Ch. 14 GDPR and International Privacy Quiz Flashcards

Question 1

Q

The General Data Protection Regulation (GDPR) is based on the principles of proportionality and subsidiarity. What is the meaning of ‘proportionality’ in this context?

A) Personal data can only be processed in accordance with the purpose specification.
B) Personal data cannot be re-used without explicit and informed consent.
C) Personal data may only be processed in case there are no other means to achieve the purposes.
D) Personal data must be adequate, relevant and not excessive in relation to the purposes.

Answer

A

A) Incorrect. This is one of the legal limitations.
B) Incorrect. This is one of the legal limitations.
C) Incorrect. This is the definition of subsidiarity.
D) Correct. See:Course slide81 (day 1) Proportionality & subsidiarity checkand GDPR art. 35 (7).

Question 2

Q

The GDPR does not define privacy as a term but uses the concept implicitly throughout the text. What is a correct definition of privacy as implicitly used throughout the GDPR?

A) The fundamental right to protection of personal data, regardless of how it was obtained
B) The right not to be disturbed by uninvited people, nor being followed, spied on or monitored
C) The right to respect for one’s private and family life, home and personal correspondence
D) The right to freedom of opinion and expression and to seeking, receiving and imparting information

Answer

A

<a>physical privacy.
C) Correct. This is the definition as implicitly used throughout the GDPR. (Literature: A, Chapter 1)
D) Incorrect. This is a short version of Universal Declaration of Human Rights Article 19: freedom of opinion and expression.</a>

Question 3

Q

What is the relationship between data protection and privacy?

A) Data protection and privacy are synonyms and have the same meaning.
B) Data protection is the part of privacy that protects a person’s physical integrity.
C) Data protection refers to the measures needed to protect a person’s privacy.

Answer

A

A) Incorrect. Data protection helps to protect a person’s privacy, but the terms are not synonyms.
B) Incorrect. Data protection is not related to physical integrity or physical privacy.
C) Correct. Data protection are some of the measures needed to protect a person’s privacy. (Literature: A, Chapter 1)

Question 4

Q

Personal data as defined in the GDPR can be divided into several types. One of these types is described: Data that directly or indirectly reveal someone’s racial or ethnic background, political, philosophical, religious views, union affiliation and data related to health or sex life and sexual orientation. What type of personal data is this?

A) Direct personal data
B) Indirect personal data
C) Pseudonymized data
D) Special category personal data

Answer

A

A) Incorrect. Both direct and indirect data are described.
B) Incorrect. Both direct and indirect data are described.
C) Incorrect. Pseudonymized data cannot directly reveal information.
D) Correct. This is a definition of special category personal data. (Literature: A, Chapter 1; GDPR Article 4).

Question 5

Q

Which data subject right is explicitly defined by the GDPR?

A) A copy of personal data must be provided in the format requested by the data subject.
B) Access to personal data must be provided free of charge for the data subject.
C) Personal data must always be changed at the request of the data subject.
D) Personal data must always be erased if the data subject requests this.

Answer

A

A) Incorrect. It must be provided in a structured, commonly used and machine-readable format, but not necessarily in any format the data subject specifies.
B) Correct. Data subjects have a right to a copy of their data free of charge. However, only the first copy has to be free. (Literature: A, Chapter 4)
C) Incorrect. Only erroneous data has to be rectified.
D) Incorrect. The right to erasure has several exceptions to this, for instance if the data are needed for the establishment, exercise or defense of legal claims.

Question 6

Q

A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Which role in data protection is defined here?

A) Controller
B) Processor
C) Supervisory authority
D) Third party

Answer

A

A) Correct. The controller determines the purpose and means of the processing. (Literature: A, Chapter 1; GDPR Article 4(7))
B) Incorrect. The controller determines the purpose of the processing, the processor works on the controller’s instructions.
C) Incorrect. The supervisory authority monitors and enforces compliance with the GDPR requirements.
D) Incorrect. A third party has no role in determining the purpose of the processing. Any party that determines the purpose would become a new controller.

Question 7

Q

When personal data are processed, who is ultimately responsible for demonstrating compliance with the GDPR?

A) Controller
B) Data protection officer (DPO)
C) Processor
D) Supervisory authority

Answer

A

A) Correct. The controller is responsible for adequate data security measures and must be able to demonstrate compliance with the GDPR. (Literature: A, Chapter 2)
B) Incorrect. The DPO has expert knowledge and assists the controller or processor to monitor internal compliance.
C) Incorrect. The processor is the one who processes personal data according to the instructions of the controller. The controller remains ultimately responsible though
D) Incorrect. The controller needs to demonstrate compliance with the GDPR if requested by the supervisory authority.

Question 8

Q

To plan the amount of parking space needed, a local government monitors and saves the license plate number of every car that enters and leaves the city center. They have obtained permission to collect data on the number of cars present in the city center. By comparing the license plate time of entry and exit the number of cars present every moment of each day is calculated. Each month a report is created detailing the average number of cars in the city center at specific moments for every day of the week. At every entrance to the city center, a billboard clearly states what data is collected by whom, the purpose of the processing and the fact that the license plate numbers are saved securely for up to two years, because the measurements will be repeated next year.Which of the basic principles for legitimate processing of personal data is violated in this scenario?

A) Personal data are collected for specified, explicit and legitimate purposes and not further processed.
B) Personal data are kept in a form permitting identification of data subjects for no longer than is necessary.
C) Personal data are processed in a manner that ensures appropriate security of the personal data.
D) Personal data are processed in a transparent manner in relation to the data subject.

Answer

A

A) Incorrect. The local government is entitled to collect data on the number of cars present.
B) Correct. In the given scenario, there is no need to retain the data of a specific car identifying the owner once it has left the area. (Literature: A, Chapter 2; GDPR Article 5)
C) Incorrect. The scenario does not suggest inappropriate security.
D) Incorrect. The processing is taking place transparently, since it is communicated properly to the data subjects.

Question 9

Q

The GDPR refers to the principles of proportionality and subsidiarity. What is the meaning of subsidiarity in this context?

A) Personal data can only be processed in accordance with the purpose specification.
B) Personal data cannot be reused without explicit and informed consent.
C) Personal data may only be processed when there are no other means to achieve the purposes.
D) Personal data must be adequate, relevant and not excessive in relation to the purposes.

Answer

A

A) Incorrect. This is one of the legal limitations.
B) Incorrect. This is one of the legal limitations.
C) Correct. This is the definition of subsidiarity. (Literature: A, Chapter 3; GDPR Article 35(7)
D) Incorrect. This is the definition of proportionality.

Question 10

Q

According to the principle of purpose limitation, data should not be processed beyond the legitimate purpose defined. However, further processing is allowed in a few specific cases, provided that appropriate safeguards for the rights and freedoms of the data subjects are taken.For which purpose is further processing not allowed?

A) For archiving purposes in the public interest
B) For direct marketing and commercial purposes
C) For generalized statistical purposes
D) For scientific or historical research purposes

Answer

A

A) Incorrect. With the safeguards in place, further processing is allowed for archiving purposes in the public interest.
B) Correct. This is not a purpose that is allowed, if it is not the original legitimate purpose of the processing. (Literature: A, Chapter 2)
C) Incorrect. With the safeguards in place, further processing is allowed for generalized statistical purposes.
D) Incorrect. With the safeguards in place, further processing is allowed for research purposes.

Question 11

Q

A person is moving from city A to city B, within an EEA member state. In city A he was a patient of the local hospital A. In city B, he becomes a patient of hospital B. The patient has opted out of the national electronic patients file system. The patient asks hospital A to forward his medical file directly to hospital B. According to the GDPR, what is allowed? A) The hospital in A can send the data directly to hospital B, as requested by the patient B) The hospital in A can send the file to hospital B, before the patient has requested it C) The hospital in A can send the medical file to the data subject, but not to another hospital D) The hospital in A cannot send the file, because there is no legitimate ground for processing

Answer

A

A) Correct. The right to portability allows this. (Literature: A, Chapter 3) B) Incorrect. The hospital in B can only acquire the file from A with consent or if it is in the vital interest of the data subject and consent cannot be obtained. C) Incorrect. The data subject can ask for the data to be sent directly. D) Incorrect. A request, which implies consent, of the data subject is a sufficient legitimate ground.

Question 12

Q

A company is planning to process personal data. The recently appointed data protection officer (DPO) executes a data protection impact assessment (DPIA). The DPO finds that all computers have a setting causing monitors to show a screen saver after five seconds of inaction. However, the computers are not locked automatically. When employees leave their desk, they usually do not lock their computers either.What is this an example of?

A) Data access
B) Personal data breach
C) Security incident
D) Security vulnerability

Answer

A

A) Incorrect. The data have not been accessed.
B) Incorrect. No personal data has been processed unauthorized yet, so it is not a breach.
C) Incorrect. Processing has yet to begin, there is no reason to assume an incident has taken place.
D) Correct. Confidentiality of the data cannot be guaranteed if employees leave their workstation without locking the computer. (Literature: A, Chapter 2; GDPR Article 5(1)(f))

Question 13

Q

”The controller shall implement appropriate technical and organizational measures for ensuring that (.) only personal data which are necessary for each specific purpose of the processing are processed.” Which term in the GDPR is defined here?

A) Compliance
B) Data protection by design and by default
C) Embedded data protection

Answer

A

A) Incorrect. Compliance means meeting rules or standards.
B) Correct. By default, the minimum of personal data is to be processed for the shortest possible period, using the best possible security measures to prevent unauthorized access. Data protection by design refers to processing that includes appropriate measures to implement data protection principles. (Literature: A, Chapter 8; GDPR Article 25)
C) Incorrect. Embedded data protection is the result of data protection by design.

