Questionmark Perception
Dec 04 2021

Introduction

Exam instructions

This is a sample exam for EXIN Privacy & Data Protection Practitioner (PDPP.CH). The EXIN exam rules apply to this exam.

This exam consists of 40 multiple-choice questions. Each question has several options, of which only one is the correct answer.

The maximum score for this exam is 40 points. Each question is worth 1 point. You need 26 points or more to pass the exam.

The time allowed for this exam is 120 minutes.

During this exam you may consult the GDPR. You can access it by clicking the link; use the navigation key to return to the introduction (the dot before the first question) and click the link again.

Good luck!
Copyright © EXIN Holding B.V. 2021. All rights reserved.
EXIN® is a registered trademark.

Question

1  of 40
A company implements a privacy policy, which helps to demonstrate compliance with the GDPR. It is recommended that this policy is made publicly accessible for several reasons.

What is the main reason for making the privacy policy publicly available?

Question

2  of 40
According to the GDPR, what information is not a mandatory part of a privacy policy?

Question

3  of 40
The GDPR embraces the principles of privacy by design and by default. The application of these principles includes the implementation of both technical and organizational measures.

Why are organizational measures necessary?

Question

4  of 40
A company is setting up a project to create a new, free service for consumers.

According to privacy by design, what is the most desirable moment to discuss data protection?

Question

5  of 40
Setting up a data protection management system (DPMS) is done in phases. The first phase in building a DPMS is called Data Protection and Privacy Preparation. A step in this phase is performing initial data audits and assessments.

Why must these data audits and assessments be done in the Data Protection and Privacy Preparation phase of building a DPMS?

Question

6  of 40
An organization wants to comply with the GDPR. They are building a data protection management system (DPMS). The build of the DPMS is in the first phase: Data Protection and Privacy Preparation.

The data protection officer (DPO) has drafted a governance structure, established data flows, created a personal data inventory and established all three elements of the data protection privacy program (step 7).

What is the last step of the first phase of building a DPMS?

Question

7  of 40
A company wants to build a data protection management system (DPMS). The first phase in building a DPMS is Data Protection and Privacy Preparation.

Which step does not belong to this first phase?

Question

8  of 40
A company wants to set up a data protection management system (DPMS). The second phase in building a DPMS is called Data Protection and Privacy Organization. One of the steps in phase 2 has the following objective:

to integrate data protection and privacy thinking across the whole company and across all its functions

Which step in phase 2 has this objective?

Question

9  of 40
A data protection officer (DPO) realizes the importance of maintaining regular communication with all other individuals who have been appointed and are accountable or responsible for data protection and privacy. This group of individuals should work towards an organization-wide outcome, regarding data protection and privacy.

Which outcome benefits an organization the most?

Question

10  of 40
If an organization wants to develop, implement and manage a data protection management system (DPMS), this is done in several phases. The implementation of the DPMS has five phases: preparation, organization, development and implementation, governance, and evaluation and improvement.

What are the phases of implementing a DPMS comparable to?

Question

11  of 40
A key element of the GDPR is that an organization must demonstrate compliance. The implementation of a data protection management system (DPMS) can help demonstrate compliance.

Which phase of the implementation of a DPMS demonstrates compliance with the GDPR the most?

Question

12  of 40
A data protection officer (DPO) develops and implements a data protection and privacy management system (DPMS). The implementation is in phase 3: Data Protection and Privacy Development and Implementation.

What must be done first in phase 3?

Question

13  of 40
A personal data breach response plan describes the following actions:

- An external provider responds to the breach, provides public relations services and assists in minimizing the damage
- The data protection officer (DPO) asks the supervisory authority for support
- The processor notifies the business partners and data subjects about the data breach and asks their support

Who is most likely to minimize the impact for third parties and data subjects?

Question

14  of 40
Three health institutes work together to develop a mobile app for monitoring patients. Medical staff add their personal data and qualifications to the app, and patients add their personal data including medical data.

The health institutes appoint a single data protection officer (DPO). To run a pilot, they need to put the app in app stores. After the app is in app stores, they test the security of the new app. As a safety precaution, the description states that the app is in a pilot phase. Only a few test data subjects download the app, but they use it for real and enter actual data.

The test shows that the app is not secure at all. It can easily be hacked. A hacker could change health data of the patients and collect and use the data in unauthorized ways.

According to the GDPR, what must the DPO do?

Question

15  of 40
Compliance with the GDPR can be helped by implementing a systematic incident management regime.

What is an outline of an effective incident management process?

Question

16  of 40
The CEO has asked the privacy team to evaluate the organization in terms of data protection and privacy performance. A benchmark would be a proper way to objectively determine how well the organization is performing.

What does the privacy benchmark not cover?

Question

17  of 40
An organization wants to use artificial intelligence (AI) and deep learning algorithms in the human resources (HR) department to look at employment relations, create employee capability profiles and define bonuses for individual targets.

