Baixe o app para aproveitar ainda mais
Prévia do material em texto
1 Licensed to Equipe TI divisaox@gmail.com Reference Solution for pdpf.vce 000-000 PDPF EXIN Privacy and Data Protection Foundation TestGuide4U (ExamGuidesForIT) Check Out Our Site at: www.e-junkie.com\TestGuide4u More Exams Can be Purchased through Credit Cards or Paypal Online Directly. Download link will be sent to your email immediately after the purchase. 2 Licensed to Equipe TI divisaox@gmail.com Score: 800/1000 Version: 1.0 Time Limit: 120 Minutes 3 Licensed to Equipe TI divisaox@gmail.com Exam A (149 questions) Question 1 What is the essence of the principle `Full Lifecycle Protection'? Delivering the maximum degree of data protection by default, ensuring that personal data are automatically protected in any given IT system or business practice. Ensuring that whatever business practice or technology is involved, processing is done according to the stated objectives, subject to independent verification. Embedding security measures to protect the data from the moment it is collected, throughout processing until it is destroyed at the end of the process. Prioritizing the protection of the interests of the individual by offering for example strong privacy defaults, appropriate notice or empowering user-friendly options. Explanation: Explanation Explanation/Reference: Question 2 A processor is instructed to report on customers who bought a product both last month and at least once in the three months before that. Unfortunately, the processor makes a mistake and uses personal data collected by another controller for a different purpose. The mistake is found before the report is created, and nobody has access to personal date he or she should not have had access to. How should the processor act on this situation and what should the controller do, if anything? The processor must notify the controller and the controller must notify the Data Protection Authority of a data breach. The processor must notify the controller of a data breach. 
The controller must assess the possible risk to the data subjects. The processor must notify the Data Protection Authority of a data breach. The controller must execute a PIA to assess the risk to data subjects. The processor must restart processing using the right data. There is no need for the controller to act. Explanation: Explanation 4 Licensed to Equipe TI divisaox@gmail.com Explanation/Reference: Question 3 The Supervisory Authority is notified whenever an organization intends to process personal data, except for some specific situations. The Supervisory Authority keeps a publicly accessible register of these data processing operations. What else is a legal obligation of the Supervisory Authority in reaction to such a notification? To assess compliance with the law in all classes where sensitive personal data is processed To assess the legitimacy of operations that involve specific risks for the data subjects To assess the legitimacy of binding contract(s) between the controller and the data processor(s) To give out a license for the data processing, specifying the types of personal data which are allowed Explanation: Explanation Explanation/Reference: Question 4 In what way are online activities of people most effectively used by modern marketers? By analyzing the logs of the web server it can be seen which products are top sellers, allowing them to optimize their marketing campaigns for those products. By tagging users of social media, profiles of their online behavior can be created. These profiles are used to ask them to promote a product. By tagging visitors of web pages, profiles of their online behavior can be created. These profiles are sold and used in targeted advertisement campaigns. Explanation: Explanation Explanation/Reference: 5 Licensed to Equipe TI divisaox@gmail.com Question 5 A German company wants to enter into a binding contract with a processor in the Netherlands for the processing of sensitive personal data of German data subjects. 
The Dutch Supervisory Authority is informed of the type of data and the aims of the processing, including the contract describing what data will be processed and what data protection procedures and practices will be in place. According to the GDPR, what should the Dutch Supervisory Authority do in this scenario? Report the data processing to the German Supervisory Authority and leave the supervising to them. Supervise the processing of personal data in accordance with Dutch Law. Supervise the processing of personal data in accordance with German Law. The Dutch Supervisory Authority should check that adequate binding contracts are in place. The German Supervisory Authority should supervise. Explanation: Explanation Explanation/Reference: Question 6 A person finds that a private videotape showing her in a very intimate situation has been published on a website. She never consented to publication and demands that the video is being removed without undue delay. According to the GDPR, what should be done next? Nothing. The video may be regarded as `news' and, therefore, the website is only exercising its right to freedom of expression and information. The controller erases the video from the website and, when possible, informs any controller who might process the same video, that it must be erased. The controller erases the video from the website. There is no obligation however, to inform others who might have copied it, that it should be erased. The controller directs the person to seek a lawyer and informs that he cannot exclude before a juridical authorization. Explanation: Explanation Explanation/Reference: 6 Licensed to Equipe TI divisaox@gmail.com Question 7 For processing of personal data to be legal, a number of requirements must be fulfilled. What is a requirement for lawful personal data processing? A `code of conduct', describing what the processing exactly entails, must be in place. The data subject must have given consent, prior to the processing to begin. 
The processing must be reported to and allowed by the Data Processing Authority There must be a legitimate ground for the processing of personal data. Explanation: Explanation Explanation/Reference: Question 8 Under what EU legislation is data transfer between the EEA and the U.S.A. allowed? An adequacy decision based on the Privacy Shield program An adequacy decision by reason of US domestic legislation The Transatlantic Trade an Investment Partnership (TTIP) The U.S.A.'s commitment to join the European Economic Area Explanation: Explanation Explanation/Reference: Reference: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en 7 Licensed to Equipe TI divisaox@gmail.com Question 9 According to the GDPR, for which situations should a Data Protection Impact Assessment (DPIA) be conducted? For all projects that include technologies or processes that require data protection For all sets of similar processing operations with comparable risks For any situation where technologies and processes will be subject to a risk assessment For technologies and processes that are likely to result in a high risk to the rights of data subjects Explanation: Explanation Explanation/Reference: Reference: https://eugdprcompliant.com/dpia-guidelines/ Question 10 While paying with a credit card, the card is skimmed (i.e. the data on the magnetic strip is stolen). The magnetic strip contains the account number, expiration date, cardholder's name and address, PIN number and more. What kind of a data breach is this? Material Non-material Verbal Explanation: Explanation Explanation/Reference: 8 Licensed to Equipe TI divisaox@gmail.com Question 11 Someone regularly receives offers from a store where he purchased something five years ago. He wants the company to stop sending offers andto wipe his personal data. Which aspect of the rights of a data subject in the General Data Protection Regulation (GDPR) requires the company to comply? 
The right to erasure The right to rectification The right to restriction of processing The right to withdraw consent Explanation: Explanation Explanation/Reference: Reference: https://gdpr-info.eu/art-7-gdpr/ Question 12 Important technical requirements set out in the General Data Protection Regulation (GDPR) are about data quality. One is the obligation to ensure appropriate security, including protection against unauthorized or unlawful processing. What is another important technical requirement? To ascertain that personal data collection is adequate, relevant and limited to what is necessary in relation to the purposes To control that data collected for specified, explicit and legitimate purposes is not further processed for other purposes To keep personal data accurate and up to date, ensuring that inaccurate data are erased or rectified without delay To make sure that personal data is processed lawfully, fairly and in transparent manner in relation to the data subject Explanation: Explanation Explanation/Reference: Reference: http://www.privacy-regulation.eu/en/article-5-principles-relating-to-processing-of- personal-data-GDPR.htm 9 Licensed to Equipe TI divisaox@gmail.com Question 13 According to the GDPR, what is a mandatory topic in a DPIA report? Systematic description of the fiduciary duties to ensure compliance to all relevant laws and regulations An assessment of the necessity and proportionality of the processing operations in relation to the purposes The documentation of the risks to the rights and freedoms of the data protection officer The measures envisaged to address the privacy compliance frameworks risks Explanation: Explanation Explanation/Reference: Question 14 What is the role of the one assigned the responsibility to govern the purposes and means of processing personal data within an organization, according to the GDPR? 
