Dec 04 2021
This is the EXIN Privacy & Data Protection Practitioner (PDPP.EN) sample exam. The Rules and Regulations for EXIN’s examinations apply to this exam.
This exam consists of 40 multiple-choice questions. Each multiple-choice question has a number of possible answers, of which only one is correct.
The maximum number of points that can be obtained for this exam is 40. Each correct answer is worth 1 point. You need 26 points or more to pass the exam.
The time allowed for this exam is 120 minutes.
You are allowed to use the GDPR for this exam. Please click on the link to open it. If you close the GDPR, use the Navigator button to go back to the Introduction (dot before question 1) and click on the link again.
Copyright © EXIN Holding B.V. 2019. All rights reserved.
EXIN® is a registered trademark.
1 of 40
What is the
To allow customers and partners to verify which personal data the organization must process
To allow customers, partners and the supervisory authority to assess how personal data are handled
To communicate the result of data protection impact assessments (DPIAs) performed in the organization
To inform the supervisory authority of how the organization will respond after personal data breaches
2 of 40
According to the GDPR, what information is
Information about international transfers of personal data to a third country
Information about the identity and contact details of the controller
Information relating to data security measures in the organization
Information relating to retention periods and data subject's rights
3 of 40
The GDPR embraces the principles of privacy by design and by default. The application of these principles includes the implementation of both technical and organizational measures.
Why are organizational measures necessary?
Because privacy by design and by default requires that the organization restricts personal data access to controllers only
Because protecting the rights of data subjects requires organizational processes that technical measures cannot cover
Because the designation of a data protection officer (DPO), where mandatory, is regarded as an organizational measure
4 of 40
A company is setting up a project to create a new, free service for consumers.
According to privacy by design, what is the
desirable time to discuss data protection?
From the start of the project
During the implementation phase
When the project nears completion
5 of 40
Setting up a data protection management system (DPMS) is done in phases. The first phase in building a DPMS is called Data Protection and Privacy Preparation. A step in this phase is performing initial data audits and assessments.
Why must these data audits and assessments be done in the Data Protection and Privacy Preparation phase of building a DPMS?
Because the data audits and assessments analyze the awareness and readiness of staff regarding data protection and privacy
Because the data audits and assessments identify risks regarding compliance, people and other related risks for the organization
Because the data audits and assessments provide a clear overview of the current personal data flows inside and outside the organization
Because the data audits and assessments provide an inventory of where different types of personal data are located within the organization
6 of 40
An organization wants to comply with the GDPR. They are building a data protection management system (DPMS). The build of the DPMS is in the first phase: Data Protection and Privacy Preparation.
The data protection officer (DPO) has drafted a governance structure, established data flows, created a personal data inventory and established all three elements of the data protection and privacy program (step 7).
What is the
step of the first phase of building a DPMS?
Carry out an analysis of the communication and training aspects required for your company's staff regarding data protection and privacy
Define clear roles and responsibilities in job descriptions and related documents, such as employment contracts of privacy managers and of a DPO
Draft a comprehensive guide to all members responsible for data protection and privacy to achieve compliance with relevant legislation
Draft and submit a report to the organization’s board about the steps taken so far, recommending action plans and a budget
7 of 40
A company wants to build a data protection management system (DPMS). The first phase in building a DPMS is Data Protection and Privacy Preparation.
Which step does
belong to this first phase?
Develop draft implementation action plans
Establish a data governance organization
Maintain data privacy documentation
Perform initial data audits and assessments
8 of 40
A company wants to set up a data protection management system (DPMS). The second phase in building a DPMS is called Data Protection and Privacy Organization. One of the steps in phase 2 has the following objective:
to integrate data protection and privacy thinking across the whole company and across all its functions
Which step in phase 2 has this objective?
Audit the measures and controls for privacy and data protection to identify gaps and errors
Implement and operate the data protection and privacy computerized systems
Inform employees about the status of the privacy and data protection program
Maintain regular mutual communication for data protection and privacy issues
9 of 40
A data protection officer (DPO) realizes the importance of maintaining regular communication with all other individuals who have been appointed and are accountable or responsible for data protection and privacy. This group of individuals should work towards an organization-wide outcome, regarding data protection and privacy.