What must be done first and before implementing this new type of personal data processing?

Question

18  of 40
According to the GDPR, which activity is always a responsibility of the controller?

Question

19  of 40
A hospital outsources its printing of patient invoices to a printing company. The printing company also prints invoices for other organizations.

Due to an error, names and addresses were mixed up when they were sorted at the printing company, and a number of invoices were sent to the wrong patients.

The hospital had carefully analyzed their own processes. The hospital had a robust verification process in place and has contractual agreements with the printing company.

Why will the hospital be held responsible by the supervisory authority?

Question

20  of 40
When a controller and a processor sign a contract for the processing of personal data, they both have specific responsibilities. Some of these responsibilities are prescribed by the GDPR and others can be arranged in the contract.

According to the GDPR, when does the processor always need written authorization by the controller?

Question

21  of 40
Who has the legal obligation to keep records of processing activities?

Question

22  of 40
A North American organization based in the EEA processes personal data of natural persons. It processes ethnicity data on a large scale.

According to the GDPR, an organization is required to appoint a data protection officer (DPO) in three specific cases.

In this case, for what reason is it mandatory for this organization to appoint a DPO?

Question

23  of 40
A data protection officer (DPO) works for the Ministry of Transportation, which is a national department.

A new project is announced to monitor people's driving behavior on the national highways. The Ministry wants to use an intelligent video analysis system to single out cars and automatically recognize license plates.

The state secretary is in a hurry to get the project started and worries that privacy issues might cause unwelcome delays.

What should the DPO do?

Question

24  of 40
Data protection officers (DPOs) are bound by secrecy or confidentiality concerning the performance of their tasks.

In relation to which party is the DPO exempted from this secrecy or confidentiality to seek advice?

Question

25  of 40
A data protection impact assessment (DPIA) is a tool to identify data protection risks, especially the ones which are likely to highly affect the rights and freedoms of natural persons.

Why can the DPIA be seen as part of an organization's wider risk management?

Question

26  of 40
According to the GDPR, what should always be part of a data protection impact assessment (DPIA)?

Question

27  of 40
An organization develops a new product to find underperforming employees. They search their internet history and analyze work behavior using artificial intelligence (AI).

Although the software engineers do not fully understand the algorithm, management decides to fire the bottom 10% of employees.

The data protection officer (DPO) is concerned about the impact of this product and informs the board that a data protection impact assessment (DPIA) is required.

What is not part of the reason why a DPIA is mandatory?

Question

28  of 40
What is not an outcome of a data protection impact assessment (DPIA)?

Question

29  of 40
The GDPR details what the output of a data protection impact assessment (DPIA) must contain at a minimum.

What is not mandatory in a DPIA?

Question

30  of 40
A data protection impact assessment (DPIA) shows that the intended processing involves collecting more data on individual customers than is necessary to achieve the intended purpose.

According to the GDPR, what is the most appropriate response?

Question

31  of 40
What is best done first, before starting a data protection impact assessment (DPIA)?

Question

32  of 40
A company performs a data protection impact assessment (DPIA).

Why is data mapping useful for a DPIA?

Question

33  of 40
A privacy expert is hired by an organization. They wish to outsource part of their data processing activities. The expert performs a data protection impact assessment (DPIA) on the processing that involves a data processor.

One of the main steps of a DPIA requires the controller to provide all the input and does not require the processor to be involved.

Which step is that?

Question

34  of 40
A large company is struggling financially. The board wants employees to work more efficiently.

The board starts an experiment in which the internet activities of the employees are monitored. The data are analyzed to see where more efficiency can be achieved. People categorized as inefficient might be dismissed.

Why must a data protection impact assessment (DPIA) be done before using the new procedure?

Question

35  of 40
An organization plans to make automated decisions on its clients, based on profiling.

Which part of the data protection impact assessment (DPIA) needs extra attention?

Question

36  of 40
The GDPR states that organizations must seek ways to prevent personal data breaches. Therefore, it is important to quickly recognize incidents that can be classified as personal data breaches.

According to the GDPR, which incident is not a personal data breach?

Question

37  of 40
In which situation is it required to report a personal data breach to the supervisory authority?

Question

38  of 40
The head of the Human Resources (HR) department has lost a memory stick containing the personal information of 35 employees. The memory stick is protected by strong encryption. The HR department also has this personal information stored in a backup device.

According to the GDPR, is it mandatory to report this personal data breach to the supervisory authority?

Question

39  of 40
According to the GDPR, in which situation must a personal data breach be reported to the data subjects affected?

Question

40  of 40
In the best-practice incident response process, the phases prepare, respond and follow-up are defined. For each phase, documentation is essential.

In the respond phase, it is important to gather and preserve evidence to show why an incident happened and why the organization was not able to prevent the incident.

What must be gathered and preserved?