Question 14

Q

According to the GDPR, what is a task of a supervisory authority?

A) Implement technical and organizational measures to ensure compliance
B) Investigate security breaches of corporate information
C) Monitor and enforce the application of the GDPR

Answer

A

A) Incorrect. This is the task of the controller.
B) Incorrect. Only breaches of personal data are a concern of the supervisory authority.
C) Correct. This is the main task of any supervisory authority. (Literature: A, Chapter 7)

Question 15

Q

According to the GDPR, what is a description of binding corporate rules (BCR)

A) A decision on the safety of transferring personal data to a non-EEA country
B) A measure to compensate for the lack of personal data protection in a third country
C) A set of agreements covering personal data transfers between non-EEA countries
D) A set of approved rules on personal data protection used by a group of enterprises

Answer

A

A) Incorrect. This refers to adequacy decisions.
B) Incorrect. This refers to appropriate safeguards.
C) Incorrect. The GDPR does not cover agreements between non-EEA countries.
D) Correct. BCR are a set of rules approved by the supervisory authorities. (Literature: A, Chapter 3; GDPR Article 47)

Question 16

Q

A controller wants to outsource processing of personal data to a processor. What must be done before outsourcing?

A) The controller must ask the supervisory authority for permission to outsource the processing of the data.
B) The controller must ask the supervisory authority if the agreed written contract is compliant with the regulations.
C) The controller and processor must draft and sign a written contract guaranteeing the confidentiality of the data.
D) The processor must show the controller that all demands agreed in the service level agreement (SLA) are met.

Answer

A

C) The controller and processor must draft and sign a written contract guaranteeing the confidentiality of the data.

A) Incorrect. The controller does not have to ask the supervisory authority for permission for each instance of outsourcing.
B) Incorrect. The supervisory authority is not a legal counsel and will not check contracts for compliance.
C) Correct. There must be a written contract guaranteeing the confidentiality of the data, listing the purposes and means of processing as defined by the controller and specifying that processor will only process on instruction of the controller. Both parties must sign this contract. (Literature: A, Chapter 8; GDPR Article 28(3))
D) Incorrect. An SLA is not enough as it will focus on operations, not necessarily on purposes.

Question 17

Q

What is a description of data protection by design and by default? A) An approach that implements data protection from the start B) An indication of timeframes if processing relates to erasure C) Data may only be collected for explicit and legitimate purposes D) Not holding more data than is strictly required for processing

Answer

A

A) Correct. This is a correct description. (Literature: A, Chapter 8; GDPR Article 25(1)) B) Incorrect. This is a description of a data protection impact assessment (DPIA). C) Incorrect. This is a description of measures taken to comply with the principle of purpose limitation. D) Incorrect. This is a description of procedures to comply with the principle of data minimization.

Question 18

Q

According to the GDPR, when is a data protection impact assessment (DPIA) obligatory? A) When a project includes technologies or processes that use personal data B) When processing is likely to result in a high risk to the rights of data subjects C) When similar processing operations with comparable risks are repeated

Answer

A

A) Incorrect. Only for technologies and processes that are likely to result in a high risk to the rights of data subjects is the DPIA mandatory. B) Correct. For processing operations which are likely to result in a high risk, a DPIA is obligatory to assess those risks and to design mitigation measures. (Literature: A, Chapter 6; GDPR Article 35) C) Incorrect. This is a case in which a DPIA does not need to be repeated.

Question 19

Q

What is the main use of a persistent cookie? A) To ensure that the user’s personal data are stored securely on the server B) To personalize the user’s experience of the website during a next visit C) To record every keystroke made by a computer user to find out passwords D) To save the pages a user has bookmarked in the user’s browser history

Answer

A

A) Incorrect. Cookies are not used to store data on the server. B) Correct. This is the main purpose of a persistent cookie. (Literature: A, Chapter 8) C) Incorrect. Cookies are not malicious by nature, but the mechanism can be exploited maliciously. D) Incorrect. The bookmarks and browser history are saved, but not in a cookie.

Question 20

Q

A company wishes to use personal data of their customers. They wish to start sending all female customers a customized newsletter. What right do all data subjects have in this scenario?

A) The right to compensation
B) The right to object to profiling
C) The right to rectification

Answer

A

A) Incorrect. It is unlikely that all data subjects will suffer harm that must be compensated in this scenario.
B) Correct. All data subjects have a right to object to the processing of personal data for direct marketing, including profiling. This is clearly profiling. (Literature: A, Chapter 4)
C) Incorrect. It is unlikely that the company has incorrect data on all data subjects, so the right to rectification does not apply.

Question 21

Q

The processing of personal data has to meet general rules on quality. What is one of these rules defined by the GDPR?

A) The data processed must be archived.
B) The data processed must be encrypted.
C) The data processed must be indexed.
D) The data processed must be relevant.

Answer

A

A) Incorrect. No such requirement is defined by the GDPR.
B) Incorrect. No such requirement is defined by the GDPR.
C) Incorrect. No such requirement is defined by the GDPR.
D) Correct. This requirement is defined by the GDPR. See: Course slides 66 (day 1) General rules on quality

Question 22

Q

Every time personal data is processed, proportionality and subsidiarity must be checked. What is the requirement for the personal data being processed? A) It must be limited always to what is necessary to achieve the defined goals and must be limited to the least “intrusive” data. B) It must be handled by the smallest number of employees possible and they must work for the Controller or an affiliate. C) It must be limited to a predefined storage size and the system used must be financed by the Controller. D) It must be used for the smallest number of purposes possible and this may not be done outside the premises of the Processor.

Answer

A

A) Correct. These terms mean you collect no more data than needed to achieve the predefined goal(s), and you always try to use data that has the least impact on the privacy of the Data Subject. See: Course slide 81 (day 1) Proportionality & subsidiarity check. B) Incorrect. The number of employees or their affiliation to some subsidiary has nothing to do with these terms. C) Incorrect. Storage size and who finances the systems used has nothing to do with these terms. D) Incorrect. As long as the Data Subject gives consent the number of goals is not explicitly restricted, nor is the location.

Question 23

Q

"The controller shall implement appropriate technical and organizational measures for ensuring that (...) only personal data which are necessary for each specific purpose of the processing are processed." Which term in the General Data Protection Regulation (GDPR) is defined? A) Compliance B) Data protection by default C) Data protection by design D) Embedded protection

Answer

A

A) Incorrect. Compliance is the state or fact of according with - or meeting rules or standards. B) Correct. By default the minimum of personal data is to be processed for the shortest possible period, using the best possible security measures to prevent unauthorized access. See: GDPR art. 20 (2). C) Incorrect. Data protection by design refers to a design that includes appropriate measures to implement data protection principles. D) Incorrect. Embedded data protection is the result of data protection by design.

Question 24

Q

What is the term used in the General Data Protection Regulation (GDPR) for unauthorized disclosure of, or access to, personal data? A) confidentiality violation B) data breach C) incident D) security incident

Answer

A

A) Incorrect. GDPR uses the term data breach. Not every data breach is a confidentiality violation. B) Correct. See: GDPR article 4 (12) C) Incorrect. GDPR uses the term data breach. Not every incident is a data breach. D) Incorrect. GDPR uses the term data breach. Not every security incident is a data breach.

Question 25

Q

It has been ascertained that a data breach of sensitive personal data occurred. To whom must this ultimately be reported according to the General Data Protection Regulation (GDPR)? A) the Data Protection Authority (DPA) B) the Data Protection Officer (DPO) C) the manager of the department D) the police

Answer

A

A) Correct. Data breaches must be reported to the DPA if they might have a significant impact on the security of the data subject or their personal data. See Course slide 98 (day 1) Notification by telecom organisations. B) Incorrect. Even though it might be reported to an internal DPO, in the end it must be reported to the DPA. C) Incorrect. Even though it might be reported to the manager, in the end it must be reported to the DPA. D) Incorrect. Data breaches don't necessarily have to be reported to the police, but in the end they must be reported to the DPA.

Question 26

Q

While performing a backup, a data server disk crashes. Both the data and the backup are lost. The disk contained personal data but no sensitive data. What kind of incident is this? A) data breach B) security breach C) security incident

Answer

A

A) Correct. Personal data irretrievably lost is regarded as unauthorized processing, which makes it a data breach. See: GDPR Chapter I, Article 4, Definitions. B) Incorrect. Personal data irretrievably lost is regarded as unauthorized processing, which makes it a data breach. C) Incorrect. Personal data irretrievably lost is regarded as unauthorized processing, which makes it a data breach.

Question 27

Q

Someone working for a trade union took a draft newsletter home to finish it there for the members. The USB stick containing the draft and the mailing list, was lost. Apart from the privacy authority, to whom should this data breach also be reported? A) all members on the mailing list B) the board of the trade union C) the police

Answer

A

A) Correct. See: Course slide 98 & 102 (day 1) Notification of the Data Subject. B) Incorrect. This is sensitive data, so the loss must be reported to both the privacy authority and the data subjects. C) Incorrect. This is sensitive data, so the loss must be reported to both the privacy authority and the data subjects.

Question 28

Q

A social services organization plans to design a new database to administrate its clients and the care they need. In order to request permission from the Data Protection Authority (DPA), what is one of the first important steps to be taken? A) Collect data about the clients and the amount and kind of care needed and provided. B) Conduct a Privacy Impact Assessment (PIA) to assess the risks of the intended processing. C) Obtain consent of the clients for the intended processing of their personal data.

Answer

A

A) Incorrect. Collecting medical personal data is by definition 'processing sensitive data'. Permission of the DPA and the data subject is needed beforehand. B) Correct. When asking consent to process data, the data subject 'should be made aware of risks, rules, safeguards and rights ...' See: GDPR recital (39). A PIA is needed to assess those risks and safeguards. C) Incorrect. When asking consent to process data, the data subject 'should be made aware of risks, rules, safeguards and rights ...'. A PIA is needed first to assess those risks and safeguards.