Which outcome benefits an organization the
Creating a system where all data protection and privacy issues must be referred to and subsequently solved by the DPO
Developing divergent perspectives on data protection and privacy while outsourcing or transferring data in the organization
Instilling a collaborative and proactive approach to embedding data protection and privacy into all parts of the organization
Raising awareness that outsourcing data protection and privacy creates shared responsibility and accountability for compliance
10 of 40
If an organization wants to develop, implement and manage a data protection management system (DPMS) this is done in several phases. The implementation of the DPMS has five phases describing: preparation, organization, development and implementation, governance, and evaluation and improvement.
What are the phases of implementing a DPMS comparable to?
A continual improvement process comparable to the PDCA-cycle
A guide to the implementation of privacy governance
An inventory of the data regulations as a preparation for the DPMS
The impact of privacy regulations, rules and standards
11 of 40
A key element of the GDPR is that an organization must demonstrate compliance. The implementation of a data protection management system (DPMS) can help demonstrate compliance.
Which phase of the implementation of a DPMS demonstrates compliance with the GDPR the
Phase 1, the organization prepares for privacy and data protection implementation
Phase 2, the organizational structures and mechanisms for privacy are established
Phase 3, data protection and privacy measures are developed and implemented
Phase 4, privacy governance mechanisms for the organization are established
12 of 40
A data protection officer (DPO) develops and implements a data protection and privacy management system (DPMS). The implementation is in phase 3: Data Protection and Privacy Development and Implementation.
What must be done
in phase 3?
Analyze and define the company’s needs and requirements for data protection and privacy
Investigate employees’ knowledge and understanding of data protection and privacy concepts
Research the industry's best practices and adapt them to the company’s needs and requirements
Understand global data protection and privacy law and determine the relevance of that information
13 of 40
A personal data breach response plan describes the following actions:
responds to the breach, provides public relations services and assists in minimizing the damage
- The data protection officer (DPO) asks the supervisory authority for support
notifies the business partners and data subjects about the data breach and asks their support
likely to minimize the impact for third parties and data subjects?
The external provider
14 of 40
Three health institutes work together to develop a mobile app for monitoring patients. Medical staff add their personal data and qualifications to the app, and patients add their personal data including medical data.
The health institutes appoint a single data protection officer (DPO). To run a pilot, they need to put the app in app stores. After the app is in app stores, they test the security of the new app. As a safety precaution, the description states that the app is in a pilot phase. Only a few test data subjects download the app, but they use it for real and enter actual data.
The test shows that the app is not secure at all. It can easily be hacked. A hacker could change health data of the patients and collect and use the data in unauthorized ways.
According to the GDPR, what must the DPO do?
The DPO does not have to act, because the app is in a pilot phase and only a small number of patients are participating.
The DPO does not have to act, because the impact of the vulnerabilities cannot be qualified as high risk during a pilot phase.
The DPO must inform the patients and supervisory authority because the app results in a high risk to the patients’ rights and freedoms.
The DPO must notify the supervisory authority and make sure the app’s security measures are adjusted to the required safety standards.
15 of 40
Compliance with the GDPR can be helped by implementing a systematic incident management regime.
What is an outline of an effective incident management process?
Recognize that an incident has occurred, respond to the immediate and long-term concerns, and track the incident to ensure that the steps taken were effective
Recognize that an incident has occurred and report the incident to the data protection officer (DPO) to review the data flows and improve the security policies
Track all incidents that involve personal data, perform a data protection impact assessment (DPIA) to analyze the risks and set up an improvement plan
Track all instances of personal data processing to retrieve data after an incident more easily and ensure that response activities can be reduced to minimize costs
16 of 40
The CEO has asked the privacy team to evaluate the organization in terms of data protection and privacy performance. A benchmark would be a proper way to objectively determine how well the organization is performing.
What does the privacy benchmark
A survey focused on the organization’s customer satisfaction regarding privacy
Comparisons across business units or departments regarding privacy compliance
The current privacy performance of the organization compared to that of one year ago
The privacy performance of the organization measured against that of similar entities in the industry
17 of 40
An organization wants to use artificial intelligence (AI) and deep learning algorithms in the human resources (HR) department to look at employment relations, create employee capability profiles and define bonuses for individual targets.
What must be done
and before implementing this new type of personal data processing?
Conduct a data protection impact assessment (DPIA)
Conduct a privacy assessment of the HR department
Report the processing to the supervisory authority
18 of 40
According to the GDPR, which activity is always a responsibility of the controller?