Controller Data Protection Officer Data Subject Processor Explanation: Explanation Explanation/Reference: Reference: https://www.i-scoop.eu/gdpr/data-controller-data-controller-duties/ 10 Licensed to Equipe TI divisaox@gmail.com Question 15 The GDPR states that records of processing activities must be kept by the controller. To whom must the controller make these records available, if requested? The data processor The Data Protection Officer The European Commission The supervisory authority Explanation: Explanation Explanation/Reference: Reference: https://www.whitecase.com/publications/article/chapter-10-obligations-controllers- unlocking-eu-general-data-protection Question 16 Which situation is considered a data breach according to the GDPR? A processor deletes personal data after his contract with the controller expired. A processor leaves his computer unattended, where colleagues may be able to access it. After a disk crash a processor restores personal data from a recent back-up. After processing a processor deletes personal data on instruction of the controller. Explanation: Explanation Explanation/Reference: 11 Licensed to Equipe TI divisaox@gmail.com Question 17 A controller discovers that a data subject, who had given consent for the processing of his data, has passed away. What this implies for data processing according to the General Data Protection Regulation (GDPR)? With the death of the data owner, the controller can continue processing the data, as they are no longer under the GDPR. The data can only be processed by the controller respecting the consent provided by the holder. The controller must delete the data of the holder, since with the death of the holder the consent is automatically revoked. The controller can process the data of a deceased person as long as it anonymizes the data. 
Explanation: Explanation Explanation/Reference: Explanation: With the death of the data subject, the controller can process the data in any way he wishes, since personal data of deceased persons is not within the scope of the GDPR. Recital 27 says: This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons. Question 18 According to the GDPR, what is the main reason to consider data protection in the initial design phase? It ensures efficiency in project phases It ensures privacy by default It reduces the risk of fraud It reduces the risk of liability Explanation: Explanation Explanation/Reference: 12 Licensed to Equipe TI divisaox@gmail.com Question 19 When does the GDPR require data subjects consent to a cookie? Always, because a cookie is regarded as online identifier Never, as the EU Cookie Law does not require explicit consent Only if the cookie contains authentication information of the data subject Only if the cookie contains shopping basket items Explanation: Explanation Explanation/Reference: Reference: https://eugdprcompliant.com/cookies-consent-gdpr/ Question 20 A personal data breach has occurred, and the controller is writing a draft notification for the supervisory authority. The following information is already in the notification: - The nature of the personal data breach and its possible consequences. - Information regarding the parties that can provide additional information about the data breach. What other information must the controller provide? Information of local and national authorities that were informed about the data breach. Name and contact details of the data subjects whose data may have been breached Suggested measures to mitigate the adverse consequences of the data breach. The information needed to access the personal data that have been breached. 
Explanation: Explanation Explanation/Reference: Explanation: Information of local and national authorities that were informed about the data breach. Incorrect. The supervisory authority must be made aware of reports to supervisory authorities in other EEA countries. Reports to local authorities, for instance the police, do not need to be reported. 13 Licensed to Equipe TI divisaox@gmail.com Name and contact details of the data subjects whose data may have been breached. Incorrect. The supervisory authority requires an estimate of the number of data subjects involved, not their personal data. Suggested measures to mitigate the adverse consequences of the data breach. Correct. The controller should add suggested measures to mitigate the adverse consequences of the data breach. (Literature: A, Chapter 7; GDPR Article 33(q)) The information needed to access the personal data that have been breached. Incorrect. The supervisory authority needs to know the type of personal data involved, but does not need access to the data themselves. Question 21 The General Data Protection Regulation (GDPR) formalizes the data subject's right to data portability. What is the objective of data portability? The controller has the right to move the data subject's personal data from one organization to another. The data subject has the right to move personal data concerning him or her. The data subject has the right to move his/her personal data when moving to another country. The Supervisory Authority authorizes the movement of personal data. Explanation: Explanation Explanation/Reference: 14 Licensed to Equipe TI divisaox@gmail.com Question 22 Personal data as defined in the GDPR can be divided into several types. One of these types is described: Data that directly or indirectly reveal someone's racial or ethnic background, political, philosophical, religious views, union affiliation and data related to health or sex life and sexual orientation. What type of personal data isthis? 
Direct personal data Indirect personal data Pseudonymized data Special category personal data Explanation: Explanation Explanation/Reference: Explanation: Direct personal data. Incorrect. Both direct and indirect data are described. Indirect personal data. Incorrect. Both direct and indirect data are described. Pseudonymized data. Incorrect. Pseudonymized data cannot directly reveal information. Special category personal data. Correct. This is a definition of special category personal data. (Literature: A, Chapter 1; GDPR Article 4) Question 23 The General Data Protection Regulation (GDPR) is based on the principles of proportionality and subsidiarity. What is the meaning of "proportionality" in this context? Personal data can be processed according to the use of requirements. Personal data cannot be reused without explicit and informed consent. Personal data can only be processed if there are no other means to achieve the purposes. Personal data must be adequate, relevant and not excessive in relation to the purposes. Explanation: Explanation Explanation/Reference: 15 Licensed to Equipe TI divisaox@gmail.com Explanation: Recital 170 mentions "Since the objective of this Regulation, namely to ensure an equivalent level of protection of natural persons and the free flow of personal data throughout the Union, cannot be sufficiently achieved by the Member States and can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective." Proportionality says that personal data should be collected according to the purpose of processing, that is, proportional, and data that will not be used for the purpose should not be collected. 
Subsidiarity is a principle that says that personal data can only be processed if there are no other means to achieve the objective. Therefore, the less personal data used, the less the possibilities of violating privacy. These two principles Subsidiarity and Proportionality are constantly charged in the EXIN exam. Question 24 What is a responsibility of Supervisory Authorities in EEA countries? Research on security breaches of corporate information Supervision of all data processing operations controlled by a controller in an EEA country Supervision of all data processing operations where the data subjects are residents of an EEA country Explanation: Explanation Explanation/Reference: 16 Licensed to Equipe TI divisaox@gmail.com Question 25 A controller can contract out the processing of personal data to another company, provided a written contract between these partners is in place. Which clause in this contract is a responsibility of the controller? To ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. To make available all information necessary to demonstrate compliance with the obligations laid down in the GDPR and allow for and contribute to audits, including inspections. To process the personal data only on documented instructions, including with regard to transfers of personal data to a third country or an international organization. To provide sufficient guarantees for appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR. Explanation: Explanation Explanation/Reference: Question 26 What is the purpose of Data Life Cycle Management (DLM)? Ensuring that an adequate level of data protection is in place during some of the stages in the data life cycle. Guaranteeing that personal data is processed in compliance with the GDPR during its lifetime. 