Question 29

Q

In which case should the Data Subjects always be notified of a data breach? A) The breach did not lead to a significant probability for detrimental consequences for the protection of personal data. B) The personal data was processed at a facility of the Processor that is not located within the borders of the EU. C) The personal data was processed by a party that did not yet sign a binding contract with the Controller. D) The system on which the personal data was processed was attacked causing damage to its storage devices.

Answer

A

A) Incorrect. If there is no significant negative (potential) impact on the Data Subjects, there is no obligation to notify them of the breach. You should still consider it though. B) Incorrect. The location where the data is processed is of no significance to the obligation to notify Data Subjects of data breaches. C) Correct. Any situation where personal data is processed by another party than the Controller without a binding contract guaranteeing compliance to the GDPR is always considered a data breach. See: Course slide 103 (day 1) Notification of the Data Subject. D) Incorrect. Damage to storage devices will make access to the data difficult or even impossible, but does not imply illegal processing. Processing might even become impossible altogether in this particular example.

Question 30

Q

A Dutch controller has contracted the processing of sensitive personal data out to a processor in a North African country, without consulting the Data Protection Authority (DPA). Is was discovered and he was penalized by the DPA. Six months later the DPA finds out that the controller is guilty of the same transgression again for another processing operation. What is the maximum penalty the DPA can impose in this case? A) € 750.000 B) €1.230.000 C) 2% of the company's worldwide turnover with a minimum of € 10.000.000 D) 4% of the company's worldwide turnover with a minimum of € 20.000.000

Answer

A

A) Incorrect. According to GDPR art. 83.3, the maximum fine is 4% of the company's worldwide turnover with a minimum of € 20.000.000. B) Incorrect. According to GDPR art. 83.3, the maximum fine is 4% of the company's worldwide turnover with a minimum of € 20.000.000. C) Incorrect. According to GDPR art. 83.3, the maximum fine is 4% of the company's worldwide turnover with a minimum of € 20.000.000 D) Correct. This is the maximum for a violation. See: GDPR art. 83.3.

Question 31

Q

1 / 40 A company implements a privacy policy, which helps to demonstrate compliance with the GDPR. It is recommended that this policy is made publicly accessible for several reasons. What is the main reason for making the privacy policy publicly available? A) To allow customers and partners to verify which personal data the organization must process B) To allow customers, partners and the supervisory authority to assess how personal data are handled C) To communicate the result of data protection impact assessments (DPIAs) performed in the organization D) To inform the supervisory authority of how the organization will respond after personal data breaches

Answer

A

A) Incorrect. Publicly available privacy policies do not establish which personal data must be processed by the organization. They provide transparency to the personal data processing. B) Correct. A publicly available policy supports transparency, allows customers and partners to assess it, and provides a clear statement that supervisory authorities and other regulators can assess the organization against. (Literature: A, Chapter 16) C) Incorrect. The result of the DPIAs are intended to be documented for internal consultation and should not be included in the privacy policy. D) Incorrect. How the organization responds to a data breach is part of the data breach response plan, which is an internal document and not required to be publicly available.

Question 32

Q

According to the GDPR, what information is not a mandatory part of a privacy policy? A) Information about international transfers of personal data to a third country B) Information about the identity and contact details of the controller C) Information relating to data security measures in the organization D) Information relating to retention periods and data subject's rights

Answer

A

A) Incorrect. This is mandatory. B) Incorrect. This is mandatory. C) Correct. This is part of an information security policy. (Literature: A, Chapter 16; GDPR Article 13) D) Incorrect. This is mandatory.

Question 33

Q

The GDPR embraces the principles of privacy by design and by default. The application of these principles includes the implementation of both technical and organizational measures. Why are organizational measures necessary? A) Because privacy by design and by default requires that the organization restricts personal data access to controllers only B) Because protecting the rights of data subjects, requires organizational processes that technical measures cannot cover C) Because the designation of a data protection officer (DPO), where mandatory, is regarded as an organizational measure

Answer

A

A) Incorrect. Organizational measures are meant to protect the data subjects’ rights and consist of procedures for fair and transparent processing. B) Correct. Some internal processes and procedures must be addressed by organizational measures to guarantee that the data subjects rights can be fully exercised in compliance with the GDPR. Technical tools and systems complement the organizational measures, but do not substitute them. (Literature: A, Chapter 9) C) Incorrect. Organizational measures are meant to protect the data subjects’ rights and consist of procedures for fair and transparent processing.

Question 34

Q

A company is setting up a project to create a new, free service for consumers. According to privacy by design, what is the most desirable time to discuss data protection? A) From the start of the project B) During the implementation phase C) When the project nears completion

Answer

A

A) Correct. Privacy and data protection must be promoted from the start of the project in line with the privacy by design principle. (Literature: A, Chapter 5; F) B) Incorrect. Discussing data protection in the implementation phase is too late. C) Incorrect. Discussing data protection in the project completion phase is too late.

Question 35

Q

Setting up a data protection management system (DPMS) is done in phases. The first phase in building a DPMS is called Data Protection and Privacy Preparation. A step in this phase is performing initial data audits and assessments. Why must these data audits and assessments be done in the Data Protection and Privacy Preparation phase of building a DPMS? A) Because the data audits and assessments analyze the awareness and readiness of staff regarding data protection and privacy B) Because the data audits and assessments identify risks regarding compliance, people and other related risks for the organization C) Because the data audits and assessments provide a clear overview of the current personal data flows inside and outside the organization D) Because the data audits and assessments provide an inventory of where different types of personal data are located within the organization

Answer

A

A) Incorrect. Data audits and assessments are not intended to provide an analysis of the awareness and readiness of staff regarding data protection and privacy. B) Correct. Data audits and assessments in this phase identify risks regarding compliance, individuals and other related risks. The outcome provides a first insight into what should be covered by the DPMS. (Literature: B, Chapter 2.2.1) C) Incorrect. Data audits and assessments are not used to provide insight into data flows inside and outside the organization. D) Incorrect. Data audits and assessments are not used to provide an inventory of where types of data are located within the organization, but to identify risks.

Question 36

Q

An organization wants to comply with the GDPR. They are building a data protection management system (DPMS). The build of the DPMS is in the first phase: Data Protection and Privacy Preparation. The data protection officer (DPO) has drafted a governance structure, established data flows, created a personal data inventory and established all three elements of the data protection and privacy program (step 7). What is the last step of the first phase of building a DPMS? A) Carry out an analysis of the communication and training aspects required for your company's staff regarding data protection and privacy B) Define clear roles and responsibilities in job descriptions and related documents, such as employment contracts of privacy managers and of a DPO C) Draft a comprehensive guide to all members responsible for data protection and privacy to achieve compliance with relevant legislation D) Draft and submit a report to the organization’s board about the steps taken so far, recommending action plans and a budget

Answer

A

A) Incorrect. This is one of the three elements of the data protection and privacy program that was already established in step 7. B) Incorrect. This step is taken much later in phase 2, step 4. C) Incorrect. This is the first step to be taken in phase 2. D) Correct. This is the last step to be taken in the first phase. (Literature: B, Chapter 2.2.1)

Question 37

Q

A company wants to build a data protection management system (DPMS). The first phase in building a DPMS is Data Protection and Privacy Preparation. Which step does not belong to this first phase? A) Develop draft implementation action plans B) Establish a data government organization C) Maintain data privacy documentation D) Perform initial data audits and assessments

Answer

A

A) Incorrect. This is a step that belongs to the first phase. B) Incorrect. This is a step that belongs to the first phase. C) Correct. This step belongs to phase 4: 'Data Protection and Privacy Governance'. The first phase consists of the following steps: conduct privacy analysis, collect privacy laws, analyze privacy impact, perform initial data audits and assessments, establish data governance organization, establish data flows and personal data inventory, establish data protection and privacy program, develop data protection and privacy implementation action plans. (Literature: B, Chapter 2.2) D) Incorrect. This is a step that belongs to the first phase.

Question 38

Q

A company wants to set up a data protection management system (DPMS). The second phase in building a DPMS is called Data Protection and Privacy Organization. One of the steps in phase 2 has the following objective: to integrate data protection and privacy thinking across the whole company and across all its functions Which step in phase 2 has this objective? A) Audit the measures and controls for privacy and data protection to identify gaps and errors B) Implement and operate the data protection and privacy computerized systems C) Inform employees about the status of the privacy and data protection program D) Maintain regular mutual communication for data protection and privacy issues

Answer

A

A) Incorrect. This audit can only take place after the full implementation. It is the outcome of phase 5. B) Incorrect. This is a technical measure to ensure data integrity, not a cultural measure to integrate data protection and privacy thinking across the whole company and all its functions. C) Incorrect. Although it is important for employees to know the status of the program, this type of communication is not enough to engage everyone and effectively integrate data protection and privacy thinking across the whole company and all its functions. D) Correct. Constant regular communication is a must to effectively implement the company’s data protection and privacy strategy in all company operations. (Literature: B, Chapter 2.2.2.)

