the personal data that have been breached. Incorrect. The supervisory authority needs to know the type of personal data involved, but does not need access to the data themselves.

Recital 124 tells us:

“Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union and the controller or processor is established in more than one Member State, or where processing taking place in the context of the activities of a single establishment of a controller or processor in the Union substantially affects or is likely to substantially affect data subjects in more than one Member State, the supervisory authority for the main establishment of the controller or processor or for the single establishment of the controller or processor should act as lead authority...”

But what is Main Establishment?

Article 4, paragraph 16, gives us the definitions:

16) «Main establishment»:

a)as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;

b)as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations

under this Regulation.

When we have a Regulation, such as the GDPR, all EU member states are obliged to follow it and have a fixed date for entry into force. The regulation is a law and Member States cannot create laws that oppose it. Unlike the Directives that set objectives to be achieved, however, each Member State is free to decide how to apply them in its country.

Important

Prior to the GDPR, there was the “95/46 / EC First Data Protection Directive (European DP)”. Approved in 1995, it was already aimed to protect personal data. This directive was replaced by the GDPR.

“Article 94: 1. Directive 95/46 / EC is repealed with effect from 25 May 2018.”

In the EXIN PDPF exam this is a question that is routinely asked. “What directive has been replaced by GDPR?” Answer: 95/46 / EC.

When we have a Regulation, such as the GDPR, all EU Member States are obliged to follow it and have a fixed date to entry into force. The regulation is a law and Member States cannot create laws that oppose it. Unlike the Directives that set objectives to be achieved, however, each Member State is free to decide how to apply them in their countries.

Important

Prior to the GDPR, there was a Directive “95/46 / EC First Data Protection Directive. Approved in 1995, it was already aimed at protecting personal data. This directive was replaced by GDPR.

“Article 94: 1. Directive 95/46 / EC is repealed with effect from 25 May 2018."

In the EXIN PDPF exam this is an issue that is routinely asked. “Which directive has been replaced by GDPR?” Answer: 95/46 / EC.

The fundamental right to protection of personal data, regardless of how it was obtained. Incorrect. This is a definition of data protection.

The right not to be disturbed by uninvited people, nor being followed, spied on or monitored. Incorrect. This is a definition of physical privacy. However, the GDPR does not concern itself with physical privacy.

The right to respect for one’s private and family life, home and personal correspondence. Correct. This is the definition as implicitly used throughout the GDPR. (Literature: A, Chapter 1)

The right to freedom of opinion and expression and to seeking, receiving and imparting information. Incorrect. This is a short version of Universal Declaration of Human Rights Article 19: freedom of opinion and expression.

When we talk about protection by design, we are considering data protection throughout the data lifecycle, from collection, processing, sharing, storage and deletion.

When we focus on protecting data at all of these stages, the risk of not meeting any legal obligations is significantly reduced.

Because France is located in the middle of Europe. Incorrect. The geographical position of the countries is irrelevant.

Because France is the largest of the three EEA countries. Incorrect. The size of the countries is irrelevant.

Because the company has their headquarters in France. Correct. The country of the main establishment determines the lead supervisory authority. The ‘main establishment’ is the place of the central administration of that organization, or in other words: headquarters. (Literature: A, Chapter 7)

It aims to manage the flow of data throughout the life cycle, from collection, processing, sharing, storage and deletion.

Having the knowledge where the data travels, who is responsible, who has access, helps and a lot to implement security measures.

Implement technical and organizational measures to ensure compliance. Incorrect. This is the task of the controller.

Investigate security breaches of corporate information. Incorrect. Only breaches of personal data are a concern of the supervisory authority.

Monitor and enforce the application of the GDPR. Correct. This is the main task of any supervisory authority. (Literature: A, Chapter 7)

Section: (none)

Explanation

Controller. Correct. The controller is responsible for adequate data security measures and must be able to demonstrate compliance with the GDPR. (Literature:A, Chapter 2)

Data protection officer (DPO). Incorrect. The DPO has expert knowledge and assists the controller or processor to monitor internal compliance.

Processor. Incorrect. The processor is the one who processes personal data according to the instructions of the controller. The controller remains ultimately responsible though.

Supervisory authority. Incorrect. The controller needs to demonstrate compliance with the GDPR if requested by the supervisory authority.

The lost reports did not contain personal data, in this case GDPR is not applicable and is a security incident.

Important

A data breach is whenever something that has not been planned with personal data happens, be it improper processing, improper sharing, loss of data, deletion, etc. In other words, personal data must be used for a specific purpose, respecting the life cycle of the same (from collection to exclusion), any situation that escapes this cycle must be reported as a data breach.

For archiving purposes in the public interest. Incorrect. With the safeguards in place, further processing is

allowed for archiving purposes in the public interest.