Managing personal data in a way that guarantees the data is accurate and kept up to date. Explanation: Explanation Explanation/Reference: 17 Licensed to Equipe TI divisaox@gmail.com Question 27 An architect, leaving a building site, puts his laptop for a moment beside his car on the road, while answering his phone. When driving away he sees in the mirror his laptop being crushed by an enormous lorry driving over it. All his files on the design of the building and the calculations he worked on are lost. His only consolation is that those were the only files on the device. In terms of the GDPR, what happened? a data breach a security incident a security issue a vulnerability Explanation: Explanation Explanation/Reference: Question 28 What is considered a personal data processing for the General Data Protection Regulation (GDPR)? Analysis of data regarding the cause of death in the last 10 years. Creating a backup with records of names, addresses, enrollment of students. Conducting analysis of personal data related to health issues, but which have previously been anonymized. Statistical publication with intention to vote, help anonymously. Explanation: Explanation Explanation/Reference: Explanation: Anonymized data is not under the scope of the GDPR, nor are data from deceased persons. Organizations that handle only this type of data do not need to conform to the GDPR. Anonymized data reads data that is not possible to reverse in order to identify the data subject. There is also pseudonymized data, in which case it is possible to perform the reversal and identify the data holder. 18 Licensed to Equipe TI divisaox@gmail.com Question 29 Which cause is a data breach according to the GDPR? illegally obtained corporate data from a human resources management system Personal data is processed without a binding contract. 
Personal data is processed by anyone other than the controller, processor or, possibly, subprocessor The operation of a vulnerable server in the internal network of the processor Explanation: Explanation Explanation/Reference: Question 30 "The controller shall implement appropriate technical and organizational measures for ensuring that (...) only personal data which are necessary for each specific purpose of the processing are processed." Which term in the GDPR is defined here? Compliance Data protection by default and by design Embedded data protection Explanation: Explanation Explanation/Reference: Explanation: Compliance. Incorrect. Compliance means meeting rules or standards. Data protection by design and by default. Correct. By default, the minimum of personal data is to be processed for the shortest possible period, using the best possible security measures to prevent unauthorized access. Data protection by design refers to processing that includes appropriate measures to implement data protection principles. (Literature: A, Chapter 8; GDPR Article 25) 19 Licensed to Equipe TI divisaox@gmail.com Embedded data protect. Incorrect. Embedded data protection is the result of data protection by design. Question 31 What does the principle of `data minimization' mean? Personal data shall be accurate and where necessary kept up to date. Personal data shall be adequate and limited to what is necessary for the purposes of the processing. Personal data shall be processed in a manner that ensures appropriate security of the personal data. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. Explanation: Explanation Explanation/Reference: Question 32 According to Article.33 of the GDPR the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. 
What is the maximum penalty fornon- compliance with this notification obligation? 10.000.000 or 2% of the annual global turnover, whichever is higher 20.000.000 or 4% of the annual global turnover, whichever is higher Up to 500.000 with a minimum of 120.000 Up to 820.000 with a minimum of 350.000 Explanation: Explanation Explanation/Reference: Explanation: 10.000.000 or 2% of the annual global turnover, whichever is higher. Correct. This is the maximum according to the GDPR for infringement of the personal data breach notification obligation. (Literature: A, Chapter 7; GDPR Article 33) 20 Licensed to Equipe TI divisaox@gmail.com 20.000.000 or 4% of the annual global turnover, whichever is higher. Incorrect. This fine is given for non-compliance or non-conformity to the basic principles for processing, including conditions for consent. Up to 500.000 with a minimum of 120.000. Incorrect. This is an outdated number based on the Dutch Penal code. GDPR rules specify higher fines. Up to 820.000 with a minimum of 350.000. Incorrect. This is an outdated number based on the Dutch Penal code. GDPR rules specify higher fines. Question 33 How are the terms privacy and data protection related? Data protection is the right to privacy. The terms are synonymous. Privacy includes the right to the protection of personal data. Explanation: Explanation Explanation/Reference: Question 34 What is the definition of privacy related to the General Data protection Regulation (GDPR)? A situation in which one is not observed or distributed by the government or uninvited people. The right to respect for a person's private and family life, his home and his correspondence. The fundamental right to respect a person's physical and mental integrity. The right to be protected against unsolicited intrusion into a computer or network and the processing of personal data by third parties. 
Explanation: Explanation Explanation/Reference: 21 Licensed to Equipe TI divisaox@gmail.com Question 35 What is the most important difference between the 95/46/EC and the GDPR? 95/46/EC applies as law in all EEA member states while the GDPR is a guidance. 95/46/EC applies to processing of data on EEA residents worldwide and the GDPR does not. The GDPR applies as law in all EEA member states while 95/46/EC is a guidance. The GDPR applies to persons and organizations which process personal data within EEA member states. The scope of 95/46/EC is more restricted in this aspect. Explanation: Explanation Explanation/Reference: Question 36 What should be done by the EU member states and is not a responsibility of the supervisory authorities? Impose administrative fines to controllers Make rules for penalizing other GDPR infringements Order the controller to notify the data subject about a breach Receive and process data breach notifications from controllers Explanation: Explanation Explanation/Reference: Question 37 Personal data can be transferred outside of the EEA. According to the GDPR, which transfers outside the EEA are always lawful? Transfers based on the laws of the non-EEA country concerns Transfers falling under World Trade Organization rules Transfers governed by approved binding corporate rules (BCR) Transfers within a global corporation or organization Explanation: Explanation 22 Licensed to Equipe TI divisaox@gmail.com Explanation/Reference: Explanation: Transfers based on the laws of the non-EEA country concerned. Incorrect. This would also require an adequacy decision confirming that those laws are sufficient. Transfers falling under World Trade Organization rules. Incorrect. WTO only covers free trade of goods and services. Transfers governed by approved binding corporate rules (BCR). Correct. Binding corporate rules approved by a supervisory authority involved make the transfer lawful. 
(Literature: A, Chapter 7; GDPR Article 47) Transfers within a global corporation or organization. Incorrect. This would also require that they adopt official binding corporate rules. Reference: https://edps.europa.eu/data-protection/data-protection/reference-library/international- transfers_en Question 38 The General Data Protection Regulation (GDPR) allows processing of personal data only for purposes explicitly permitted by law. A tax advisor wants to file income tax returns for a neighbor. Which of the legitimate grounds in the GDPR applies? Processing of the personal data is permitted in this case with explicit consent of the data subject. Processing of the personal data is permitted because this is necessary for compliance with a legal obligation to which the controller is subject. Processing of personal data is permitted in the course of a purely personal or household activity. Explanation: Explanation Explanation/Reference: 23 Licensed to Equipe TI divisaox@gmail.com Question 39 What does the GDPR concept of `binding corporate rules' (BCR) imply? A commission decision on the safety of data transfer to a third country A set of rules used by a group of enterprises concerning personal data protection in international transfers Measures to compensate for the lack of data protection in a third country Rules covering data transfers between third countries Explanation: Explanation Explanation/Reference: Question 40 A written contract between a controller and a processor is called a data processing agreement. According to the GDPR, what does not have to be covered in the written contract? The contractor code of business ethics and conduct that is used. Which data are covered by the data processing agreement The information security and personal data breach procedures The technical and organizational measures implemented Explanation: Explanation Explanation/Reference: Explanation: The contractor code of business ethics and conduct that is used. Correct. 
Although the GDPR endorses the use of codes of conduct and certification, it is not an obligation to have this clause to demonstrate compliance with the GDPR. (Literature: A, Chapter 8; GDPR Article 28(3))