Being responsible for performing a data protection impact assessment (DPIA)
Contracting a security company for the protection of personal data in transit
Implementing a new method to collect personal data from the customers
Maintaining records of the processing activities carried out by the processor
19 of 40
A hospital outsources its printing of patient invoices to a printing company. The printing company also prints invoices for other organizations.
Due to an error, names and addresses were mixed up when they were sorted at the printing company, and a number of invoices were sent to the wrong patients.
The hospital had carefully analyzed their own processes. The hospital had a robust verification process in place and has contractual agreements with the printing company.
Why will the hospital be held
by the supervisory authority?
Because the contract determines this
Because the hospital is the controller
Because the mix-up is between patients
Because the verification has gone wrong
20 of 40
When a controller and a processor sign a contract for the processing of personal data, they both have specific responsibilities. Some of these responsibilities are prescribed by the GDPR and others can be arranged in the contract.
According to the GDPR, when does the processor always need written authorization by the controller?
When the processor contracts a company to protect data during transfers
When the processor contracts a third party to process personal data
When the processor implements a new method to collect personal data
When the processor implements a new method to delete personal data
21 of 40
Who has the legal obligation to keep records of processing activities?
The chief information officer
The chief privacy officer
The controller and processor
The data protection officer (DPO)
22 of 40
A North American organization based in the European Economic Area (EEA) processes personal data of natural persons. It processes ethnicity data on a large scale.
According to the GDPR, an organization is required to appoint a data protection officer (DPO) in three specific cases.
In this case, for what reason is it mandatory for this organization to appoint a DPO?
Foreigners’ personal data are processed
Personal data are processed in a third country
Personal data of minorities are processed
Special categories of personal data are processed on a large scale
23 of 40
A data protection officer (DPO) works for the Ministry of Transportation, which is a national department.
A new project is announced to monitor people's driving behavior on the national highways. The Ministry wants to use an intelligent video analysis system to single out cars and automatically recognize license plates.
The state secretary is in a hurry to get the project started and worries that privacy issues might cause unwelcome delays.
What should the DPO do?
Ask the state secretary to contact the supervisory authority, because this is clearly outside the DPO’s scope
Assure the state secretary that a data protection impact assessment (DPIA) is unnecessary, if data subjects are informed of the data processing
Inform the state secretary that a DPIA is mandatory for the large-scale monitoring of a public space
Urge the state secretary to reconsider the project because mass surveillance data processing is prohibited
24 of 40
Data protection officers (DPOs) are bound by secrecy or confidentiality concerning the performance of their tasks.
In relation to which party is the DPO
from this secrecy or confidentiality to seek advice?
The board of directors of the company
The data protection and privacy network members team
The information security officer (ISO)
The supervisory authority
25 of 40
A data protection impact assessment (DPIA) is a tool to identify data protection risks, especially the ones which are likely to highly affect the rights and freedoms of natural persons.
Why can the DPIA be seen as part of an organization's wider risk management?
Because the DPIA assesses all security risks of the organization under review and replaces any other risk assessment or risk management
Because the DPIA assesses risks by the likelihood and severity of the risk, similar to other well-defined components of risk management
Because the DPIA is mandatory for each project, according to the GDPR, which reduces all other legal requirements for risk management
26 of 40
According to the GDPR, what should always be part of a data protection impact assessment (DPIA)?
Develop a subject access request procedure to ensure compliance with data subjects’ rights
Identify the personal data that are processed and the intended purposes of the processing
Notify the data subjects that an assessment will take place and request their explicit consent
Set up an incident response plan and define appropriate safeguards to avoid data breaches
27 of 40
An organization develops a new product to find underperforming employees. They search their internet history and analyze work behavior using artificial intelligence (AI).
Although the software engineers do not fully understand the algorithm, management decides to fire the bottom 10% employees.
The data protection officer (DPO) is concerned about the impact of this product and informs the board that a data protection impact assessment (DPIA) is required.
part of the reason why a DPIA is mandatory?
The automation of the personal data processing
The evaluation that may affect the data subjects significantly
The processing of special categories of personal data
The systematic monitoring of personal aspects of natural persons
28 of 40
an outcome of a data protection impact assessment (DPIA)?
A log of access to confidential data, with an automated authorization check
A record of data subjects’ views on the intended processing operations
A systematic description of the intended processing operations
An assessment of risks to the rights and freedoms of data subjects
29 of 40
The GDPR details what the output of a data protection impact assessment (DPIA) must contain at a minimum.
mandatory in a DPIA?