Question 39

Q

A data protection officer (DPO) realizes the importance of maintaining regular communication with all other individuals who have been appointed and are accountable or responsible for data protection and privacy. This group of individuals should work towards an organization-wide outcome, regarding data protection and privacy. Which outcome benefits an organization the most? A) Creating a system where all data protection and privacy issues must be referred to and subsequently solved by the DPO B) Developing divergent perspectives on data protection and privacy while outsourcing or transferring data in the organization C) Instilling a collaborative and proactive approach to embedding data protection and privacy into all parts of the organization D) Raising awareness that outsourcing data protection and privacy creates shared responsibility and accountability for compliance

Answer

A

A) Incorrect. The company would benefit more if the regular communication instilled a culture change concerning data protection and privacy among all employees rather than leave all data protection and privacy problems solely to the DPO. B) Incorrect. The company would benefit more if the regular communication created a common perspective, aligned to the privacy mission statement, instead of divergent perspectives on data protection and privacy across the company. C) Correct. The regular communication with all individuals who are accountable and responsible for privacy and data protection within the organization allows them to better understand each department’s scenarios and challenges and to exchange ideas and suggestions on how to embed privacy and data protection into all systems, services, products and ongoing projects. (Literature: B, Chapter 2.2.2) D) Incorrect. The company would benefit more if the regular communication made all employees understand that they have responsibility and accountability for data protection and privacy of the information under their care, even when the activities or tasks are outsourced.

Question 40

Q

If an organization wants to develop, implement and manage a data protection management system (DPMS) this is done in several phases. The implementation of the DPMS has five phases describing: preparation, organization, development and implementation, governance, and evaluation and improvement. What are the phases of implementing a DPMS comparable to? A) A continual improvement process comparable to the PDCA-cycle B) A guide to the implementation of privacy governance C) An inventory of the data regulations as a preparation for the DPMS D) The impact of privacy regulations, rules and standards

Answer

A

A) Correct. The phases of implementing a DPMS describe a continual improvement process very close to the PDCA cycle. (Literature: A, Chapter 1; B, Chapter 2) B) Incorrect. This refers to phase 4 of the setting up of a DPMS. C) Incorrect. This is describing only a part of the second step of phase 1 (the preparation phase). D) Incorrect. This is describing only step 3 of phase 1.

Question 41

Q

A key element of the GDPR is that an organization must demonstrate compliance. The implementation of a data protection management system (DPMS) can help demonstrate compliance. Which phase of the implementation of a DPMS demonstrates compliance with the GDPR the most? A) Phase 1, the organization prepares for privacy and data protection implementation B) Phase 2, the organizational structures and mechanisms for privacy are established C) Phase 3, data protection and privacy measures are developed and implemented D) Phase 4, privacy governance mechanisms for the organization are established

Answer

A

A) Incorrect. This phase prepares for the implementation but does not include any form of compliance yet. B) Incorrect. This phase is the base for implementation of privacy requirements but does not demonstrate compliance itself. C) Correct. The implementation of procedures, policies and controls demonstrates compliance. (Literature: B, Chapter 2.2; GDPR Article 24(1)) D) Incorrect. This phase is important to stay compliant but requires implementation first.

Question 42

Q

A data protection officer (DPO) develops and implements a data protection and privacy management system (DPMS). The implementation is in phase 3: Data Protection and Privacy Development and Implementation. What must be done first in phase 3? A) Analyze and define the company’s needs and requirements for data protection and privacy B) Investigate employees’ knowledge and understanding of data protection and privacy concepts C) Research the industry's best practices and adapt them to the company’s needs and requirements D) Understand global data protection and privacy law and determine the relevance of that information

Answer

A

A) Correct. The first action is to understand and define the company’s needs and requirements, to establish the goals and objectives for the data protection and privacy strategies, plans and policies. (Literature: B, Chapter 2.2) B) Incorrect. This investigation must be done after analyzing and defining the company's needs and requirements. C) Incorrect. Industry best practices can only be adapted to the company after analyzing and defining the company's needs and requirements. D) Incorrect. Relevance of information can only be determined after analyzing and defining the company's needs and requirements.

Question 43

Q

A personal data breach response plan describes the following actions: - An external provider responds to the breach, provides public relations services and assists in minimizing the damage - The data protection officer (DPO) asks the supervisory authority for support - The processor notifies the business partners and data subjects about the data breach and asks their support Who is most likely to minimize the impact for third parties and data subjects? A) The external provider B) The DPO C) The processor

Answer

A

A) Correct. The external party provides services that are of help to quickly respond to a personal data breach and help minimize the impact for third parties and data subjects. (Literature: B, Chapter 2) B) Incorrect. The DPO must provide information and should be of assistance to the supervisory authority, not the other way around. C) Incorrect. There is no legal obligation for processors to notify business partners about a data breach. Also, the notification to data subjects should only be made (1) when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, and (2) by the controller, and not the processor.

Question 44

Q

Three health institutes work together to develop a mobile app for monitoring patients. Medical staff add their personal data and qualifications to the app, and patients add their personal data including medical data. The health institutes appoint a single data protection officer (DPO). To run a pilot, they need to put the app in app stores. After the app is in app stores, they test the security of the new app. As a safety precaution, the description states that the app is in a pilot phase. Only a few test data subjects download the app, but they use it for real and enter actual data. The test shows that the app is not secure at all. It can easily be hacked. A hacker could change health data of the patients and collect and use the data in unauthorized ways According to the GDPR, what must the DPO do? A) The DPO does not have to act, because the app is in a pilot phase and only a small number of patients is participating. B) The DPO does not have to act, because the impact of the vulnerabilities cannot be qualified as high risk during a pilot phase. C) The DPO must inform the patients and supervisory authority because the app results in a high risk to the patients’ rights and freedoms. D) The DPO must notify the supervisory authority and make sure the app’s security measures are adjusted to the required safety standards.

Answer

A

A) Incorrect. The number of data subjects is irrelevant. The qualification of high risk to the rights and freedoms of natural persons determines the actions to be taken. B) Incorrect. A pilot phase is no excuse for allowing data to be at risk. C) Correct. The controller has taken insufficient measures to ensure the security of the data. The risk is to special category personal data. Therefore, both the supervisory authority and the data subjects should be notified. (Literature: A, Chapter 14; GDPR, Article 33(1) and Article 34(1)) D) Incorrect. Both these actions are wise to take. However, the GDPR specifies the notification to the data subjects and does not specify that the security measures should be adjusted.

Question 45

Q

Compliance with the GDPR can be helped by implementing a systematic incident management regime. What is an outline of an effective incident management process? A) Recognize that an incident has occurred, respond to the immediate and long-term concerns, and track the incident to ensure that the steps taken were effective B) Recognize that an incident has occurred and report the incident to the data protection officer (DPO) to review the data flows and improve the security policies C) Track all incidents that involve personal data, perform a data protection impact assessment (DPIA) to analyze the risks and set up an improvement plan D) Track all instances of personal data processing to retrieve data after an incident more easily and ensure that response activities can be reduced to minimize costs.

Answer

A

A) Correct. This is an outline of an incident management process. (Literature: A, Chapter 14) B) Incorrect. Incidents must be reported to responsible staff. The DPO does not have to review data flows after every incident. C) Incorrect. DPIAs do not have to be done after every incident. D) Incorrect. It is ineffective to track all instances of personal data processing. This answer also misses the steps to respond to an incident and ensure the steps taken were effective.

Question 46

Q

The CEO has asked the privacy team to evaluate the organization in terms of data protection and privacy performance. A benchmark would be a proper way to objectively determine how well the organization is performing. What does the privacy benchmark not cover? A) A survey focused on the organization’s customer satisfaction regarding privacy B) Comparisons across business units or departments regarding privacy compliance C) The current privacy performance of the organization compared to that of one year ago D) The privacy performance of the organization measured against that of similar entities in the industry

Answer

A

A) Correct. A benchmark compares the current situation of the company with that of previous periods or the industry. In this case no comparison is made. Furthermore, not all customers are aware of privacy best practices, or have been exposed to the various privacy practices of your organization. (Literature: B, Chapter 2.2.5) B) Incorrect. The privacy benchmark does help to make comparisons across business units or departments regarding privacy compliance. C) Incorrect. Privacy benchmarking can also be used as a sort of self-assessment to compare the results against previous assessments to identify improvements or areas that may have deteriorated. D) Incorrect. Benchmarking is an objective methodology to compare the organization’s privacy performance with similar entities in the industry and with best practices.

Question 47

Q

An organization wants to use artificial intelligence (AI) and deep learning algorithms in the human resources (HR) department to look at employment relations, create employee capability profiles and define bonuses for individual targets. What must be done first and before implementing this new type of personal data processing? A) Conduct a data protection impact assessment (DPIA) B) Conduct a privacy assessment of the HR department C) Report the processing to the supervisory authority

Answer

A

A) Correct. The processing involves a new technology for profiling and is likely to result in a high risk to the rights and freedoms of natural persons, as it can significantly affect their behavior, activities and rewards at work. (Literature: A, Chapter 5; GDPR Article 35) B) Incorrect. Assessment of business unit compliance with the privacy policies is done on a periodic, unannounced basis, not when implementing a new type of processing. C) Incorrect. This is done after conducting the DPIA and only under certain conditions.

Question 48

Q

According to the GDPR, which activity is always a responsibility of the controller? A) Being responsible for performing a data protection impact assessment (DPIA) B) Contracting a security company for the protection of personal data in transit C) Implementing a new method to collect personal data from the customers D) Maintaining records of the processing activities carried out by the processor

Answer

A

A) Correct. Responsibility for DPIAs falls to the controller and should not be outsourced to a data processor. (Literature: A, Chapter 12; GDPR Article 35) B) Incorrect. This could be the responsibility of the processor, if prior written authorization exists. C) Incorrect. This could be the responsibility of the processor, if prior written authorization exists. D) Incorrect. This element is the responsibility of the processor. The controller maintains a record of the processing activities they control.