The information security and personal data breach procedures. Incorrect. This is mandatory because it describes the obligations of the processor regarding the notification of a personal data breach (by the controller) to the supervisory authority.

The technical and organizational measures implemented. Incorrect. This is mandatory because it describes the technical and organizational measures the processor must take.

Which data are covered by the data processing agreement. Incorrect. This is mandatory because it describes the personal data, including special category personal data, covered by the contract.

Question 41
The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. What is the legal status of this regulation?

The GDPR is a functional law in all EU member states and Member States cannot rectify it.
The GDPR is only a recommendation. Member States should create laws to suit.
Some articles in the GDPR provide guidance and allow Member States to draft more specific laws to suit.

Explanation:
When we have a Regulation, such as the GDPR, all EU Member States are obliged to follow it. The Regulation is a law, and Member States cannot create laws that oppose it. This is unlike Directives, which set objectives to be achieved but leave each Member State free to decide how to apply them in its own country.

Question 42
One of the GDPR principles states that personal data should be adequate, relevant and limited to what is necessary in relation to its purpose. Which principle is this?

integrity and confidentiality
purpose limitation
data minimization
lawfulness, loyalty and transparency

Explanation:
In Article 5, which deals with the principles relating to the processing of personal data, paragraph 1, the GDPR states:
1. Personal data shall be: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');
Article 5 lists all the GDPR principles for the processing of personal data. The data minimization principle reflects the aim of the law that only the data required for the processing should be collected. This is also favorable to businesses: the less data is collected, the less likely violations are to occur, and consequently the impacts also decrease.
Reference: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

Question 43
A company is planning to process personal data. The recently appointed data protection officer (DPO) executes a data protection impact assessment (DPIA). The DPO finds that all computers have a setting causing monitors to show a screen saver after five seconds of inactivity. However, the computers are not locked automatically. When employees leave their desk, they usually do not lock their computers either. What is this an example of?

Security incident
Personal data breach
Security vulnerability
Data access

Explanation:
Data access. Incorrect. The data have not been accessed.
Personal data breach. Incorrect. No personal data has been processed without authorization yet, so it is not a breach.
Security incident. Incorrect. Processing has yet to begin; there is no reason to assume an incident has taken place.
Security vulnerability. Correct. Confidentiality of the data cannot be guaranteed if employees leave their workstation without locking the computer. (Literature: A, Chapter 2; GDPR Article 5(1)(f))

Question 44
Which organizations need to comply with the General Data Protection Regulation (GDPR)?

Only organizations that have employees in the European Union (EU).
Only organizations that have their headquarters in the European Union (EU).
All organizations anywhere in the world.
All organizations located in the European Union and also organizations outside the European Union that offer goods or services to data subjects in the EU.

Explanation:
This is the question that raises the most doubts: "Who needs to comply?". For example:
1 - If you have a company in Brazil, sell products or services and process personal data of residents in the EU, your company must conform to the GDPR.
2 - If you have a company located in the EU and handle personal data.
Transcribing here part of Article 3 of the GDPR:
1. This Regulation applies to the processing of personal data carried out in the context of the activities of an establishment of a controller or a processor located in the territory of the Union, regardless of whether the processing takes place inside or outside the Union.
2. This Regulation applies to the processing of personal data of data subjects residing in the territory of the Union, carried out by a controller or processor not established in the Union, when the processing activities are related to:
a) The provision of goods or services to such data subjects in the Union, regardless of the requirement for data subjects to make a payment;
b) Monitoring of their behavior, provided that such behavior takes place in the Union.