For direct marketing and commercial purposes. Correct. This is not a purpose that is allowed, if it is not the original legitimate purpose of the processing. (Literature: A, Chapter 2)

For generalized statistical purposes. Incorrect. With the safeguards in place, further processing is allowed for generalized statistical purposes.

For scientific or historical research purposes. Incorrect. With the safeguards in place, further processing is allowed for research purposes.

Applied security standards must assure the confidentiality, integrity and availability of personal data throughout their lifecycle. Incorrect. This is an aspect of End-to-End Security - Lifecycle Protection, one of the other six basic principles.

If different types of legitimate objectives are contradictory, the privacy objectives must be given priority over other security objectives. Incorrect. Data protection by design rejects the idea that privacy competes with other interests, design objectives, and technical capabilities.

When embedding privacy into a given technology, process, or system, it should be done in such a way that full functionality is not impaired. Correct. This is the essence. (Literature: A, Chapter 8; GDPR Article 25)

Wherever possible, detailed privacy impact and risk assessments should be carried out and published, clearly documenting the privacy risks. Incorrect. This is an aspect of Privacy Embedded into Design, one of the other six basic principles.

A list of payments made using a credit card. Incorrect. Credit card data is personal data, but not special category data.

An address list of members of a political party. Correct. Personal data revealing political opinions is special personal data (Literature: A, Chapter 1; GDPR Article 9(1))

A genealogical register of someone’s ancestors. Incorrect. Genealogical information on living persons is personal data, but not special category. The GDPR does not apply to data on deceased persons.

When personal data is processed at a facility of the processor that is not located within the borders of the EEA. Incorrect. The location where the data is processed is of no significance to the obligation to notify data subjects of personal data breaches.

When personal data is processed by a party that agreed to the draft processing contract but has not yet sign it. Incorrect. Personal data processed by another party than the controller without a valid written contract is considered a personal data breach. In the given situation however, negative consequences for the data subjects are unlikely. Notifying the data subject is not obligatory in that case.

When the system on which the personal data is processed is attacked causing damage to its storage devices. Incorrect. Damage to storage devices will make access to the data difficult or even impossible but does not imply illegal processing.

When there is a significant probability that the breach will lead to a high risk for the privacy of the data subjects. Correct. If there is a significant probability of negative impact on the data subjects, the controller is obliged to notify them of the breach. (Literature: A, Chapter 5)

The GDPR has 173 recitals. The Recitals introduce a better understanding of the law and its articles. The Articles, which are 99 in total, contain the mandatory requirements of the law.

A record of all intended processing together with the processing purpose(s) and legal justifications.

Incorrect. A record of all intended processing with the purpose(s) and legal justifications must be kept.

A record of data breaches with all relevant characteristics, including notifications. Incorrect. A record of data breaches must be kept.

A record of notifications sent to the supervisory authority regarding processing of personal data. Correct. Prior consultation of high-risk processing is obligatory, but there is no need for a separate record of notifications sent. (Literature: A, Chapter 6;GDPR Article 36(1))

A record of processors including personal data provided and the period this data can be retained. Incorrect. A record of processors and data provided must be kept.

In the example there is likely to be no risk to the data subjects or if it exists it will be very low, but this does not exempt the processor from notifying the Controller. However, at least the Controller should assess whether there is a need to notify the Supervisory Authority.

Collecting name and address information for a gymnastics club. Incorrect. Collecting is also considered processing data.

Creating a back-up of biometric data for data security purposes. Incorrect. Storage is also considered processing data.

Editing personal photographs before printing them at home. Correct. The GDPR is not applicable to home-use of your own photographs. (Literature: A, Chapter 1; GDPR Article 4)

The front line with the data holder is the Controller, see image. So, it is he who has to show compliance, who must be concerned with the legality of processing, who must implement security measures.

There are some types of cookies, each with its own purpose.

Cookies are considered personal data, as they can identify a person. They are stored on our computers.

You may have come across the situation of searching for a particular product on the internet and then seeing ads for that product or similar on various websites.

Cookies are used to provide this information.

Personal data can only be processed in accordance with the purpose specification. Incorrect. This is one of the legal limitations.

Personal data cannot be reused without explicit and informed consent. Incorrect. This is one of the legal limitations.

Personal data may only be processed when there are no other means to achieve the purposes. Correct. This is the definition of subsidiarity. (Literature: A, Chapter 3; GDPR Article 35(7))

Personal data must be adequate, relevant and not excessive in relation to the purposes. Incorrect. This is the definition of proportionality.

When we talk about protection by design, we are considering data protection throughout the data lifecycle, from collection, processing, sharing, storage and deletion.

Article 83 of GDPR

5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher...

Article 51 of GDPR

2. Each supervisory authority shall contribute to the consistent application of this Regulation throughout the

Union.