Questionmark Perception
Dec 01 2020

Introduction

This is the EXIN Privacy & Data Protection Foundation (PDPF.EN) sample exam. The Rules and Regulations for EXIN’s examinations apply to this exam.

This exam consists of 40 multiple-choice questions. Each multiple-choice question has a number of possible answers, of which only one is correct.

The maximum number of points that can be obtained for this exam is 40. Each correct answer is worth 1 point. You need 26 points or more to pass the exam.

The time allowed for this exam is 60 minutes.

Good luck!

Copyright © EXIN Holding B.V. 2020. All rights reserved.
EXIN® is a registered trademark.

Question 1 of 40
A shopkeeper wants to register how many visitors enter his shop every day. A system detects the MAC address of each visitor's smartphone. The shopkeeper cannot identify the owner of the phone from this signal, but telephone providers can link the MAC address to the owner of the phone.

According to the GDPR, is the shopkeeper allowed to use this method?

Question 2 of 40
Personal data as defined in the GDPR can be divided into several types. One of these types is described:

Data that directly or indirectly reveal someone's racial or ethnic origin, political opinions, philosophical or religious beliefs, or trade union membership, and data concerning health, sex life or sexual orientation.

What type of personal data is this?

Question 3 of 40
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Which role in data protection is defined here?

Question 4 of 40
A security breach has occurred in an information system that also holds personal data.

According to the GDPR, what is the very first thing the controller must do?

Question 5 of 40
A breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

What is the exact term that is associated with this definition in the GDPR?

Question 6 of 40
Which data subject right is explicitly defined by the GDPR?

Question 7 of 40
When personal data are processed, who is ultimately responsible for demonstrating compliance with the GDPR?

Question 8 of 40
According to the principle of purpose limitation, data should not be processed beyond the legitimate purpose defined. However, further processing is allowed in a few specific cases, provided that appropriate safeguards for the rights and freedoms of the data subjects are taken.

For which purpose is further processing not allowed?

Question 9 of 40
According to the GDPR, in what situation must data subjects always be notified of a personal data breach?

Question 10 of 40
Some data processing falls outside of the material scope of the GDPR.

What type of processing is not subject to the GDPR?

Question 11 of 40
The GDPR does not define privacy as a term but uses the concept implicitly throughout the text.

What is a correct definition of privacy as implicitly used throughout the GDPR?

Question 12 of 40
What is the relationship between data protection and privacy?

Question 13 of 40
What is the legal status of the GDPR?

Question 14 of 40
In the GDPR, some types of personal data are regarded as special category personal data.

Which personal data are considered special category personal data?

Question 15 of 40
To plan the amount of parking space needed, a local government monitors and saves the license plate number of every car that enters and leaves the city center. They have obtained permission to collect data on the number of cars present in the city center.

By comparing each license plate's time of entry and exit, the number of cars present at every moment of each day is calculated. Each month a report is created detailing the average number of cars in the city center at specific moments for every day of the week. At every entrance to the city center, a billboard clearly states what data is collected, by whom, the purpose of the processing, and the fact that the license plate numbers are saved securely for up to two years, because the measurements will be repeated next year.

Which of the basic principles for legitimate processing of personal data is violated in this scenario?

Question 16 of 40
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Which data processing principle is described here?

Question 17 of 40
A person is moving from city A to city B, within an EEA member state. In city A he was a patient of the local hospital A. In city B, he becomes a patient of hospital B. The patient has opted out of the national electronic patients file system.

The patient asks hospital A to forward his medical file directly to hospital B.

According to the GDPR, what is allowed?

Question 18 of 40
A company is planning to process personal data. The recently appointed data protection officer (DPO) executes a data protection impact assessment (DPIA). The DPO finds that all computers have a setting causing monitors to show a screen saver after five seconds of inaction. However, the computers are not locked automatically. When employees leave their desk, they usually do not lock their computers either.

What is this an example of?

Question 19 of 40
The GDPR refers to the principles of proportionality and subsidiarity.

What is the meaning of subsidiarity in this context?

Question 20 of 40
“The controller shall implement appropriate technical and organizational measures for ensuring that (...) only personal data which are necessary for each specific purpose of the processing are processed.”

Which term in the GDPR is defined here?

Question 21 of 40
While performing a backup, a data server disk crashed. Both the data and the backup are lost. The disk contained personal data, but no special category personal data.

The processor states that this is a personal data breach.

Is the statement of the processor true?

Question 22 of 40
Organizations are obliged to keep a number of records to demonstrate compliance with the GDPR.

Which record is not obligatory according to the GDPR?

Question 23 of 40
A personal data breach has occurred, and the controller is writing a draft notification for the supervisory authority. The following information is already in the notification:

- The nature of the personal data breach and its possible consequences.
- Information regarding the parties that can provide additional information about the data breach.

What other information must the controller provide?

Question 24 of 40
According to Article 33 of the GDPR, the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify a personal data breach to the supervisory authority.

What is the maximum penalty for non-compliance with this notification obligation?

Question 25 of 40
According to the GDPR, what is a task of a supervisory authority?

Question 26 of 40
A Belgian company has its headquarters in France for tax purposes. It enters into a legally binding contract with a processor in the Netherlands for the processing of personal data of data subjects with various nationalities.

A personal data breach occurs. The supervisory authorities start an investigation.

Why is the French supervisory authority seen as the lead supervisory authority?

Question 27 of 40
On July 12, 2016, the European Commission implemented a ruling regarding the transfer of personal data between the EEA and the US. The ruling is based on the data protection measures described in the EU-US Privacy Shield.

What kind of ruling is this?

Question 28 of 40
A controller wants to outsource processing of personal data to a processor.

What must be done before outsourcing?

Question 29 of 40
What is the purpose of a data protection audit by the supervisory authority?

Question 30 of 40
In order for personal data processing to be lawful, what is always a requirement?

Question 31 of 40
Personal data can be transferred outside of the EEA.

According to the GDPR, which transfers outside the EEA are always lawful?

Question 32 of 40
According to the GDPR, what is a description of binding corporate rules (BCR)?

Question 33 of 40
A written contract between a controller and a processor is called a data processing agreement.

According to the GDPR, what does not have to be covered in the written contract?

Question 34 of 40
One of the objectives of a data protection impact assessment (DPIA) is to strengthen the confidence of customers or citizens in the way personal data is processed and privacy is respected.

How can a DPIA strengthen the confidence?

Question 35 of 40
One of the seven principles of data protection by design is Functionality – Positive-Sum, not Zero-Sum.

What is the essence of this principle?

Question 36 of 40
A company wishes to use personal data of their customers. They wish to start sending all female customers a customized newsletter.

What right do all data subjects have in this scenario?

Question 37 of 40
What is a description of data protection by design and by default?

Question 38 of 40
According to the GDPR, when is a data protection impact assessment (DPIA) obligatory?

Question 39 of 40
The GDPR describes the principle of data minimization.

How can organizations comply with this principle?

Question 40 of 40
What is the main use of a persistent cookie?