Question 45
In the contract between the controller and the processor for the processing of personal data, which of the options below represents the sole responsibility of the controller?
Erase all personal data after the completion of the processing-related services, deleting existing copies.
Process personal data only on documented instructions, including with regard to data transfers to third countries or international organizations.
Ensure that the persons authorized to process personal data have committed themselves to confidentiality.
Apply technical and organizational measures to ensure that only personal data that are necessary for each specific purpose of processing are processed.

Explanation:
The correct option is exclusively a responsibility of the controller; the others are responsibilities of the processor, in accordance with Articles 25 and 28 of the GDPR.

Question 46
Which of the parties below can implement data protection by design (from conception)?

The data subject.
The Data Protection Officer (DPO).
The processor.
The supervisory authority.

Explanation:
It is the duty of the processor to guarantee security in the processing of the data entrusted to it by the controller.

Question 47
After appearing in a photo posted by a friend on a social network, a person felt embarrassed and decided that he wants the photo to be deleted. According to the General Data Protection Regulation (GDPR), does that person have the right to have this photo deleted?

False
True

Explanation:
The GDPR does not apply to the use of personal data for domestic purposes; however, in this example the controller is the social network, as it performs the processing of the photos. Therefore, the data subject has the right to have this photo deleted.
For domestic purposes, data collection is not intended for professional or commercial purposes. Examples are get-togethers of friends and family, where we may collect names, phone numbers and e-mails to facilitate the organization, as well as taking pictures to record the moment. Now, if you have a blog where you record several moments with your friends and you monetize it in some way, watch out: you are under the scope of the GDPR.
Recital 18 states: "This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities."

Question 48
What is the main objective of the "Lifecycle Protection" principle?

All appropriate measures shall be taken to ensure that inaccurate data, taking into account the purposes for which they are processed, are erased or rectified without delay.
The processing of data must take place in a manner that ensures its security, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage.
Security measures should be in place from the moment data are collected until they are deleted.
Data must be collected for specified, explicit and legitimate purposes and may not be further processed in a manner incompatible with those purposes.

Explanation:
Data Life Cycle Management (DLM) aims to manage the data flow throughout the lifecycle: collection, processing, sharing, storage and deletion. Knowing where the data travels, who is responsible and who has access helps a lot when implementing security measures.

Question 49
Which of the following options describes the concept of data minimization?

It is the minimization of data storage locations.
It is the decrease in the space allocated for data storage.
It is the limitation of data to the purposes for which it is processed.
It is the use of data for the shortest possible time.

Explanation:
In Article 5, which deals with the principles relating to the processing of personal data, paragraph 1, the GDPR states:
1. Personal data shall be: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');
Article 5 mentions all the GDPR principles for the processing of personal data. The data minimization principle reflects the aim of the law that only the data required for the processing should be collected. This is also favorable to businesses: the less data is collected, the less likely violations are to occur, and consequently the impacts also decrease.
Reference: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

Question 50
Which of the following types of transfers of personal data outside the European Economic Area (EEA) is allowed?

Transfer between country governments.
Transfers subject to the law of the countries involved.
Transfers conducted through Standard Contractual Clauses.
Transfers conducted under Compulsory Corporate Rules.

Explanation:
Compulsory Corporate Rules are rules used internally by multinational companies to transfer personal data. Thus, it is possible to transfer data between the companies of the group, even if the destination company is in a country that does not have an adequate level of data protection. These rules are like an internal corporate code of conduct and do not cover transfers of personal data outside the corporate group. Do not confuse "Compulsory Corporate Rules" with "Standard Contractual Clauses".
The latter are clauses in contracts for international data transfers between companies (customer and supplier relationship) where the destination country does not have an adequate level of data protection, and they depend on authorization from the supervisory authority.
Article 58(3) of the GDPR: Each supervisory authority shall have all of the following authorisation and advisory powers:
a) to advise the controller in accordance with the prior consultation procedure referred to in Article 36.

Question 51
Which of these options is an example of a data breach?

Transfer of personal data outside the EU
Loss of personal data
A security incident related to corporate data.

Explanation:
There is a catch here between the options "Loss of personal data" and "Transfer of personal data outside the EU". A data breach is whenever something happens with the personal data that was not planned, be it improper processing, improper sharing, loss of data, deletion, etc. That is, personal data must be used for a specific purpose, respecting the life cycle (from collection to deletion); any situation that escapes this cycle must be reported as a data breach. The transfer of personal data outside the EU can also be considered a violation if there is no authorization from the data subject and the destination country does not offer legislation like the GDPR. Although there is no specific legislation, the supervisory authority can authorize the transfer of data provided that the company in the destination country accepts standard contractual clauses for the processing of this data.
Article 46(1) of the GDPR: In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
Article 58(3) of the GDPR: Each supervisory authority shall have all of the following authorisation and advisory powers: to authorise contractual clauses referred to in point (a) of Article 46(3).

Question 52
Data protection and privacy are closely related terms. Which of these options best represents this relationship?

Privacy is a part of data protection that aims to keep personal data confidential.
Data protection is a part of privacy that aims to keep personal data confidential.
The two terms have the same meaning. They are synonymous.
Without protection of personal data there is no privacy.

Explanation:
A frequently repeated phrase is: "It is possible to have security without privacy, but it is not possible to have privacy without security". Privacy is a right that should be protected, and data protection comprises the measures that will be used to achieve this protection.

Question 53
After notifying the supervisory authority, what should be the first action the controller must take when it finds a security breach where unauthorized people have accessed personal data?

Contact the DPO for formal notification to the supervisory authority.
Analyze whether sensitive data has been accessed.
Register a police report at the cybercrime station.
Notify the data subjects that have been subject to a security breach.

Explanation:
It is necessary to check the extent of this personal data breach: what data has been accessed and what the risk to the data subjects is. Depending on this extent, in addition to notifying the supervisory authority, it will also be mandatory to notify the data subjects whose data were breached.

Question 54
Which of the following conflicts with the principle of purpose limitation?

The data is sold to another company without the consent of the data subject.
Adapt the data to the purpose of the processing.
Store the data in a way that allows the identification of the data subjects.
Data is used in a manner that is obscure to the data subject.

Explanation:
The principle of purpose limitation says that personal data must be collected for specific, explicit and legitimate purposes and cannot be further processed in a way incompatible with those purposes. When the data is sold to another company, we can conclude that it was acquired by a controller for a specific purpose and that the controller subsequently sold it without the data subject's knowledge and consent.

