Questionmark Perception
Dec 04 2021

Introduction

This is the EXIN Privacy & Data Protection Practitioner (PDPP.EN) sample exam. The Rules and Regulations for EXIN’s examinations apply to this exam.

This exam consists of 40 multiple-choice questions. Each multiple-choice question has a number of possible answers, of which only one is correct.

The maximum number of points that can be obtained for this exam is 40. Each correct answer is worth 1 point. You need 26 points or more to pass the exam.

The time allowed for this exam is 120 minutes.

You are allowed to use the GDPR for this exam. Please click on the link to open it. If you close the GDPR, use the Navigator button to go back to the Introduction (dot before question 1) and click on the link again.

Good luck!

Copyright © EXIN Holding B.V. 2019. All rights reserved.
EXIN® is a registered trademark.

Question 1 of 40
A company implements a privacy policy, which helps to demonstrate compliance with the GDPR. It is recommended that this policy be made publicly accessible for several reasons.

What is the main reason for making the privacy policy publicly available?

Question 2 of 40
According to the GDPR, what information is not a mandatory part of a privacy policy?

Question 3 of 40
The GDPR embraces the principles of privacy by design and by default. The application of these principles includes the implementation of both technical and organizational measures.

Why are organizational measures necessary?

Question 4 of 40
A company is setting up a project to create a new, free service for consumers.

According to privacy by design, what is the most desirable time to discuss data protection?

Question 5 of 40
Setting up a data protection management system (DPMS) is done in phases. The first phase in building a DPMS is called Data Protection and Privacy Preparation. A step in this phase is performing initial data audits and assessments.

Why must these data audits and assessments be done in the Data Protection and Privacy Preparation phase of building a DPMS?

Question 6 of 40
An organization wants to comply with the GDPR. It is building a data protection management system (DPMS). The build of the DPMS is in the first phase: Data Protection and Privacy Preparation.

The data protection officer (DPO) has drafted a governance structure, established data flows, created a personal data inventory and established all three elements of the data protection and privacy program (step 7).

What is the last step of the first phase of building a DPMS?

Question 7 of 40
A company wants to build a data protection management system (DPMS). The first phase in building a DPMS is Data Protection and Privacy Preparation.

Which step does not belong to this first phase?

Question 8 of 40
A company wants to set up a data protection management system (DPMS). The second phase in building a DPMS is called Data Protection and Privacy Organization. One of the steps in phase 2 has the following objective:

to integrate data protection and privacy thinking across the whole company and across all its functions

Which step in phase 2 has this objective?

Question 9 of 40
A data protection officer (DPO) realizes the importance of maintaining regular communication with all other individuals who have been appointed and are accountable or responsible for data protection and privacy. This group of individuals should work towards an organization-wide outcome, regarding data protection and privacy.

Which outcome benefits an organization the most?

Question 10 of 40
If an organization wants to develop, implement and manage a data protection management system (DPMS), this is done in several phases. The implementation of the DPMS has five phases: preparation, organization, development and implementation, governance, and evaluation and improvement.

What are the phases of implementing a DPMS comparable to?

Question 11 of 40
A key element of the GDPR is that an organization must demonstrate compliance. The implementation of a data protection management system (DPMS) can help demonstrate compliance.

Which phase of the implementation of a DPMS demonstrates compliance with the GDPR the most?

Question 12 of 40
A data protection officer (DPO) develops and implements a data protection and privacy management system (DPMS). The implementation is in phase 3: Data Protection and Privacy Development and Implementation.

What must be done first in phase 3?

Question 13 of 40
A personal data breach response plan describes the following actions:

- An external provider responds to the breach, provides public relations services and assists in minimizing the damage
- The data protection officer (DPO) asks the supervisory authority for support
- The processor notifies the business partners and data subjects about the data breach and asks their support

Who is most likely to minimize the impact for third parties and data subjects?

Question 14 of 40
Three health institutes work together to develop a mobile app for monitoring patients. Medical staff add their personal data and qualifications to the app, and patients add their personal data including medical data.

The health institutes appoint a single data protection officer (DPO). To run a pilot, they need to put the app in app stores. After the app is in app stores, they test the security of the new app. As a safety precaution, the description states that the app is in a pilot phase. Only a few test data subjects download the app, but they use it for real and enter actual data.

The test shows that the app is not secure at all. It can easily be hacked. A hacker could change health data of the patients and collect and use the data in unauthorized ways.

According to the GDPR, what must the DPO do?

Question 15 of 40
Compliance with the GDPR can be helped by implementing a systematic incident management regime.

What is an outline of an effective incident management process?

Question 16 of 40
The CEO has asked the privacy team to evaluate the organization in terms of data protection and privacy performance. A benchmark would be a proper way to objectively determine how well the organization is performing.

What does the privacy benchmark not cover?

Question 17 of 40
An organization wants to use artificial intelligence (AI) and deep learning algorithms in the human resources (HR) department to look at employment relations, create employee capability profiles and define bonuses for individual targets.

