Sep 28 2020 |
This is the EXIN Privacy & Data Protection Foundation (PDPF.EN) sample exam. The Rules and Regulations for EXIN’s examinations apply to this exam.
This exam consists of 40 multiple-choice questions. Each multiple-choice question has a number of possible answers, of which only one is correct.
The maximum number of points that can be obtained for this exam is 40. Each correct answer is worth 1 point. You need 26 points or more to pass the exam.
The time allowed for this exam is 60 minutes.
Copyright © EXIN Holding B.V. 2019. All rights reserved.
EXIN® is a registered trademark.
1 of 40
A shopkeeper wants to register how many visitors enter his shop every day. A system detects the MAC-address of each visitor's smartphone. It is impossible for the shopkeeper to identify the owner of the phone from this signal, but telephone providers can link the MAC-address to the owner of the phone.
According to the GDPR, is the shopkeeper allowed to use this method?
Yes, because the shopkeeper cannot identify the owner of the telephone.
Yes, because the visitor has automatically consented by connecting to the Wi-Fi.
No, because the telephone’s MAC-address must be regarded as personal data.
No, because the telephone providers are the owners of the MAC-addresses.
2 of 40
Personal data as defined in the GDPR can be divided into several types. One of these types is described:
Data that directly or indirectly reveal someone's racial or ethnic background, political, philosophical, religious views, union affiliation and data related to health or sex life and sexual orientation.
What type of personal data is this?
Direct personal data
Indirect personal data
Special category personal data
3 of 40
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Which role in data protection is defined here?
4 of 40
A security breach has occurred in an information system that also holds personal data.
According to the GDPR, what is the very first thing the controller must do?
Ascertain whether the breach may have resulted in loss or unlawful processing of personal data
Assess the risk of adverse effects to the data subjects using a data protection impact assessment (DPIA)
Assess whether personal data of a sensitive nature has or may have been unlawfully processed
Report the breach immediately to all data subjects and the relevant supervisory authority
5 of 40
A breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
What is the term associated with this definition in the GDPR?
Personal data breach
6 of 40
Which data subject right is explicitly defined by the GDPR?
A copy of personal data must be provided in the format requested by the data subject.
Access to personal data must be provided free of charge for the data subject.
Personal data must always be changed at the request of the data subject.
Personal data must always be erased if the data subject requests this.
7 of 40
When personal data are processed, who is ultimately responsible for demonstrating compliance with the GDPR?
Data protection officer (DPO)
8 of 40
According to the principle of purpose limitation, data should not be processed beyond the legitimate purpose defined. However, further processing is allowed in a few specific cases, provided that appropriate safeguards for the rights and freedoms of the data subjects are taken.
For which purpose is further processing not allowed?
For archiving purposes in the public interest
For direct marketing and commercial purposes
For generalized statistical purposes
For scientific or historical research purposes
9 of 40
According to the GDPR, in what situation must data subjects be notified of a personal data breach?
When personal data is processed at a facility of the processor that is not located within the borders of the EEA
When personal data is processed by a party that agreed to the draft processing contract but has not yet signed it
When the system on which the personal data is processed is attacked causing damage to its storage devices
When there is a significant probability that the breach will lead to a high risk for the privacy of the data subjects
10 of 40
Some data processing falls outside of the material scope of the GDPR.
What type of processing is not subject to the GDPR?
Collecting name and address information for a gymnastics club
Creating a back-up of biometric data for data security purposes
Editing personal photographs before printing them at home
11 of 40
The GDPR does not define privacy as a term but uses the concept implicitly throughout the text.
What is a correct definition of privacy as implicitly used throughout the GDPR?
The fundamental right to protection of personal data, regardless of how it was obtained
The right not to be disturbed by uninvited people, nor being followed, spied on or monitored
The right to respect for one's private and family life, home and personal correspondence
The right to freedom of opinion and expression and to seeking, receiving and imparting information
12 of 40
What is the relationship between data protection and privacy?
Data protection and privacy are synonyms and have the same meaning.
Data protection is the part of privacy that protects a person’s physical integrity.
Data protection refers to the measures needed to protect a person’s privacy.
13 of 40
What is the legal status of the GDPR?
The GDPR is functional law in all member states of the EEA. Some Articles allow for member states law to provide for more specific rules.
The GDPR is a recommendation of the European Commission that EEA countries' law authorities improve their laws on the protection of personal data.
The GDPR sets out minimum conditions and requirements. Member states need to pass national laws to meet these minimum requirements.
14 of 40
In the GDPR, some types of personal data are regarded as special category personal data.
Which personal data are considered special category personal data?
A list of payments made using a credit card
An address list of members of a political party
A genealogical register of someone’s ancestors
15 of 40
To plan the amount of parking space needed, a local government monitors and saves the license plate number of every car that enters and leaves the city center. They have obtained permission to collect data on the number of cars present in the city center.
By comparing the license plate time of entry and exit the number of cars present every moment of each day is calculated. Each month a report is created detailing the average number of cars in the city center at specific moments for every day of the week. At every entrance to the city center, a billboard clearly states what data is collected by whom, the purpose of the processing and the fact that the license plate numbers are saved securely for up to two years, because the measurements will be repeated next year.
Which of the basic principles for legitimate processing of personal data is violated in this scenario?
Personal data are collected for specified, explicit and legitimate purposes and not further processed.
Personal data are kept in a form permitting identification of data subjects for no longer than is necessary.
Personal data are processed in a manner that ensures appropriate security of the personal data.
Personal data are processed in a transparent manner in relation to the data subject.
16 of 40
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Which data processing principle is described here?
Fairness and transparency
17 of 40
A person is moving from city A to city B, within an EEA member state. In city A he was a patient of the local hospital A. In city B, he becomes a patient of hospital B. The patient has opted out of the national electronic patients file system.
The patient asks hospital A to forward his medical file directly to hospital B.
According to the GDPR, what is allowed?
The hospital in A can send the data directly to hospital B, as requested by the patient
The hospital in A can send the file to hospital B, before the patient has requested it
The hospital in A can send the medical file to the data subject, but not to another hospital
The hospital in A cannot send the file, because there is no legitimate ground for processing
18 of 40
A company is planning to process personal data. The recently appointed data protection officer (DPO) executes a data protection impact assessment (DPIA). The DPO finds that all computers have a setting causing monitors to show a screen saver after five seconds of inaction. However, the computers are not locked automatically. When employees leave their desk, they usually do not lock their computers either.
What is this an example of?
Personal data breach
19 of 40
The GDPR refers to the principles of proportionality and subsidiarity.
What is the meaning of subsidiarity in this context?
Personal data can only be processed in accordance with the purpose specification.
Personal data cannot be reused without explicit and informed consent.
Personal data may only be processed when there are no other means to achieve the purposes.
Personal data must be adequate, relevant and not excessive in relation to the purposes.
20 of 40
"The controller shall implement appropriate technical and organizational measures for ensuring that (…) only personal data which are necessary for each specific purpose of the processing are processed."
Which term in the GDPR is defined here?
Data protection by design and by default
Embedded data protection
21 of 40
While performing a backup, a data server disk crashed. Both the data and the backup are lost. The disk contained personal data, but no special category personal data.
The processor states that this is a personal data breach.
Is the statement of the processor true?
Yes, because the personal data on the disk were unlawfully processed.
Yes, because there were no special category personal data stored on the disk.
No, because no personal data on the disk were processed, only destroyed.
No, because this is only a security incident and not a data breach.
22 of 40
Organizations are obliged to keep a number of records to demonstrate compliance with the GDPR.
Which record is not obligatory according to the GDPR?
A record of all intended processing together with the processing purpose(s) and legal justifications
A record of data breaches with all relevant characteristics, including notifications
A record of notifications sent to the supervisory authority regarding processing of personal data
A record of processors including personal data provided and the period this data can be retained
23 of 40
A personal data breach has occurred, and the controller is writing a draft notification for the supervisory authority. The following information is already in the notification:
- The nature of the personal data breach and its possible consequences.
- Information regarding the parties that can provide additional information about the data breach.
What other information must the controller provide?
Information of local and national authorities that were informed about the data breach
Name and contact details of the data subjects whose data may have been breached
Suggested measures to mitigate the adverse consequences of the data breach
The information needed to access the personal data that have been breached
24 of 40
According to Article 33 of the GDPR the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify a personal data breach to the supervisory authority.
What is the maximum penalty for non-compliance with this notification obligation?
€ 10.000.000 or 2% of the annual global turnover, whichever is higher
€ 20.000.000 or 4% of the annual global turnover, whichever is higher
Up to € 500.000 with a minimum of € 120.000
Up to € 820.000 with a minimum of € 350.000
25 of 40
According to the GDPR, what is a task of a supervisory authority?
Implement technical and organizational measures to ensure compliance
Investigate security breaches of corporate information
Monitor and enforce the application of the GDPR
26 of 40
A Belgian company has their headquarters in France for tax purposes. They enter into a legally binding contract with a processor in the Netherlands for the processing of personal data of data subjects with various nationalities.
A personal data breach occurs. The supervisory authorities start an investigation.
Why is the French supervisory authority seen as the lead supervisory authority?
Because France is located in the middle of Europe
Because France is the largest of the three EEA countries
Because the company has their headquarters in France
27 of 40
On July 12, 2016 the European Commission implemented a ruling regarding the transfer of personal data between the EEA and the US. The ruling is based on the data protection measures described in the EU-US Privacy Shield.
What kind of a ruling is this?
Legally binding contract
Treaty superseding the GDPR
28 of 40
A controller wants to outsource processing of personal data to a processor.
What must be done?
The controller must ask the supervisory authority for permission to outsource the processing of the data.
The controller must ask the supervisory authority if the agreed written contract is compliant with the regulations.
The controller and processor must draft and sign a written contract guaranteeing the confidentiality of the data.
The processor must show the controller that all demands agreed in the service level agreement (SLA) are met.
29 of 40
What is the purpose of a data protection audit by the supervisory authority?
To advise the controller on the mitigation of privacy risks to protect the controller from liability claims for non-compliance.
To fulfill the obligation in the GDPR to implement appropriate technical and organizational measures for data protection.
To monitor and enforce the application of the GDPR by assessing that processing is performed in compliance with the GDPR.
30 of 40
In order for personal data processing to be lawful, what is required?
A code of conduct must be in place, describing what the processing exactly entails.
The processing must be reported to and allowed by the supervisory authority.
There must be a legitimate ground for the processing of personal data.
31 of 40
Personal data can be transferred outside of the EEA.
According to the GDPR, which transfers outside the EEA are always lawful?
Transfers based on the laws of the non-EEA country concerned
Transfers falling under World Trade Organization rules
Transfers governed by approved binding corporate rules (BCR)
Transfers within a global corporation or organization
32 of 40
According to the GDPR, what is a description of binding corporate rules (BCR)?
A decision on the safety of transferring personal data to a non-EEA country
A measure to compensate for the lack of personal data protection in a third country
A set of agreements covering personal data transfers between non-EEA countries
A set of approved rules on personal data protection used by a group of enterprises
33 of 40
A written contract between a controller and a processor is called a data processing agreement.
According to the GDPR, what does not have to be covered in the written contract?
The contractor code of business ethics and conduct that is used
The information security and personal data breach procedures
The technical and organizational measures implemented
Which data are covered by the data processing agreement
34 of 40
One of the objectives of a data protection impact assessment (DPIA) is to strengthen the confidence of customers or citizens in the way personal data is processed and privacy is respected.
How can a DPIA strengthen the confidence?
The organization minimizes the risk of costly adjustments in processes or the redesign of systems in a later stage
The organization prevents non-compliance with the GDPR and minimizes the risk of fines
The organization proves that it takes privacy seriously and aims for compliance with the GDPR
35 of 40
One of the seven principles of data protection by design is Full Functionality – Positive-Sum, not Zero-Sum.
What is the essence of this principle?
Applied security standards must assure the confidentiality, integrity and availability of personal data throughout their lifecycle.
If different types of legitimate objectives are contradictory, the privacy objectives must be given priority over other security objectives.
When embedding privacy into a given technology, process, or system, it should be done in such a way that full functionality is not impaired.
Wherever possible, detailed privacy impact and risk assessments should be carried out and published, clearly documenting the privacy risks.
36 of 40
A company wishes to use personal data of their customers. They wish to start sending all female customers a customized newsletter.
What right do all data subjects have in this scenario?
The right to compensation
The right to object to profiling
The right to rectification
37 of 40
What is a description of data protection by design and by default?
An approach that implements data protection from the start
An indication of timeframes if processing relates to erasure
Data may only be collected for explicit and legitimate purposes
Not holding more data than is strictly required for processing
38 of 40
According to the GDPR, when is a data protection impact assessment (DPIA) obligatory?
When a project includes technologies or processes that use personal data
When processing is likely to result in a high risk to the rights of data subjects
When similar processing operations with comparable risks are repeated
39 of 40
The GDPR describes the principle of data minimization.
How can organizations comply with this principle?
By applying the concept of least privilege to the personal data collected, stored or otherwise processed
By limiting access rights to staff who need the personal data for the intended processing operations
By limiting file sizes, through saving all personal data that is processed in the smallest possible format
By limiting the personal data to what is adequate, relevant and necessary for the processing purposes
40 of 40
What is the use of a persistent cookie?
To ensure that the user’s personal data are stored securely on the server
To personalize the user’s experience of the website during a next visit
To record every keystroke made by a computer user to find out passwords
To save the pages a user has bookmarked in the user’s browser history
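The distinction behind this question is purely mechanical: a cookie is persistent only when the server sets a lifetime on it with a Max-Age or Expires attribute; without one the browser discards it when the session ends. The following classifier is an added example, not part of the EXIN exam or of any EXIN material. It applies the RFC 6265 rules (Max-Age takes precedence over Expires, a malformed attribute is ignored, a zero or past lifetime removes the cookie) to a handful of Set-Cookie headers that are constructed here for illustration, not captured from any real site.

```python
"""Classify Set-Cookie headers as session, persistent or expired cookies.

Added example for the persistent-cookie question; not taken from the exam.
The sample headers below are constructed, not captured from a real site.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie header values (hypothetical names/values).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "prefs=lang%3Den; Max-Age=31536000; Path=/; Secure",
    "tracker=9f8e; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
    "stale=1; Max-Age=0; Path=/",
    "odd=2; Max-Age=soon; Expires=not-a-date; Path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookie_lifetime(header, now=None):
    """Return (name, kind, expires_at); kind is 'session', 'persistent' or 'expired'.

    RFC 6265 section 5.2: Max-Age wins over Expires; a malformed Max-Age or
    Expires is treated as absent; an expiry at or before 'now' removes the
    cookie; no valid expiry at all means a session cookie.
    """
    now = now or datetime.now(timezone.utc)
    name, _value, attrs = parse_set_cookie(header)
    expires_at = None

    if "max-age" in attrs:
        raw = attrs["max-age"]
        digits = raw[1:] if raw.startswith("-") else raw
        if digits.isdigit():  # anything else is ignored per RFC 6265 5.2.2
            expires_at = now + timedelta(seconds=int(raw))

    if expires_at is None and "expires" in attrs:
        try:
            parsed = parsedate_to_datetime(attrs["expires"])
            if parsed.tzinfo is None:  # parser may return naive for "-0000"
                parsed = parsed.replace(tzinfo=timezone.utc)
            expires_at = parsed
        except (TypeError, ValueError, IndexError):
            pass  # unparseable date: attribute ignored

    if expires_at is None:
        return name, "session", None
    if expires_at <= now:
        return name, "expired", expires_at
    return name, "persistent", expires_at


def classify_all(headers, now=None):
    """Map cookie name to its kind for a list of Set-Cookie header values."""
    return {name: kind for name, kind, _ in (cookie_lifetime(h, now) for h in headers)}


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        name, kind, expires_at = cookie_lifetime(header)
        print(f"{name:10s} {kind:10s} {expires_at}")
```

Only `prefs` and `tracker` survive a browser restart, which is what makes them usable for recognising a returning visitor; `sessionid` is gone when the session ends, `stale` is deleted immediately, and `odd` falls back to a session cookie because both of its lifetime attributes are malformed.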