Question 55
In what year did the General Data Protection Regulation (GDPR) come into force?

2016
2018
2017
2019

Explanation:
The deadline for companies to adapt and comply with the GDPR was May 25, 2018. This is an important date and should be memorized; it is common for this question to appear in the exam.
Article 99 of the GDPR:
1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
2. It shall apply from 25 May 2018.

Question 56
How does a supervisory authority contribute to the application of the GDPR?

Assists in the implementation of a data protection management system (at the controller's request).
Monitor and enforce the application of this Regulation.
Perform a Data Privacy Impact Analysis (DPI) at the request of the Data Protection Officer (DPO).
Determines technical safety measures to be applied to the controller.
Explanation:
Article 57 legislates on the tasks of the supervisory authority. Paragraph 1, item "a", says: "monitor and enforce the application of this Regulation".

Question 57
Which of the alternatives describes one of the supervisory authority's responsibilities?

Supervise the processing of data of data subjects residing in a country belonging to the European Economic Area (EEA).
Consider the nature of the processing and, as far as possible, assist the controller in order to enable the controller to fulfil his obligations.
Provide the controller with all necessary information to demonstrate compliance with obligations.
Apply technical and organizational measures to ensure that only personal data that are necessary for each specific purpose of processing are processed.

Explanation:
The correct option is a responsibility of the supervisory authority; the others are responsibilities of the processor. GDPR Article 3 decrees: This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

Question 58
How does the GDPR regulate this specific case? A woman uses the services of a gym in the city where she lives. However, she will move to another town, so she requests that the current gym transfer all her data (exercises, eating plans, physical evaluations, etc.) to another gym in the new town.

The current gym is not obliged to answer the data subject's request, because this could jeopardize its business secrets.
The current gym should send all her data directly to the new gym.
The gym in the new town should get in contact with the current gym and request the data.
The current gym should provide the data to her.

Explanation:
Article 20 of the GDPR establishes the right to data portability. Its second paragraph states: In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
However, it is worth noting that paragraph 1 of this article states: The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format...
The question states that she requested that the data be transferred, which is why the correct answer is "The current gym should send all her data directly to the new gym." (B) Yet she also has the right to request her own data, so if the question had been worded that way, the correct answer would be "The current gym should provide the data to her." (D)

Question 59
A company CEO travels to a meeting in another city. He takes a notebook with information about the company's new projects and acquisitions, which will be the subject of discussion at this meeting. These are the only data stored on the notebook. The notebook accidentally falls into the hotel's pool and all data is lost. What happened, considering the General Data Protection Regulation (GDPR)?

A security incident
A vulnerability
A data breach
A security risk

Explanation:
The purpose of the GDPR is to protect personal data. In this case there was no loss of personal data, so it is not a data breach.
Important: A data breach is whenever something happens with the personal data that was not planned, be it improper processing, improper sharing, loss of data, deletion, etc. That is, personal data must be used for a specific purpose, respecting the life cycle (from collection to deletion); any situation that escapes this cycle must be reported as a data breach.

Question 60
When a data breach occurs in a company that has branches in several countries of the European Union, which supervisory authority is competent to take the appropriate measures?

The supervisory authority of the country where the company's main establishment is located.
The supervisory authority of the country where the subsidiary with the largest number of affected data subjects is located.
The supervisory authority of the country that had the most affected data subjects.
The supervisory authority of the country where the company's largest subsidiary is located.

Explanation:
Recital 124 tells us: "Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union and the controller or processor is established in more than one Member State, or where processing taking place in the context of the activities of a single establishment of a controller or processor in the Union substantially affects or is likely to substantially affect data subjects in more than one Member State, the supervisory authority for the main establishment of the controller or processor or for the single establishment of the controller or processor should act as lead authority..."
But what is the main establishment?
Article 4, paragraph 16, gives us the definitions:
16) 'Main establishment':
a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation.

Question 61
The supervisory authority may impose fines on organizations that are not meeting the mandatory requirements of the General Data Protection Regulation (GDPR).

False
True

Explanation:
Article 83(5) of the GDPR: Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher...
Article 51(2) of the GDPR: Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union.

Question 62
A person buys a product at a store located in the European Economic Area (EEA). At the time of purchase, he is asked to fill out a registration form and he provides his personal email. As is usual in many stores, over the next few days this person starts receiving several marketing emails. He considers the frequency of these emails to be very high. Exercising his rights, he asks the store to delete all his personal data. What must the store do according to the General Data Protection Regulation (GDPR)?

The data subject does not have this right: since he bought a product in the store, the store has the right to send him emails with new promotions.
The store has 30 days from the date of receipt of the customer's request to delete all data at no cost to the customer.
The store must delete the customer's data from its advertising list.
Purchase data cannot be deleted, as financial data has to be kept longer.

Explanation:
Companies have tax obligations to fulfil, so financial data cannot be deleted. The data subject has several rights under the GDPR, but there are limitations: these rights cannot run counter to other specific legislation. In this case, the data subject can exercise the right to object instead of the right to erasure. Under the right to object, he requests that the controller cease the processing of his data for non-consented purposes. An example of objection: in Brazil there was the website naomeperturbe.com.br, where millions of Brazilians could object to the inconvenient calls made by telecommunication service providers.

Question 63
Which of the following options is provided for in the GDPR and can be done by Member States?

Approve national provisions for the implementation of the GDPR.
Force the controller to notify the data subject of a breach.
Audit controller and processor security processes.
Penalize controllers and processors.

Explanation:
Recital 10 of the GDPR states: "Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation." It also says: "This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data ('sensitive data')." However, this does not mean that Member States can approve a rule that goes against a GDPR guideline. Note that these national provisions are measures to increase the effectiveness of the law. An example is the case of Ireland, where it was established that the DPO is responsible for data breaches, something that is not provided for in the GDPR.

Question 64
The GDPR contains several types of items. Which of these contains mandatory requirements?

Recitals
Articles

Explanation:
The GDPR has 173 recitals. The recitals introduce a better understanding of the law and its articles. The articles, 99 in total, contain the mandatory requirements of the law.

Question 65
What is the main purpose of the General Data Protection Regulation (GDPR)?