A description of the processing and its purposes
An assessment of the necessity and proportionality of the processing operations in relation to the purposes
An assessment of the risks to the rights and freedoms of data subjects
The advice of the supervisory authority
30 of 40
A data protection impact assessment (DPIA) shows that the intended processing involves collecting more data on individual customers than is necessary to achieve the intended purpose.
According to the GDPR, what is the
Anonymize the data as soon as possible
Introduce a training and awareness program
Limit the period of time for which the data is stored
Reduce the amount of data collected
31 of 40
What is best done
, before starting a data protection impact assessment (DPIA)?
Determining measures to address the identified risks
Determining whether there is a need for a DPIA
Identifying the risks to the rights and freedoms of data subjects
32 of 40
A company performs a data protection impact assessment (DPIA).
Why is data mapping useful for a DPIA?
It assesses all organizational risks to privacy.
It helps to gain an overview of the personal data in use.
It helps to inform all relevant parties.
33 of 40
A privacy expert is hired by an organization. They wish to outsource part of their data processing activities. The expert performs a data protection impact assessment (DPIA) on the processing that involves a data processor.
One of the main steps of a DPIA requires the controller to provide all the input and does not require the processor to be involved.
Which step is that?
Assessment of the necessity and proportionality of the processing
Assessment of the risks to the rights and freedoms of data subjects
Mitigating measures to address the risks, including safeguards
Systematic descriptions of the intended processing operations
34 of 40
A large company is struggling financially. The board wants employees to work more efficiently.
The board starts an experiment in which the internet activities of the employees are monitored. The data are analyzed to see where more efficiency can be achieved. People categorized as
might be dismissed.
Why must a data protection impact assessment (DPIA) be done before using the new procedure?
Because a large company has many employees. Therefore, the processing will be large scale.
Because it is an experiment. A DPIA is required for new and experimental processing activities.
Because it is systematic processing. The decisions might significantly affect the employees.
35 of 40
An organization plans to make automated decisions on its clients, based on profiling.
Which part of the data protection impact assessment (DPIA) needs extra attention?
The assessment of the need to perform a DPIA in relation to this processing activity
The measures to protect the rights of the data subject that will be implemented
The measures to secure the personal data from being requested by data subjects
The procedures for data erasure after a data subject asks for their data to be removed
36 of 40
The GDPR states that organizations must seek ways to prevent personal data breaches. Therefore, it is important to quickly recognize incidents that can be classified as personal data breaches.
According to the GDPR, which incident is
a personal data breach?
A patient is expecting a package containing medical equipment, but it is delivered to the wrong address.
An employee working at a mental health clinic has misplaced a set of patient files that cannot be retraced.
The accidental destruction of personal data by a fire or an earthquake in a data warehouse
The unauthorized disclosure of a company’s confidential financial data regarding an intended acquisition
37 of 40
In which situation is it required to report a personal data breach to the supervisory authority?
If the organization cannot resolve the incident within a timeframe of 72 hours after it has occurred
In any situation where there is a security threat to the rights and freedom of natural persons
Only if the incident is recognized as a personal data breach within a timeframe of 72 hours
When a personal data breach is likely to result in a risk to the rights and freedom of natural persons
38 of 40
The head of the Human Resources (HR) department has lost a memory stick containing the personal information of 35 employees. The memory stick is protected by strong encryption. The HR department also has this personal information stored in a backup device.
According to the GDPR, is it mandatory to report this personal data breach to the supervisory authority?
Yes, because all security incidents must be reported to the supervisory authority.
Yes, because reporting it enables the supervisory authority to inform the employees.
No, because it is not a legitimate interest of the company to report data breaches.
No, because this personal data breach creates no risk to the data subjects’ rights.
39 of 40
According to the GDPR, in which situation must a personal data breach be reported to the data subjects affected?
When a personal data breach is likely to result in a high risk to the rights and freedoms of the data subject
When the supervisory authority has determined that consent was the only legal ground for processing
When there is a security incident that is labelled as a personal data breach within 72 hours
When personal data is compromised by external factors such as hackers or other cyber criminals
40 of 40
In the best practice incident response process the phases prepare, respond and follow-up are defined. For each phase, documentation is essential.
In the respond phase, it is important to gather and preserve evidence to show why an incident happened and why the organization was not able to prevent the incident.
What must be gathered and preserved?
Audit control plans
Data protection impact assessments (DPIAs)
Evidence to provide a clear picture
System recovery plans