PDPF Exam Questions – EXIN Privacy and Data Protection Foundation Exam – PassQuestion Free Questions To Test Online

1. What is the essence of the principle ‘Full Lifecycle Protection’?

Delivering the maximum degree of data protection by default, ensuring that personal data are automatically protected in any given IT system or business practice.

Ensuring that whatever business practice or technology is involved, processing is done according to the stated objectives, subject to independent verification.

Embedding security measures to protect the data from the moment it is collected, throughout processing until it is destroyed at the end of the process.

Prioritizing the protection of the interests of the individual by offering for example strong privacy defaults, appropriate notice or empowering user-friendly options.

2. A processor is instructed to report on customers who bought a product both last month and at least once in the three months before that. Unfortunately, the processor makes a mistake and uses personal data collected by another controller for a different purpose. The mistake is found before the report is created, and nobody has access to personal date he or she should not have had access to.

How should the processor act on this situation and what should the controller do, if anything?

The processor must notify the controller and the controller must notify the Data Protection Authority of a data breach.

The processor must notify the controller of a data breach. The controller must assess the possible risk to the data subjects.

The processor must notify the Data Protection Authority of a data breach. The controller must execute a PIA to assess the risk to data subjects.

The processor must restart processing using the right data. There is no need for the controller to act.

3. The Supervisory Authority is notified whenever an organization intends to process personal data, except for some specific situations. The Supervisory Authority keeps a publicly accessible register of these data processing operations.

What else is a legal obligation of the Supervisory Authority in reaction to such a notification?

To assess compliance with the law in all classes where sensitive personal data is processed

To assess the legitimacy of operations that involve specific risks for the data subjects

To assess the legitimacy of binding contract(s) between the controller and the data processor(s)

To give out a license for the data processing, specifying the types of personal data which are allowed

4. In what way are online activities of people most effectively used by modern marketers?

By analyzing the logs of the web server it can be seen which products are top sellers, allowing them to optimize their marketing campaigns for those products.

By tagging users of social media, profiles of their online behavior can be created. These profiles are used to ask them to promote a product.

By tagging visitors of web pages, profiles of their online behavior can be created. These profiles are sold and used in targeted advertisement campaigns.

5. A German company wants to enter into a binding contract with a processor in the Netherlands for the processing of sensitive personal data of German data subjects. The Dutch Supervisory Authority is informed of the type of data and the aims of the processing, including the contract describing what data will be processed and what data protection procedures and practices will be in place.

According to the GDPR, what should the Dutch Supervisory Authority do in this scenario?

Report the data processing to the German Supervisory Authority and leave the supervising to them.

Supervise the processing of personal data in accordance with Dutch Law.

Supervise the processing of personal data in accordance with German Law.

The Dutch Supervisory Authority should check that adequate binding contracts are in place. The German Supervisory Authority should supervise.

6. A person finds that a private videotape showing her in a very intimate situation has been published on a website. She never consented to publication and demands that the video is being removed without undue delay.

According to the GDPR, what should be done next?

Nothing. The video may be regarded as ‘news’ and, therefore, the website is only exercising its right to freedom of expression and information.

The controller erases the video from the website and, when possible, informs any controller who might process the same video, that it must be erased.

The controller erases the video from the website. There is no obligation however, to inform others who might have copied it, that it should be erased.

The controller directs the person to seek a lawyer and informs that he cannot exclude before a juridical authorization.

7. For processing of personal data to be legal, a number of requirements must be fulfilled.

What is a requirement for lawful personal data processing?

A ‘code of conduct’, describing what the processing exactly entails, must be in place.

The data subject must have given consent, prior to the processing to begin.

The processing must be reported to and allowed by the Data Processing Authority

There must be a legitimate ground for the processing of personal data.

8. Under what EU legislation is data transfer between the EEA and the U.S.A. allowed?

An adequacy decision based on the Privacy Shield program

An adequacy decision by reason of US domestic legislation

The Transatlantic Trade an Investment Partnership (TTIP)

The U.S.A.’s commitment to join the European Economic Area

9. According to the GDPR, for which situations should a Data Protection Impact Assessment (DPIA) be conducted?

For all projects that include technologies or processes that require data protection

For all sets of similar processing operations with comparable risks

For any situation where technologies and processes will be subject to a risk assessment

For technologies and processes that are likely to result in a high risk to the rights of data subjects

10. While paying with a credit card, the card is skimmed (i.e. the data on the magnetic strip is stolen). The magnetic strip contains the account number, expiration date, cardholder’s name and address, PIN number and more.

What kind of a data breach is this?

Material

Non-material

Verbal

PDPF Exam Questions – EXIN Privacy and Data Protection Foundation Exam

PDPF Exam Questions – EXIN Privacy and Data Protection Foundation Exam

Leave a Reply Cancel reply