Question 49

Q

A hospital outsources its printing of patient invoices to a printing company. The printing company also prints invoices for other organizations. Due to an error, names and addresses were mixed up when they were sorted at the printing company, and a number of invoices were sent to the wrong patients. The hospital had carefully analyzed their own processes. The hospital had a robust verification process in place and has contractual agreements with the printing company. Why will the hospital be held responsible by the supervisory authority? A) Because the contract determines this B) Because the hospital is the controller C) Because the mix-up is between patients D) Because the verification has gone wrong

Answer

A

A) Incorrect. The hospital is accountable because, as the controller, it is subject to the accountability principle, determined by the GDPR. B) Correct. The GDPR states that “The controller shall be responsible [...], paragraph 1(‘accountability’)” for the lawfulness of processing. The controller will be held responsible and accountable by the supervisory authority, whatever contract may be in place between controller and processor. The controller should only use processors that provide sufficient guarantees that they implement appropriate technical and organizational measures. (Literature: A, Chapter 12; GDPR, article 5 (2)) C) Incorrect. It does not matter that the data subjects all belong to the same controller. Who is the controller is relevant here. D) Incorrect. There is nothing to indicate the verification went wrong. The supervisory authority will always hold the controller responsible.

Question 50

Q

When a controller and a processor sign a contract for the processing of personal data, they both have specific responsibilities. Some of these responsibilities are prescribed by the GDPR and others can be arranged in the contract. According to the GDPR, when does the processor always need written authorization by the controller? A) When the processor contracts a company to protect data during transfers B) When the processor contracts a third party to process personal data C) When the processor implements a new method to collect personal data D) When the processor implements a new method to delete personal data

Answer

A

A) Incorrect. This element is or might be at the determination of the processor according to the contract, as it is not clearly defined by the GDPR. B) Correct. This engaging of another processor cannot be done without the prior specific or general written authorization of the controller. (Literature: A, Chapter 12; GDPR Article 28(2)) C) Incorrect. This element is or might be at the determination of the processor according to the contract, as it is not clearly defined by the GDPR. D) Incorrect. This element is or might be at the determination of the processor according to the contract, as it is not clearly defined by the GDPR.

Question 51

Q

Who has the legal obligation to keep records of processing activities? A) The chief information officer B) The chief privacy officer C) The controller and processor D) The data protection officer (DPO)

Answer

A

A) Incorrect. The chief information officer has the overall responsibility for information technology and information management. B) Incorrect. The chief privacy officer should create engagement for GDPR compliance within the organization. C) Correct. Both controller and processor are required to keep a record of all processing activities. (Literature: A, Chapter 12; GDPR Article 30) D) Incorrect. Although in practice it is the DPO that creates inventories, holds a register of processing activities and has been given the responsibility to maintain these records, this is done under the legal obligation of the controller or processor.

Question 52

Q

A North American organization based in the European Economic Area (EEA) processes personal data of natural persons. It processes ethnicity data on a large scale. According to the GDPR, an organization is required to appoint a data protection officer (DPO) in three specific cases. In this case, for what reason is it mandatory for this organization to appoint a DPO? A) Foreigners’ personal data are processed B) Personal data are processed in a third country C) Personal data of minorities are processed D) Special categories of personal data are processed on a large scale

Answer

A

A) Incorrect. This is not one of the three basic conditions specified in the GDPR. B) Incorrect. This is not one of the three basic conditions specified in the GDPR. C) Incorrect. This is not one of the three basic conditions specified in the GDPR. D) Correct. This is one of the cases specified in the GDPR, when the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9. Ethnic or racial data is specifically mentioned in Article 9 of the GDPR. The other two conditions are: (1) processing is carried out by a public authority or body, except for courts acting in their judicial capacity, (2) processing that requires regular and systematic monitoring of data subjects on a large scale. These three basic conditions apply to both controllers and processors. (Literature: A, Chapter 2; GDPR Article 9 and Article 37)

Question 53

Q

A data protection officer (DPO) works for the Ministry of Transportation, which is a national department. A new project is announced to monitor people's driving behavior on the national highways. The Ministry wants to use an intelligent video analysis system to single out cars and automatically recognize license plates. The state secretary is in a hurry to get the project started and worries that privacy issues might cause unwelcome delays. What should the DPO do? A) Ask the state secretary to contact the supervisory authority, because this is clearly outside the DPO’s scope B) Assure the state secretary that a data protection impact assessment (DPIA) is unnecessary, if data subjects are informed of the data processing C) Inform the state secretary that a DPIA is mandatory for the large-scale monitoring of a public space D) Urge the state secretary to reconsider the project because mass surveillance data processing is prohibited

Answer

A

A) Incorrect. A DPO should be sufficiently qualified to discuss this. B) Incorrect. Informing data subjects will not exempt an organization from the responsibility to do a DPIA. C) Correct. The project demands systematic monitoring of a publicly accessible area on a large scale, and this is one of the three mandatory scenarios for performing a DPIA. (Literature: A, Chapter 5; GDPR Article 35(3)(c)) D) Incorrect. Monitoring, surveillance and profiling are not prohibited, as long as people’s rights and freedoms are sufficiently protected.

Question 54

Q

Data protection officers (DPOs) are bound by secrecy or confidentiality concerning the performance of their tasks. In relation to which party is the DPO exempted from this secrecy or confidentiality to seek advice? A) The board of directors of the company B) The data protection and privacy network members team C) The information security officer (ISO) D) The supervisory authority

Answer

A

A) Incorrect. Being easily accessible does not mean that the DPO should ask for advice of board members. The DPO should fulfill an independent role. B) Incorrect. Being easily accessible does not mean that the DPO should ask for advice of the data protection and privacy network members' team. C) Incorrect. Being easily accessible does not mean that the DPO should ask for advice of the ISO. D) Correct. The obligation of secrecy and or confidentiality does not prohibit the DPO from contacting and seeking advice from the supervisory authority. (Literature: A, Chapter 2; GDPR Article 36 and Article 39(1)(e))

Question 55

Q

A data protection impact assessment (DPIA) is a tool to identify data protection risks, especially the ones which are likely to highly affect the rights and freedoms of natural persons. Why can the DPIA be seen as part of an organization's wider risk management? A) Because the DPIA assesses all security risks of the organization under review and replaces any other risk assessment or risk management B) Because the DPIA assesses risks by the likelihood and severity of the risk, similar to other well-defined components of risk management C) Because the DPIA is mandatory for each project, according to the GDPR, which reduces all other legal requirements for risk management

Answer

A

A) Incorrect. A DPIA only focuses on personal data protection and privacy risks. B) Correct. This is the link between DPIA and risk management. (Literature: A, Chapter 2; GDPR Recital 90) C) Incorrect. A DPIA is not always required and it does not diminish needs for other risk management.

Question 56

Q

According to the GDPR, what should always be part of a data protection impact assessment (DPIA)? A) Develop a subject access request procedure to ensure compliance with data subjects’ rights B) Identify the personal data that are processed and the intended purposes of the processing C) Notify the data subjects that an assessment will take place and request their explicit consent D) Set up an incident response plan and define appropriate safeguards to avoid data breaches

Answer

A

A) Incorrect. This is a possible measure, based on the outcome of a DPIA. B) Correct. Every DPIA should start with a description of the intended processing and the purposes of the processing. (Literature: A, Chapter 8; GDPR, Article 35(7)(a)) C) Incorrect. Consent is not required to do a DPIA. D) Incorrect. This is a possible measure, based on the outcome of a DPIA.

Question 57

Q

An organization develops a new product to find underperforming employees. They search their internet history and analyze work behavior using artificial intelligence (AI). Although the software engineers do not fully understand the algorithm, management decides to fire the bottom 10% employees. The data protection officer (DPO) is concerned about the impact of this product and informs the board that a data protection impact assessment (DPIA) is required. What is not part of the reason why a DPIA is mandatory? A) The automation of the personal data processing B) The evaluation that may affect the data subjects significantly C) The processing of special categories of personal data D) The systematic monitoring of personal aspects of natural persons

Answer

A

A) Incorrect. This is a reason for a DPIA being mandatory. B) Incorrect. This is a reason for a DPIA being mandatory. C) Correct. While the system will be collecting personal data, these data are not considered special categories of data. (Literature: A, Chapter 8; GDPR Article 35) D) Incorrect. This is a reason for a DPIA being mandatory.

Question 58

Q

What is not an outcome of a data protection impact assessment (DPIA)? A) A log of access to confidential data, with an automated authorization check B) A record of data subjects’ views on the intended processing operations C) A systematic description of the intended processing operations D) An assessment of risks to the rights and freedoms of data subjects

Answer

A

A) Correct. This is not an outcome of a DPIA, but is an ongoing activity performed by information security. (Literature: A, Chapter 8 and Chapter 3; GDPR Article 35) B) Incorrect. This is a possible outcome of the DPIA. C) Incorrect. This is a possible outcome of the DPIA. D) Incorrect. This is a possible outcome of the DPIA.

Question 59

Q

The GDPR details what the output of a data protection impact assessment (DPIA) must contain at a minimum. What is not mandatory in a DPIA? A) A description of the processing and its purposes B) An assessment of the necessity and proportionality of the processing operations in relation to the purposes C) An assessment of the risks to the rights and freedoms of data subjects D) The advice of the supervisory authority

Answer

A

A) Incorrect. This is a mandatory part of the DPIA. B) Incorrect. This is a mandatory part of the DPIA. C) Incorrect. This is a mandatory part of the DPIA. D) Correct. It is not always mandatory to consult with the supervisory authority, and it is not mandatory to include a log of the advice in the DPIA. (Literature: A, Chapter 5; GDPR Article 35(7) and Article 36(1))

Question 60

Q

A data protection impact assessment (DPIA) shows that the intended processing involves collecting more data on individual customers than is necessary to achieve the intended purpose. According to the GDPR, what is the most appropriate response? A) Anonymize the data as soon as possible B) Introduce a training and awareness program C) Limit the period of time for which the data is stored D) Reduce the amount of data collected

Answer

A

A) Incorrect. This is a mitigating risk measure, but the unnecessary data are not allowed to be processed in the first place. B) Incorrect. This is a mitigating risk measure, but the unnecessary data are not allowed to be processed in the first place. C) Incorrect. This is a mitigating risk measure, but the unnecessary data are not allowed to be processed in the first place D) Correct. This implements the principle of data minimization and reduces the risks for the data subjects. (Literature: A, Chapter 8; GDPR 5(1))

Question 61

Q

What is best done first, before starting a data protection impact assessment (DPIA)? A) Determining measures to address the identified risks B) Determining whether there is a need for a DPIA C) Identifying the risks to the rights and freedoms of data subjects

Answer

A

A) Incorrect. This is part of a DPIA and done after determining the need for one. B) Correct. The organization needs to determine whether the law requires a DPIA or if the needs of the organization demand one. (Literature: A, Chapter 5; GDPR Article 35(7)) C) Incorrect. This is part of a DPIA and done after determining the need for one.

