Questionmark Perception
Dec 01 2020

Introduction

Exam instructions

This is the EXIN Privacy & Data Protection Foundation (PDPF.CH) sample exam. The EXIN exam rules apply to this exam.

This exam consists of 40 multiple-choice questions. Each question has several options, but only one of them is the correct answer.

The total number of points for this exam is 40. Each question is worth 1 point. You need 26 points or more to pass.

The exam time is 60 minutes.

Good luck!

Copyright © EXIN Holding B.V. 2020. All rights reserved.
EXIN® is a registered trademark.

Question 1 of 40

A shopkeeper wants to register how many visitors enter his shop every day. A system detects the MAC address of each visitor's smartphone. It is impossible for the shopkeeper to identify the owner of the phone from this signal, but telephone providers can link the MAC address to the owner of the phone.

According to the GDPR, is the shopkeeper allowed to use this method?

Question 2 of 40

Personal data as defined in the GDPR can be divided into several types. One of these types is described as follows:

Data that directly or indirectly reveal someone's racial or ethnic background, political, philosophical or religious views, trade union membership, and data related to health or sex life and sexual orientation.

What type of personal data is this?

Question 3 of 40

A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Which role in data protection is defined here?

Question 4 of 40

A security breach has occurred in an information system that also holds personal data.

According to the GDPR, what is the very first thing the controller must do?

Question 5 of 40

A breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

What is the exact term that is associated with this definition in the GDPR?

Question 6 of 40

Which data subject right is explicitly defined by the GDPR?

Question 7 of 40

When personal data are processed, who is ultimately responsible for demonstrating compliance with the GDPR?

Question 8 of 40

According to the principle of purpose limitation, data should not be processed beyond the legitimate purpose defined. However, further processing is allowed in a few specific cases, provided that appropriate safeguards for the rights and freedoms of the data subjects are taken.

For which purpose is further processing not allowed?

Question 9 of 40

According to the GDPR, in what situation must data subjects always be notified of a personal data breach?

Question 10 of 40

Some data processing falls outside of the material scope of the GDPR.

What type of processing is not subject to the GDPR?

Question 11 of 40

The GDPR does not define privacy as a term but uses the concept implicitly throughout the text.

What is a correct definition of privacy as implicitly used throughout the GDPR?

Question 12 of 40

What is the relationship between data protection and privacy?

Question 13 of 40

What is the legal status of the GDPR?

Question 14 of 40

In the GDPR, some types of personal data are regarded as special category personal data.

Which personal data are considered special category personal data?

Question 15 of 40

To plan the amount of parking space needed, a local government monitors and saves the license plate number of every car that enters and leaves the city center. They have obtained permission to collect data on the number of cars present in the city center.

By comparing the entry and exit times of each license plate, the number of cars present at every moment of each day is calculated. Each month a report is created detailing the average number of cars in the city center at specific moments for every day of the week. At every entrance to the city center, a billboard clearly states what data is collected by whom, the purpose of the processing, and the fact that the license plate numbers are stored securely for up to two years, because the measurements will be repeated next year.

Which of the basic principles for legitimate processing of personal data is violated in this scenario?

Question 16 of 40

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Which data processing principle is described here?

Question 17 of 40

A person is moving from city A to city B within an EEA member state. In city A he was a patient of the local hospital A. In city B he becomes a patient of hospital B. The patient has opted out of the national electronic patient file system.

The patient asks hospital A to forward his medical file directly to hospital B.

According to the GDPR, what is allowed?

Question 18 of 40

A company is planning to process personal data. The recently appointed data protection officer (DPO) executes a data protection impact assessment (DPIA). The DPO finds that all computers have a setting causing monitors to show a screen saver after five seconds of inactivity. However, the computers are not locked automatically. When employees leave their desk, they usually do not lock their computers either.

What is this an example of?

Question 19 of 40

The GDPR refers to the principles of proportionality and subsidiarity.

What is the meaning of subsidiarity in this context?

Question 20 of 40

"The controller shall implement appropriate technical and organizational measures for ensuring that (…) only personal data which are necessary for each specific purpose of the processing are processed."

Which term in the GDPR is defined here?

Question 21 of 40

While a backup was being performed, a data server disk crashed. Both the data and the backup are lost. The disk contained personal data, but no special category personal data.

The processor states that this is a personal data breach.

Is the statement of the processor true?

Question 22 of 40

Organizations are obliged to keep a number of records to demonstrate compliance with the GDPR.

Which record is not obligatory according to the GDPR?

Question 23 of 40

A personal data breach has occurred, and the controller is writing a draft notification for the supervisory authority. The following information is already in the notification:

- The nature of the personal data breach and its possible consequences.
- Information regarding the parties that can provide additional information about the data breach.

What other information must the controller provide?

Question 24 of 40

According to Article 33 of the GDPR, the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify a personal data breach to the supervisory authority.

What is the maximum penalty for non-compliance with this notification obligation?

Question 25 of 40

According to the GDPR, what is a task of a supervisory authority?

Question 26 of 40

A Belgian company has its headquarters in France for tax purposes. It enters into a legally binding contract with a processor in the Netherlands for the processing of personal data of data subjects with various nationalities.

A personal data breach occurs. The supervisory authorities start an investigation.

Why is the French supervisory authority seen as the lead supervisory authority?

Question 27 of 40

On July 12, 2016 the European Commission implemented a ruling regarding the transfer of personal data between the EEA and the US. The ruling is based on the data protection measures described in the EU-US Privacy Shield.

What kind of ruling is this?

Question 28 of 40

A controller wants to outsource the processing of personal data to a processor.

What must be done before outsourcing?

Question 29 of 40

What is the purpose of a data protection audit by the supervisory authority?

Question 30 of 40

In order for personal data processing to be lawful, what is always a requirement?

Question 31 of 40

Personal data can be transferred outside of the EEA.

According to the GDPR, which transfers outside the EEA are always lawful?

Question 32 of 40

According to the GDPR, what is a description of binding corporate rules (BCR)?

Question 33 of 40

A written contract between a controller and a processor is called a data processing agreement.

According to the GDPR, what does not have to be covered in the written contract?

Question 34 of 40

One of the objectives of a data protection impact assessment (DPIA) is to strengthen the confidence of customers or citizens in the way personal data is processed and privacy is respected.

How can a DPIA strengthen this confidence?

Question 35 of 40

One of the seven principles of data protection by design is Full Functionality – Positive-Sum, not Zero-Sum.

What is the essence of this principle?

Question 36 of 40

A company wishes to use the personal data of its customers to start sending all female customers a customized newsletter.

What right do all data subjects have in this scenario?

Question 37 of 40

What is a description of data protection by design and by default?

Question 38 of 40

According to the GDPR, when is a data protection impact assessment (DPIA) obligatory?

Question 39 of 40

The GDPR describes the principle of data minimization.

How can organizations comply with this principle?

Question 40 of 40

What is the main use of a persistent cookie?