What must be done first and before implementing this new type of personal data processing?

Question 18 of 40
According to the GDPR, which activity is always a responsibility of the controller?

Question 19 of 40
A hospital outsources its printing of patient invoices to a printing company. The printing company also prints invoices for other organizations.

Due to an error, names and addresses were mixed up when they were sorted at the printing company, and a number of invoices were sent to the wrong patients.

The hospital had carefully analyzed its own processes. The hospital has a robust verification process in place and has contractual agreements with the printing company.

Why will the hospital be held responsible by the supervisory authority?

Question 20 of 40
When a controller and a processor sign a contract for the processing of personal data, they both have specific responsibilities. Some of these responsibilities are prescribed by the GDPR and others can be arranged in the contract.

According to the GDPR, when does the processor always need written authorization by the controller?

Question 21 of 40
Who has the legal obligation to keep records of processing activities?

Question 22 of 40
A North American organization based in the European Economic Area (EEA) processes personal data of natural persons. It processes ethnicity data on a large scale.

According to the GDPR, an organization is required to appoint a data protection officer (DPO) in three specific cases.

In this case, for what reason is it mandatory for this organization to appoint a DPO?

Question 23 of 40
A data protection officer (DPO) works for the Ministry of Transportation, which is a national department.

A new project is announced to monitor people's driving behavior on the national highways. The Ministry wants to use an intelligent video analysis system to single out cars and automatically recognize license plates.

The state secretary is in a hurry to get the project started and worries that privacy issues might cause unwelcome delays.

What should the DPO do?

Question 24 of 40
Data protection officers (DPOs) are bound by secrecy or confidentiality concerning the performance of their tasks.

In relation to which party is the DPO exempted from this secrecy or confidentiality to seek advice?

Question 25 of 40
A data protection impact assessment (DPIA) is a tool to identify data protection risks, especially the ones which are likely to highly affect the rights and freedoms of natural persons.

Why can the DPIA be seen as part of an organization's wider risk management?

Question 26 of 40
According to the GDPR, what should always be part of a data protection impact assessment (DPIA)?

Question 27 of 40
An organization develops a new product to find underperforming employees. They search their internet history and analyze work behavior using artificial intelligence (AI).

Although the software engineers do not fully understand the algorithm, management decides to fire the bottom 10% of employees.

The data protection officer (DPO) is concerned about the impact of this product and informs the board that a data protection impact assessment (DPIA) is required.

What is not part of the reason why a DPIA is mandatory?

Question 28 of 40
What is not an outcome of a data protection impact assessment (DPIA)?

Question 29 of 40
The GDPR details what the output of a data protection impact assessment (DPIA) must contain at a minimum.

What is not mandatory in a DPIA?

Question 30 of 40
A data protection impact assessment (DPIA) shows that the intended processing involves collecting more data on individual customers than is necessary to achieve the intended purpose.

According to the GDPR, what is the most appropriate response?

Question 31 of 40
What is best done first, before starting a data protection impact assessment (DPIA)?

Question 32 of 40
A company performs a data protection impact assessment (DPIA).

Why is data mapping useful for a DPIA?

Question 33 of 40
A privacy expert is hired by an organization. They wish to outsource part of their data processing activities. The expert performs a data protection impact assessment (DPIA) on the processing that involves a data processor.

One of the main steps of a DPIA requires the controller to provide all the input and does not require the processor to be involved.

Which step is that?

Question 34 of 40
A large company is struggling financially. The board wants employees to work more efficiently.

The board starts an experiment in which the internet activities of the employees are monitored. The data are analyzed to see where more efficiency can be achieved. People categorized as inefficient might be dismissed.

Why must a data protection impact assessment (DPIA) be done before using the new procedure?

Question 35 of 40
An organization plans to make automated decisions on its clients, based on profiling.

Which part of the data protection impact assessment (DPIA) needs extra attention?

Question 36 of 40
The GDPR states that organizations must seek ways to prevent personal data breaches. Therefore, it is important to quickly recognize incidents that can be classified as personal data breaches.

According to the GDPR, which incident is not a personal data breach?

Question 37 of 40
In which situation is it required to report a personal data breach to the supervisory authority?

Question 38 of 40
The head of the Human Resources (HR) department has lost a memory stick containing the personal information of 35 employees. The memory stick is protected by strong encryption. The HR department also has this personal information stored in a backup device.

According to the GDPR, is it mandatory to report this personal data breach to the supervisory authority?

Question 39 of 40
According to the GDPR, in which situation must a personal data breach be reported to the data subjects affected?

Question 40 of 40
In the best-practice incident response process, the phases prepare, respond and follow-up are defined. For each phase, documentation is essential.

In the respond phase, it is important to gather and preserve evidence to show why an incident happened and why the organization was not able to prevent the incident.

What must be gathered and preserved?