Question 62

Q

A company performs a data protection impact assessment (DPIA). Why is data mapping useful for a DPIA? A) It assesses all organizational risks to privacy. B) It helps to gain an overview of the personal data in use. C) It helps to inform all relevant parties.

Answer

A

A) Incorrect. Data mapping does not assess risks. B) Correct. Data mapping identifies data in use. Mapped data flows help to identify potential risks that must be assessed. (Literature: A, Chapter 7) C) Incorrect. Data mapping is not used to inform parties.

Question 63

Q

A privacy expert is hired by an organization. They wish to outsource part of their data processing activities. The expert performs a data protection impact assessment (DPIA) on the processing that involves a data processor. One of the main steps of a DPIA requires the controller to provide all the input and does not require the processor to be involved. Which step is that? A) Assessment of the necessity and proportionality of the processing B) Assessment of the risks to the rights and freedoms of data subjects C) Mitigating measures to address the risks, including safeguards D) Systematic descriptions of the intended processing operations

Answer

A

A) Correct. This is the responsibility of the controller and does not involve the processor. (Literature: A, Chapter 12) B) Incorrect. Input is needed from the processor on potential risks. C) Incorrect. Input is needed on the mitigating measures taken by the processor. D) Incorrect. To make a full description, input from the processor is needed.

Question 64

Q

A large company is struggling financially. The board wants employees to work more efficiently. The board starts an experiment in which the internet activities of the employees are monitored. The data are analyzed to see where more efficiency can be achieved. People categorized as inefficient might be dismissed. Why must a data protection impact assessment (DPIA) be done before using the new procedure? A) Because a large company has many employees. Therefore, the processing will be large scale. B) Because it is an experiment. A DPIA is required for new and experimental processing activities. C) Because it is systematic processing. The decisions might significantly affect the employees.

Answer

A

A) Incorrect. The large scale may be of influence but is not a criterion by its own. Large scale monitoring in a public space would be a criterion. However, the company is not a public space. B) Incorrect. It is irrelevant whether it concerns an experiment or an ordinary processing activity. C) Correct. This is defined as one of the three cases in which a DPIA is mandatory. (Literature: A, Chapter 5; GDPR Article 35(3)(b))

Answer 65

A

A) Incorrect. For processing activities involving automated decision making, including profiling, a DPIA is always required. B) Correct. The risks automated decision-making brings with it need special attention. How to mitigate the risk should be carefully described. A mitigation could be to allow human intervention. (Literature: A, Chapter 5; GDPR Article 35) C) Incorrect. Data need to be secured in general, but data subjects have the right of access. D) Incorrect. This is part of a DPIA, but it is not most appropriate for specific attention if automated decisions are made.

Answer 66

A

A) Incorrect. This is a personal data breach involving special category personal data. B) Incorrect. The accidental loss of any personal data, and especially special category personal data, is also considered a personal data breach. C) Incorrect. Even if the incident is caused by a natural disaster or force majeure, this must be considered a personal data breach. D) Correct. This is a data breach, but no personal data are compromised. It is not a personal data breach. (Literature: A, Chapter 3; GDPR Article 4(12))

Answer 67

A

A) Incorrect. The timeframe in which the incident is resolved is unimportant. B) Incorrect. A threat is not enough. A notification is only mandatory when a personal data breach occurred, that is likely to result in a risk to the rights and freedoms of natural persons. C) Incorrect. The incident management process may be unable to identify the incident within 72 hours. The GDPR states that personal data breaches must be reported "without undue delay and where feasible not later than 72 hours after having become aware of it". D) Correct. Notification to the supervisory authority is mandatory for incidents involving personal data, that are likely to result in a risk to the rights and freedoms of natural persons. (Literature: A, Chapter 14; GDPR Article 33(1))

Answer 68

A

A) Incorrect. Only personal data breaches that result in a high risk to the rights of data subject must be reported. Although it can be good practice to report all personal data breaches to avoid breaking the law, this is not mandatory. B) Incorrect. The data subjects’ rights are not at risk, so they do not need to be informed. It is not the supervisory authority’s task to inform the data subjects. C) Incorrect. The legitimate interest of the company is a legal ground for processing. It does not relate to personal data breaches and how these must be reported. D) Correct. The strong encryption and backup are enough to guarantee the confidentiality and availability of the personal data. Therefore, this data breach is unlikely to result in a risk to the rights and freedoms of natural persons. It is not mandatory to report this data breach to the supervisory authority. (Literature: A, Chapter 14; GDPR Article 33(1))

Answer 69

A

A) Correct. Data subjects should be informed if the personal data breach poses a high risk to their rights and freedoms. (Literature: A, Chapter 14; GDPR Article 34(1)) B) Incorrect. Only personal data breaches that pose a high risk must also be reported to the data subjects. C) Incorrect. The 72 hours are the timeframe within which the personal data breach should be reported to the supervisory authority. Not all personal data breaches must be reported to the data subjects. D) Incorrect. Notification does not depend on the underlying cause of the personal data breach.

Answer 70

A

A) Incorrect. An audit control plan is not documented in the incident response process. B) Incorrect. A DPIA is not documented in the incident response process. C) Correct. Throughout the incident response process, evidence should be gathered and preserved to provide a clear picture of what happened and why the organization was unable to prevent the incident. (Literature: A, Chapter 14) D) Incorrect. A system recovery plan is not documented in the incident response process.

Answer 71

A

A) Correct. One of the responsibilities of DPAs is to provide general advice on how to comply with the regulations. See: Course slides 46 (day 2A) Responsibilities (powers) and tasks of the AP . B) Incorrect. A DPA will give general advice on what they consider an appropriate level of security. They will however not tell you what specific measures you need to take to achieve that level. Even if they want to they would not be able to, because there simply is no one-size-fits-all solution. C) Incorrect. DPAs don’t have the obligation, nor the capacity to investigate all breaches they know of. But they will investigate those they deem significant or noteworthy. D) Incorrect. A DPA is not a legal council. They don’t review contracts or Binding Corporate Rules. However in the course of an investigation they might take a look at a specific contract or set of BCRs.

Answer 72

A

A) Incorrect. Religious associations are permitted to process personal data relating to their former and current members, but it is not lawful to transfer personal data out of the EU in response to a legal requirement from a third country. B) Correct. See: https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-4-cross-border-data- transfers; GDPR art. 48. C) Incorrect. It is not lawful to transfer personal data out of the EU in response to a legal requirement from a third country, not even with consent of the data subject. D) Incorrect. Processing of sensitive data outside EU can be lawful, but not in response to a request from a third country government.

Answer 73

A

A) Correct. The ruling is an adequacy decision in accordance with the GDPR regarding processing in 3rd countries. See: GDPR recitals 104 and 106. B) Incorrect. An exception is about transfers essential to respond to terrorist offences or serious crimes (art. 11) C) Incorrect. The ruling is an adequacy decision in accordance with the GDPR regarding processing in 3rd countries. D) Incorrect. The ruling is an adequacy decision in accordance with the GDPR regarding processing in 3rd countries.

Answer 74

A

C) They avoid the need to approach each Data Protection Authority in the EU separately. A) Incorrect. BCRs are drafted so organizations do not have to use written underpinning contracts for each affiliate separately. B) Incorrect. BCRs are valid within an organization and all its affiliates only. They do not apply to other parties. C) Correct. Once BCRs are approved by one DPA inside the EU you don’t have to ask the other DPAs inside the EU to approve them anymore. See: Course slides 79-81(day 2A) Binding Corporate Rules. D) Incorrect. BCR must be authorized by a DPA too.

Answer 75

A

A) Incorrect. This is a direct obligation of the GDPR to processors. B) Incorrect. This is a direct obligation of the GDPR to processors. C) Incorrect. This is a direct obligation of the GDPR to processors. D) Correct. This is a direct obligation of the GDPR to processors. Source: GDPR art. 22 (3).

Answer 76

A

C) The Controller and Processor must draft and sign a written contract guaranteeing the confidentiality of the data.

A) Incorrect. You don’t have to ask the DPA for permission for each instance of outsourcing.
B) Incorrect. The DPA is not a legal council and will not check contracts for compliance.
C) Correct. There must be a written contract guaranteeing the confidentiality of the data in which the Controller defines the goals and means of processing. Both parties must sign this contract. See: Course slide 17-26 (Day 2A) Written contract between the Controller and the Processor.
D) Incorrect. An SLA is not enough as it will focus on operations, not necessarily on defining goals.