Protect the data of everyone in Europe.
Protect the data of everyone in the world.
Protect the data of data subjects located in the European Economic Area (EEA), regardless of the country of processing.
Protect confidential business data.
Explanation:
Contrary to what many people think, the GDPR does not apply only to the EU, but to all member countries of the European Economic Area (EEA), which includes, in addition to the EU member countries, Iceland, Liechtenstein and Norway.

Question 66
A company director's notebook accidentally gets wet, which permanently damages the equipment so that its data cannot be recovered. The lost data concerned the financial reports of the company. What happened in this case according to the GDPR?

A vulnerability
A threat
A security incident
A data violation

Explanation:
The lost reports did not contain personal data; in this case the GDPR is not applicable and it is a security incident.
Important: A data breach is whenever something happens with the personal data that was not planned, be it improper processing, improper sharing, loss of data, deletion, etc. In other words, personal data must be used for a specific purpose, respecting its life cycle (from collection to deletion); any situation that escapes this cycle must be reported as a data breach.

Question 67
Which condition below allows personal data to be processed lawfully?

A Data Privacy Impact Assessment (DPIA) should be performed prior to data collection.
Data processing must be previously authorized by the supervisory authority.
Data subjects' rights must be protected by a privacy policy.
There must be a legitimate basis for data processing.

Explanation:
Article 6 legislates on the lawfulness of processing and lists the 6 legal bases provided:
1 - the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
2 - processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
3 - processing is necessary for compliance with a legal obligation to which the controller is subject;
4 - processing is necessary in order to protect the vital interests of the data subject or of another natural person;
5 - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
6 - processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Question 68
When personal data are processed, who is ultimately responsible for demonstrating compliance with the GDPR?

Data protection officer (DPO)
Supervisory authority
Processor
Controller

Explanation:
Controller. Correct. The controller is responsible for adequate data security measures and must be able to demonstrate compliance with the GDPR. (Literature: A, Chapter 2)
Data protection officer (DPO). Incorrect. The DPO has expert knowledge and assists the controller or processor in monitoring internal compliance.
Processor. Incorrect. The processor is the one who processes personal data according to the instructions of the controller. The controller remains ultimately responsible, though.
Supervisory authority. Incorrect. The controller needs to demonstrate compliance with the GDPR if requested by the supervisory authority.

Question 69
The word privacy is never mentioned in the text of the General Data Protection Regulation (GDPR). Despite this, what would be the best definition of privacy according to the Regulation?

The right not to have your life monitored by technologies.
Having freedom of expression.
The right to respect for private and family life, home and communications.
The right to have your personal data protected.

Explanation:
Privacy is a right that must be protected, and data protection comprises the measures that will be used to achieve this protection. Data protection and privacy complement each other, but they are not the same. A well-known phrase is: "You can have security without privacy, but you cannot have privacy without security".
Recital 4 of the GDPR says: The processing of personal data should be designed to serve individuals. The right to protection of personal data is not absolute; it must be considered in relation to its role in society and balanced with other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognized in the Charter, enshrined in the Treaties, namely respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and a fair trial, and cultural, religious and linguistic diversity.