Answer 77

A

A) Incorrect. This is an aspect of End-to-End Security – Lifecycle Protection, one of the other six basic principles.
B) Incorrect. Privacy by Design rejects the approach that Privacy has to compete with other legitimate interests, design objectives, and technical capabilities. All objects need to be accommodated in a positive-sum “win-win” manner.
C) Correct, this is the essence. See: Cavoukian, Ann. 2011. Privacy by design, the 7 principles. (https://www.iab.org/wp-content/IAB uploads/2011/03/fred_carter.pdf)
D) Incorrect. This is an aspect of ‘privacy embedded into design’, one of the other six basic principles.

Answer 78

A

A) Privacy can’t be guaranteed without identifying, implementing, and monitoring proper information security measures.

A) Correct. Privacy and Data Protection are about guaranteeing confidentiality of personal data a.o. This requires the implementation of security measures. See: Course slide 22 (Day 2B) Reliability requirements.
B) Incorrect. The DPA does not expect these roles to be integrated at all.
C) Incorrect. The regulations specify goals that must be met, but no specific measures that must be taken.

Answer 79

A

A) Incorrect. This aspect may strengthen the confidence of management, but not customers or citizens.
B) Incorrect. Preventing fines may strengthen the confidence of management, but not customers or citizens.
C) Correct. See: Course slide 20 (day 2B) Most important objectives of a DPIA 2.

Answer 80

A

A) Incorrect. The audit is not the implementation of the measures, but an assessment of their effectiveness.
B) Correct. According to GDPR art 57.1(a) this is an important task of the DPA as supervising authority.
C) Incorrect. The DPA has the task to monitor compliance and to advice on enhancements, but its purpose is not to protect the controller.

Answer 81

A

A) Incorrect. As a matter of fact the GDPR states the data collected must be adequate, implying it does not have to be the absolute minimum.
B) Correct. This is the very definition of data minimization (article 5.1.c). It is aimed at making sure only the data needed to achieve the defined goals are collected. See: Course slide 4 (day 2B) Data life cycle management and data minimisation.
C) Incorrect. Storage size has nothing to do with this principle.
D) Incorrect. DPAs do not set an upper limit on the number of items collected as long as they are limited to those needed to achieve the defined goals.

Answer 82

A

A) It contains information on what you are doing, for instance the products you select in a webshop before you actually order. A) Correct. A session cookie is kept in memory to save information on the session. It is erased when you close the session. See: http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm B) Incorrect. A session cookie is erased when you close the session, so it cannot be used in a next session. C) Incorrect. A session cookie is erased when you close the session, so it cannot be used in a next session. D) Incorrect. A session cookie is erased when you close the session, so it cannot be used in a next session.

Answer 83

A

A) Yes`

A) Correct. The website has the obligation to notify the visitor that their information is being used for marketing purposes. They have the right to object to processing of personal data concerning him or her for marketing purposes. See: Course slide 37 (day 2B) Resistance direct marketing.
B) Incorrect. The website has the obligation to notify the visitor that their information is being used for marketing purposes. They have the right to object to processing of personal data concerning him or her for marketing purposes.

Answer 84

A

A) Incorrect. Just posting information about the company does not make you an expert in a field.
B) Correct. Answering (and actively answering) questions about a specific product on social media could make your company an expert. See: https://blog.kissmetrics.com/social-media-after-sale/
C) Incorrect. This is just bragging about how good your product is (and maybe it is not).
D) Incorrect. This is just showing that you as a company are developing new products and yes, it can help improve sales but it does not make the company an expert.

Answer 85

A

A) Correct. The data breach notification obligation as laid down in the Dutch Data Protection Act. See: Course slide 85 and further (day 2B) Personal data breach notification obligation.
B) Incorrect. A PIA is conducted when designing personal data processing operations.
C) Incorrect. The controller must first ascertain whether the incident is a data breach that needs to be reported.
D) Incorrect. The controller must first ascertain whether the incident is a data breach that needs to be reported.

Answer 86

A

A) Incorrect. Privacy is a right, data protection is the means to ensure it.
B) Correct. See: UN Universal Declaration of Human Rights 1984. art. 12. And http://gilc.org/privacy/survey/intro.html.
C) Incorrect. Privacy is a right, data protection is the means to ensure it.
D) Incorrect. Privacy is a right, data protection is the means to ensure it.

Answer 87

A

A) Incorrect. Directive 2002/58/EC amends some parts of Directive 97/66/EC.
B) Incorrect. This directive is about the retention of data collected for instance by internet providers.
C) Correct. This replacement is mentioned in the (sub)title of the regulation. Source: GDPR.
D) Incorrect. This Directive complements directive 95/46/EC to ensure an equivalent level of protection of fundamental rights and freedoms in the member states.

Answer 88

A

A) Incorrect. It has to be provided in a structured, commonly used and machine-readable format, but not necessarily in any format the Data Subject specifies.
B) Correct. However only the first copy has to be provided free of cost. See Course slide 32 (day 2A) Rights Data Subject
C) Incorrect. Only erroneous data has to be rectified.
D) Incorrect. Article 17 gives some exceptions to this like when the data is needed for the establishment, exercise or defense of legal claims.

Answer 89

A

A) Correct. An appointment with a medical specialist is ‘personal data concerning health’. See GDPR art. 9.1.
B) Incorrect. An IBAN is data uniquely related to a person, i.e. personal data. But not sensitive personal data according to GDPR art. 9.
C) Incorrect. A scientific journal for politics is not ‘personal data revealing political opinions, religious or philosophical beliefs’ and as such not sensitive personal data according to GDPR art. 9.
D) Incorrect. Only trade union membership and other personal data ‘revealing (…) political opinions, religious or philosophical beliefs’ is sensitive personal data according to GDPR art. 9.

Answer 90

A

A) Correct. Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. See: Course slide 5 (day 2A) Controller.
B) Incorrect. The GDPR defines the DPO as “A person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation.”
C) Incorrect. The Processor is the person or organization that processes personal data, but not necessarily the one who determines the why and how.

Answer 91

A

A) Incorrect. Any statement about an identifiable natural person is personal data according to the GDPR.
B) Correct. See: GDPR art.4(1).
C) Incorrect. Any statement about an identifiable natural person is personal data according to the GDPR.

Answer 92

A

C. The period for which the personal data will be stored.

Answer 93

A

B It is not lawful to transfer personal data out of the EU in response to a legal requirement from a third country.

Answer 94

A

D Data protection by design and by default.

Answer 95

A

A Any information relating to an identified or identifiable natural person.

Answer 96

A

A Up to €20,000,000 or 4% of the company’s worldwide annual turnover.

Answer 97

A

A When the data controller exercises its right to process personal data under ‘legitimate interest’ and provides a Data Privacy Notice to the data subject.

Answer 98

A

A Mailing a letter.

Answer 99

A

C Biometric data

Answer 100

A

A. Fair and Accurate Credit Transactions Act (FACTA)

Answer 101

A

B. European ownership of the organization very important to know as a privacy professional the EU laws are something to look into (as will the laws in other countries that follow be).

In the US there are still restrictions on processing data on European citizens, regardless of country of ownership, so B is the correct answer

Answer 102

A

A. Ensure legal compliance with E.U. data protection laws

Answer 103

A

A. European companies can freely develop and share demographic databases with U.S. companies

Answer 104

A

A. Have become the foundation of most data protection laws around the world today

Answer 105

A

a. A percentage of the company’s revenues worldwide

Answer 106

A

c. 2013 Snowden disclosures

Answer 107

A

d. All of the above

Answer 108

A

b. Privacy Shield Framework

Answer 109

A

a. Commitments by U.S. companies and U.S. authorities

Answer 110

A

b. Detailed explanations of U.S. laws

Answer 111

A

d. All of the above

Answer 112

A

c. U.S. Federal Trade Commission

Answer 113

A

d. All of the above

Answer 114

A

d. a and b

Answer 115

A

c. Standard Contract Clauses (SCCs)

Answer 116

A

d. All of the above

Answer 117

A

a. U.S. company agrees contractually to comply with EU law and submit to the authority of an EU privacy supervisory agency

Answer 118

A

d. All of the above

Answer 119

A

c. Obtain confirmation from the data controller they hold personal information of the data subject

Answer 120

A

d. All of the above

Answer 121

A

b. The 2013 Snowden disclosures invalidated the privacy practices of the U.S.

Answer 122

A

d. All of the above

Answer 123

A

c. Binding contractual clauses and Privacy Shield do not provide adequate protection from U.S. government surveillance practices

Answer 124

A

A. International branches or contractors are responsible for inappropriate uses of sensitive information.

Answer 125

A

B. Determine the risks associated with a new operation

Answer 126

A

C. Social Security Numbers

Answer 127

A

To monitor compliance with the GDPR 
• Advise controller and processors 
• Manage risk 
• Cooperate with supervisory authorities
 • Communicate with data subjects and supervisory authorities 
• Exercise professional secrecy

Answer 128

A

U.S. company offers a consumer cloud service in the EU

U.S. company expresses its intention to deal with EU users (e.g., offering services via a European domain, local currency payment, shipment to the EU, local telephone hotline numbers)
“U.S. company (Company A, the processor) offers data hosting services to another U.S. company (Company B, the controller). At face value, this arrangement would not be caught by the GDPR. However, if Company B (the controller) also acts on behalf of other legal entities within a group, and if personal data is transferred from these group legal entities to Company A (the processor), the arrangement may be caught by the GDPR. If one such group legal entity has an establishment in the EU (see no. 2 above), the GDPR comes into play via Article 3, Section 1.”
The processor is a sub-processor of a principal processor based in the EU

Answer 129

A

Definitions of key terms and concepts (e.g., controller)
No definition of sensitive data under the CCPA
No private right of action—except for data breaches—under the CCPA

Answer 130

A

A staff member or contractor tasked with ensuring and demonstrating compliance with EU data protection law; an expert in data protection law and practices.

Answer 131

A

D. Adequacy decision

Answer 132

A

B. Department of Commerce

Answer 133

A

Communication with/involvement of the DPO in all issues related to personal data protection

DPO access to personal data and processing operations
Resources to help carry out tasks
Safeguards to enable the DPO to perform tasks independently
DPO reports to the highest levels of management

Answer 134

A

C. has laws about individual rights that are similar to those of the EU Data Protection Directive

D. has no limitations on transfers with countries in the European Economic Area

Answer 135

A

A. the US

Answer 136

A

D. all of the above

Answer 137

A

B. the EU

Answer 138

A

B. a third party to whom data is sent

Answer 139

A

B. a listing of publicly available information

Answer 140

A

C. the EU limits transmission of data with other countries while the US does not

Answer 141

A

C. transparency

Answer 142

A

A. To promote universal cooperation among privacy authorities

Reference: https://en.wikipedia.org/wiki/Global_Privacy_Enforcement_Network

Answer 143

A

B. Industries may not be strict enough in the creation and enforcement of rules

Answer 144

A

A. Fair and Accurate Credit Transactions Act

Answer 145

A

B. European ownership of the organization very important to know as a privacy professional the EU laws are something to look into (as will the laws in other countries that follow be). In the US there are still restrictions on processing data on European citizens, regardless of country of ownership, so B is the correct answer

Answer 146

A

Performance of a contract

Answer 147

A

B. A fine of up to €20m or 4% of the total worldwide annual turnover

Answer 148

A

D. All of the above

Answer 149

A

A. A certification body accredited by the supervisory authority

Answer 150

A

D. All of the above

Answer 151

A

A. The obligation to be able to demonstrate compliance with the GDPR

Answer 152

A

D. The supervisory authority must be notified of all breaches, unless the controller can demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of natural persons

Answer 153

A

B. A security incident leads to the accidental loss of personal data

Answer 154

A

D. The results of the Data Protection Impact Assessment indicate that the processing involves a high risk that cannot be mitigated by the controller

Answer 155

A

C. Notifying the recipients would involve disproportionate effort

Answer 156

A

C. The breach is likely to result in a high risk to the rights and freedoms of the data subject

Answer 157

A

D. All of the above

Answer 158

A

A. The data subject, the recipients of the personal data and the supervisory authority

Answer 159

A

D. Processing for the establishment, exercise or defense of legal claims

Answer 160

A

B. The controller/processor must disclose the records on request of the supervisory authority

Answer 161

A

C. A description of the technical and organizational security measures

Answer 162

A

C. Data protection by design

Answer 163

A

A. Integrity and confidentiality

Answer 164

A

D. The controller

Answer 165

A

B. The transfer is demanded by a US presidential order

Answer 166

A

A. The establishment, exercise or defense of legal claims

Answer 167

A

A. The right to rectification

Answer 168

A

C. Processing by churches and religious associations

Answer 169

A

A. Data concerning a person’s health

Answer 170

A

B. The data subject has made the data public

Answer 171

A

D. Data subject

Answer 172

A

A. Accuracy

Answer 173

A

B. Storing anonymised personal data

Answer 174

A

C. Processing

Answer 175

A

C. Anonymized personal data

Answer 176

A

A. Article 2 Material scope

Answer 177

A

B. Processing of personal data wholly or partly by automated means

Answer 178

A

D. Recitals

The GDPR consists of two components: the articles and recitals.
The articles constitute the legal requirements organizations must follow to demonstrate compliance.The recitals provide additional information and supporting context to supplement the articles.

Answer 179

A

A. European Data Protection Board

The European Data Protection Board (EDPB) is an independent European body which shall ensure the consistent application of data protection rules throughout the European Union. The EDPB has been established by the General Data Protection Regulation (GDPR).

Answer 180

A

B. Controller

Answer 181

A

D. Regulation

EU treaties and EU regulations are directly applicable. They do not need any other acts of parliament in the member state to make them into law. Therefore, once a treaty is signed or a regulation is passed in Brussels by the Council of Ministers, it instantly becomes applicable in all member states.

Answer 182

A

C. Universal Declaration of Human Rights

Answer 183

A

A. EU Charter of Fundamental Rights

Answer 184

A

D. General Data Protection Regulation (EU)

The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA).

Answer 185

A

A. HR and recruitment

A DPIA is required at least in the following cases: a systematic and extensive evaluation of the personal aspects of an individual, including profiling; processing of sensitive data on a large scale; systematic monitoring of public areas on a large scale.

The EDPB advises that high risk processing areas that may necessitate a DPIA are processing that involves new technologies or AI, genetic or biometric data, decisions made which are based on automated processing including profiling of data subjects, any large scale processing or combination of data from different data.

Answer 186

A

B.Inform the relevant stakeholders that the platform should not be used until Bicsma and the provider sign a legally binding agreement.

The correct answer is B.

The GDPR requires controllers to conclude binding agreements with all their processors. It is true that the U.S. has obtained an adequacy decision, the scope of which is limited to those U.S. organisations that comply with the Privacy Shield. It is also true that the GDPR regards personal data transfers under an adequacy decision as intra-EEA transfers. Yet the controller’s obligation to conclude legally binding agreements with its processors applies to all controller-processor relationships. The GDPR contains no specifications on the binding agreement:it may be drawn up either by the processor or the controller, and it may be a standard document which the controller accepts when accepting the terms of use. The only important point is that the agreement must be binding and must address all the requirements set out in Article 28 of the GDPR.The GDPR mandates that non-EU controllers and processors who process the personal data of individuals who are in the EU appoint a representative in the EU. Yet responsibilities for compliance with the GDPR cannot be transferred to the representative and having a representative is no guarantee for a controller’s or processor’s GDPR-compliance. Similarly, a processor’s data protection policy does not guarantee that the processor will process personal data in line with the GDPR.

Answer 187

A

B.‘Risk capacity’ refers to the amount of risk an organization needs to take in order to achieve its strategic objectives.

Risk appetite is the level of risk that an organization is prepared to accept in pursuit of its objectives, before action is deemed necessary to reduce the risk. It represents a balance between the potential benefits of innovation and the threats, that change inevitably brings.

Risk tolerance is the degree of risk or uncertainty that is acceptable to an organization.Risk capacity, unlike tolerance, is the amount of risk that the investor “must” take in order to reach their financial goals

Answer 188

A

D) a privacy offense

A) Incorrect. A content related offense concerns dissemination of racist statements, (child) pornography or information inciting violence.
B) Incorrect. Economic offenses relate to unauthorized access to systems (hacking, distribution of viruses, etc.) computer espionage, -forgery, and -fraud.
C) Incorrect. Intellectual property offenses pertain to violations of copyright and related rights.
D) Correct. Any illegal processing of personal data is an offense

Answer 189

A

D) You cannot have privacy without data protection.

A) Incorrect. Privacy spans a lot of concepts like spatial, relational, bodily and information privacy. Data protection has no relation to some of these.
B) Incorrect. Privacy spans a lot of concepts like spatial, relational, bodily and information privacy. Data protection helps to guarantee some of these.
C) Incorrect. Data protection for example has nothing to do with spatial privacy.
D) Correct. Within the confines of my home I can have lots of privacy, without any data protection at all. See Course slides8-9 (day 1)

Answer 190

A

D) To strengthen and unify data protection for individuals within the EU.

A) Incorrect. The GDPR is a regulation, meaning it will repeal the data protection laws in the member states.
B) Incorrect. Its main objective is aimed at defining the data protection rights of individuals within the EU.
C) Incorrect. The GDPR does explicitly state data protection is a fundamental right, but its scope is limited to individuals within the EU.
D) Correct. The scope of the GDPR is limited to data protection as a right of individuals within the EU and aims to harmonize the rules for that within the EU. See:Course slide 24(day 1) European legislation on data protection.

Answer 191

A

A) any information relating to an identified or identifiable natural person

A) Correct. This is the official definition of the data protection. See: GDPR2016/679 Article 4: definition.
B) Incorrect. This definition is too generic.
C) Incorrect. This is the definition of sensitive data not of generic personal data.
D) Incorrect. This is the definition of information security from ISO/IEC 27000:2014.

Answer 192

A

B) trade union membership

A) Incorrect. Credit card details are not sensitive data according to the GDPR.
B) Correct. Membership of a trade union is sensitive data. See: GDPR art. 9 and Special categories of personal data, Course slide 58.
C) Incorrect. Passport details are not sensitive data according to the GDPR.
D) Incorrect. A social security number is not sensitive data ac

Answer 193

A

A) any operation that can be performed on personal data

A) Correct. See:GDPR art.4 (2)
B) Incorrect.‘Processing’ means any operation which is performed on personal data.
C) Incorrect.‘Processing’ means any operation which is performed on personal data.
D) Incorrect.‘Processing’ means any operation which is performed on personal data.

Answer 194

A

C) Supervisory / Data Protection Authority

A) Incorrect. See:GDPR2016/679, Article 4.
B) Incorrect. See:GDPR2016/679, Article 4.
C) Correct. See:GDPR2016/679, Article 4 and Article 51.
D) Incorrect. See:GDPR2016/679, Article 4.

Answer 195

A

A. Social Security number
B. Bank account number
C. Driver’s license number
F. Medical history

Answer 196

A

D. Adequacy decision

Answer 197

A

B. Department of Commerce

Answer 198

A

A. Data portability
B. Rectification of inaccurate or incomplete personal data
C. Erasure
D. Restriction of processing

Answer 199

A

A. Data portability
B. Rectification of inaccurate or incomplete personal data
C. Erasure
D. Restriction of processing

Answer 200

A

C. The right to respect for an individual’s privacy and family life.

Brainscape's Knowledge GenomeTM

Ch. 14 GDPR and International Privacy Quiz Flashcards

Brainscape's Knowledge Genome^TM