Question 70
One of the basic principles of the General Data Protection Regulation (GDPR) is subsidiarity. What does subsidiarity mean for the GDPR?
Personal data can only be collected for explicit, legitimate and specific purposes and cannot be processed for any other purpose. Only the personal data needed to achieve a specific purpose should be collected. The least privacy-violating means should be used when processing personal data. Personal data must be kept for a period not longer than necessary. Explanation: Explanation Explanation/Reference: Explanation: Whereas Recital 170 mentions: "Since the objective of this Regulation, namely to ensure an equivalent level of protection of natural persons and the free flow of personal data throughout the Union, cannot be sufficiently achieved by the Member States and can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective". Subsidiarity is a principle that says that personal data can only be processed if there are no other means to achieve the objective. Therefore, the less personal data used, the less the chances of violating privacy. Note that in the quotation in Recital 170 above, the principle of proportionality was highlighted in bold. Equally important to subsidiarity. Proportionality says that personal data must be collected according to the purpose of processing, that is proportional, and data that will not be used for the purpose should not be collected. These two principles Subsidiarity and Proportionality are constantly charged in the EXIN exam. 47 Licensed to Equipe TI divisaox@gmail.com Question 71 The controller responsible for the UK Child Sexual Abuse Investigation body reported a data breach to the supervisory authority in the UK on 28 February 2019. 
People who had registered their interest in participating in forums and debates for victims of child sexual abuse received an email that contained the email addresses of everyone else who had also registered. Which category does this data breach fit into? This data breach should only be reported to the Data Protection Authority. This data breach should only be reported to data subjects. It is not necessary to notify the Supervisory Authority, as this data breach presents minimal risks to the holders. This data breach must be reported to the Data Protection Authority and the data subjects. Explanation: Explanation Explanation/Reference: Explanation: Here we have a very common catch in EXIN exams. In this matter, the personal data that was breached included the email addresses. Although the group is a subject considered sensitive by the GDPR, only other participants who had registered took notice. As it does not present a high risk to data subjects, there is no need to notify the data subject as well. Only the Supervisory Authority is enough. However, after notifying the Supervisory Authority, it may decide that the data subject should also be notified, but for that matter this is not considered. Article 33 of the GDPR legislates on the topic "Notification of a personal data breach to the supervisory authority". 1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. 
Important: the deadline for notifying the Supervisory Authority of a personal data breach is asked about regularly in the EXIN exam. The period is 72 hours.
Question 72
In Article 9 the GDPR categorizes some types of personal data as "sensitive". Which of the following is considered sensitive?
Date of birth of a person.
A person's home address.
Soccer team that a person supports.
Result of a medical examination.
Explanation:
As stated in the question, Article 9 concerns the processing of special categories of personal data, also called sensitive data. This type of question is often asked by EXIN, so it is important to remember which types of data are categorized as sensitive.
Article 9: Processing of special categories of personal data
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
Examples of sensitive data: race, skin color, family ancestry, political party or party affiliation, religious beliefs, illnesses, test results, fingerprints, facial recognition data and sexual orientation. These are just a few examples. Note that the prohibition in paragraph 1 is subject to the exceptions listed in Article 9(2), such as the explicit consent of the data subject or processing for the purposes of health care.
Question 73
A secretary at a pediatric cardiology clinic, instead of sending the doctor the list of patients scheduled for the day, sends it to all the parents or guardians registered for the children with scheduled appointments. According to the GDPR, does the Supervisory Authority need to be notified? And the parents or guardians of the data subjects?
The Supervisory Authority must be notified, but there is no need to notify the parents or guardians of the data subjects, as whoever had access to the data is in the same situation.
The Supervisory Authority must be notified, and so must the parents or guardians of the data subjects whose data was exposed.
There is no need to notify the Supervisory Authority; however, the parents or guardians of the data subjects whose data was exposed must be notified.
There is no need to notify the Supervisory Authority or the parents or guardians of the data subjects, as whoever had access to the data is in the same situation.
Explanation:
This question addresses two very important points: sensitive data (health data) and data of minors. Because both are involved, the breach is likely to result in a high risk, so it is necessary to inform both the Supervisory Authority and the parents or guardians of the data subjects.
Article 34 states:
1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
Recital 38 says:
Children merit specific protection regarding their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.
Question 74
"A breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed." What is the exact term associated with this definition in the GDPR?
Security breach
Personal data breach
Confidentiality violation
Security incident
Explanation:
Confidentiality violation. Incorrect. The GDPR uses the term personal data breach. Not every personal data breach is a confidentiality violation: the definition also covers loss, destruction and alteration of personal data.
Personal data breach. Correct. This is the definition of a personal data breach. (Literature: A, Chapter 5; GDPR Article 4(12))
Security breach. Incorrect. The GDPR uses the term personal data breach. Not every security breach is a data breach, and not every data breach is a personal data breach.
Security incident. Incorrect. The GDPR uses the term personal data breach. Not every security incident is a data breach.
Question 75
In the European Union we have Directives and Regulations. What is the difference between them?
A regulation provides guidance for EU Member States, and they can create their own laws to conform to the regulation. A directive has the force of law, and all EU Member States must follow it without changing it.
A directive provides guidance for EU Member States, and they can create their own laws to conform to the directive. A regulation has the force of law, and all EU Member States must follow it without changing it.
Explanation:
When we have a Regulation, such as the GDPR, all EU Member States are obliged to follow it, and it has a fixed date of application. A Regulation is directly applicable law, and Member States cannot create laws that oppose it. Directives, by contrast, set objectives to be achieved, but each Member State is free to decide how to transpose them into its own national law.
Important: before the GDPR there was Directive 95/46/EC, the first European Data Protection Directive. Adopted in 1995, it already aimed to protect personal data. This directive was replaced by the GDPR: "Article 94: 1. Directive 95/46/EC is repealed with effect from 25 May 2018." In the EXIN PDPF exam this question is routinely asked: "Which directive was replaced by the GDPR?" Answer: 95/46/EC.
Question 76
It is good practice to lock the computer, automatically or manually, when away from the workstation. The company's DPO realizes that this procedure is not being followed by employees. In which category should this occurrence be classified?
Classified as a security vulnerability
Classified as a security incident
There is no specific category.
Classified as a data breach
Explanation:
This occurrence should be classified as a security vulnerability, since the question does not state that an incident has occurred because of it. However, the failure to follow this procedure can allow an incident to occur if an unauthorized person gains access to the unlocked workstation. A vulnerability is a weakness through which a threat can cause an information security incident; it only becomes an incident, and possibly a personal data breach, once it is actually exploited.
Question 77
Which option below correctly defines data protection by design?
It's a methodology of data protection according to its form
It's a concept that demonstrates the need to protect data from the beginning.
It's a methodology about how the data should be collected
Only data that is required for processing should be processed
Explanation:
When we talk about protection by design, we are considering data protection throughout the data lifecycle: collection, processing, sharing, storage and deletion.
When we focus on protecting the data in all of these phases, the risk of failing to meet legal obligations decreases significantly. Data protection by design and by default is set out in Article 25 of the GDPR.
Question 78
According to the GDPR, what is a description of binding corporate rules (BCR)?
A decision on the safety of transferring personal data to a non-EEA country
A set of approved rules on personal data protection used by a group of enterprises
A measure to compensate for the lack of personal data protection in a third country
A set of agreements covering personal data transfers between non-EEA countries
Explanation:
A decision on the safety of transferring personal data to a non-EEA country. Incorrect. This refers to adequacy decisions (Article 45).
A measure to compensate for the lack of personal data protection in a third country. Incorrect. This refers to appropriate safeguards (Article 46).
A set of agreements covering personal data transfers between non-EEA countries. Incorrect. The GDPR does not cover agreements between non-EEA countries.
A set of approved rules on personal data protection used by a group of enterprises. Correct. BCR are a set of rules, approved by the competent supervisory authority, that a group of undertakings uses for transfers of personal data within the group. (Literature: A, Chapter 3; GDPR Article 47)
Question 79
We know that when a personal data breach occurs, the controller must notify the Supervisory Authority without undue delay and, where feasible, within 72 hours. However, what should the controller do if it is unable to notify within this time?
Send the notification with the date of the breach changed, so as to remain within 72 hours.
After 72 hours there is no longer any need to send the notification of the personal data breach.
Do not notify, and seek ways to hide the breach so that neither the Supervisory Authority nor the data subjects become aware of it.
Send the notification, even after 72 hours, accompanied by the reasons for the delay.
Explanation:
Article 33, "Notification of a personal data breach to the supervisory authority", states in paragraph 1:
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Note that the 72 hours run from the moment the controller becomes aware of the breach, not from the moment the breach occurred. Article 33(4) also allows the required information to be provided in phases without undue further delay where it cannot all be provided at the same time.
Question 80
Which of the options below is classified as a personal data breach under the GDPR?
Personal data processed without the consent of the controller.
A server is attacked and exploited by a hacker.
Data accessed by employees without permission.
Strategic company data is mistakenly shared.
Explanation:
One option says "Data accessed by employees without permission"; here the question does not specify whether the data is personal. It is very common for EXIN to ask such a question. Another option says "A server is attacked and exploited by a hacker", but it gives no information on whether that server held personal data. The remaining wrong option is "Strategic company data is mistakenly shared": strategic company data is not personal data. For these reasons, the correct option is "Personal data processed without the consent of the controller".
Note: even if a processor has a contract authorizing it to process personal data on behalf of the controller, it may not carry out any processing it was not instructed to perform, nor engage a sub-processor without the prior authorization of the controller (Article 28).
Question 81
What is the name of the adequacy decision that allows data transfer between the United States and the European Economic Area (EEA)?
Regulation for transfer of personal data between