New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

Exin PDPF Privacy and Data Protection Foundation Exam Practice Test

Demo: 22 questions
Total 149 questions

Privacy and Data Protection Foundation Questions and Answers

Question 1

An architect, leaving a building site, puts his laptop for a moment beside his car on the road, while answering his phone. When driving away he sees in the mirror his laptop being crushed by an enormous lorry driving over it. All his files on the design of the building and the calculations he worked on are lost. His only consolation is that those were the only files on the device.

In terms of the GDPR, what happened?

Options:

A.

a data breach

B.

a security incident

C.

a security issue

D.

a vulnerability

Question 2

In what way are online activities of people most effectively used by modern marketers?

Options:

A.

By analyzing the logs of the web server it can be seen which products are top sellers, allowing them to optimize their marketing campaigns for those products.

B.

By tagging users of social media, profiles of their online behavior can be created. These profiles are used to ask them to promote a product.

C.

By tagging visitors of web pages, profiles of their online behavior can be created. These profiles are sold and used in targeted advertisement campaigns.

Question 3

Which organizations need to comply with the General Data Protection Regulation (GDPR)?

Options:

A.

Only organizations that have employees in the European Union (EU).

B.

Only organizations that have their headquarters in the European Union (EU).

C.

All organizations anywhere in the world.

D.

All organizations located in the European Union and also organizations outside the European Union that offer goods or services to data subjects in the EU.

Question 4

What is the main purpose of the General Data Protection Regulation (GDPR)?

Options:

A.

Protecting the data of everyone in Europe.

B.

Protect the data of everyone in the world.

C.

Protect data of data subjects located in the European Economic Area (EEA), regardless of the country of processing.

D.

Protect confidential business data.

Question 5

A controller can contract out the processing of personal data to another company, provided a written contract between these partners is in place.

Which clause in this contract is a responsibility of the controller?

Options:

A.

To ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

B.

To make available all information necessary to demonstrate compliance with the obligations laid down in the GDPR and allow for and contribute to audits, including inspections.

C.

To process the personal data only on documented instructions, including with regard to transfers of personal data to a third country or an international organization.

D.

To provide sufficient guarantees for appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR.

Question 6

The General Data Protection Regulation (GDPR) in its Article 30 legislates on the Records of treatment activities.

If requested, the controller must provide these records:

Options:

A.

To the data processor

B.

To the Data Protection Officer (DPO)

C.

The supervisory authority

D.

To the European Commission

Question 7

A breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. What is the exact term that is associated with this definition in the GDPR?

Options:

A.

Security breach

B.

Personal data breach

C.

Confidentiality violation

D.

Security incident

Question 8

Subcontracting treatment is regulated by contract or other regulatory act under Union or Member State law, which links the processor to the controller.

What this contract or other regulatory act stipulates?

Options:

A.

A process for testing, assessing and regularly evaluating the effectiveness of technical and organizational measures to ensure safe treatment.

B.

The processor assists the driver through technical and organizational measures to enable it to fulfill its obligation to respond to requests from data subjects.

C.

The description of categories of data subjects and categories of personal data

D.

The purpose of data processing

Question 9

Which of the following types of transfers of personal data outside the European Economic Area (EEA) is allowed?

Options:

A.

Transfer between country governments.

B.

Transfers subject to the law of the countries involved.

C.

Transfers conducted through Standard Contractual Clauses.

D.

Transfers conducted under Compulsory Corporate Rules.

Question 10

Which of the following conflicts with the principle of limiting the purposes?

Options:

A.

The data is sold to another company without the consent of the data subject.

B.

Adapt the data to the purpose of the treatment.

C.

Store the data in a way that allows the identification of the data subjects.

D.

Data is used in an obscure manner to the data subject.

Question 11

A secretary at a pediatric cardiology clinic instead of sending the doctor the list of patients scheduled for the day, sends it to all those responsible registered for the children with scheduled appointments.

According to the GDPR, does the Supervisory Authority need to be notified? And those responsible for the data holders?

Options:

A.

The Supervisory Authority must be notified, but there is no need to notify those responsible for the data subjects, as whoever had access to the data is also someone in the same situation.

B.

The Supervisory Authority must be notified and also those responsible for the holders who had their data exposed.

C.

There is no need to notify the Supervisory Authority, however those responsible for the holders who had

their data exposed must be notified.

D.

There is no need to notify the Supervisory Authority or those responsible for the data subjects, as whoever had access to the data is also someone in the same situation.

Question 12

A good practice is to lock the computer automatically or manually when you are away from the workstation.

The company’s DPO realizes that this procedure is not being followed by employees. This occurrence should be classified in which category?

Options:

A.

Classified as a security vulnerability

B.

Classified as a security incident

C.

There is no specific category.

D.

Classified as a data breach

Question 13

How does GDPR regulate this specific case?

A woman uses the services of a gym in the city where she lives. Yet she will move to another town. So, she requests the current gym to transfer all her data, exercises, eating plans, physical evaluations, etc. to another gym in the new town.

Options:

A.

The current gym is not obliged to answer the holder request, because this could jeopardize the secret of its business.

B.

The current gym should send all her data directly to the new gym.

C.

The gym of the new town should get in contact with the gym and request the data.

D.

The current gym should provide the data to her.

Question 14

The General Data Protection Regulation (GDPR) came into effect on May 25, 2018, what is the legal status of this regulation?

Options:

A.

The GDPR is a functional law in all EU member states and Member States cannot rectify it.

B.

The GDPR is only a recommendation. Member States should create laws to suit

C.

Some articles in the GDPR provide guidance and allow Member States to draft more specific laws to suit.

Question 15

When a data breach occurs in a company that has branches in several countries of the European Union, which supervisory authority is competent to take the appropriate measures?

Options:

A.

The Supervisory Authority of the country where the company’s main establishment is located.

B.

The Supervisory Authority of the country where the subsidiary with the largest number of affected holders

is located.

C.

The Supervisory Authority of the country that had the most affected holders.

D.

The Supervisory Authority of the country where the company’s largest subsidiary is located.

Question 16

A person finds that a private videotape showing her in a very intimate situation has been published on a website. She never consented to publication and demands that the video is being removed without undue delay.

According to the GDPR, what should be done next?

Options:

A.

Nothing. The video may be regarded as ‘news’ and, therefore, the website is only exercising its right to freedom of expression and information.

B.

The controller erases the video from the website and, when possible, informs any controller who might

process the same video, that it must be erased.

C.

The controller erases the video from the website. There is no obligation however, to inform others who might have copied it, that it should be erased.

D.

The controller directs the person to seek a lawyer and informs that he cannot exclude before a juridical authorization.

Question 17

What is the purpose of a data protection audit by the supervisory authority?

Options:

A.

To monitor and enforce the application of the GDPR by assessing that processing is performed in compliance with the GDPR.

B.

To fulfill the obligation in the GDPR to implement appropriate technical and organizational measures for data protection.

C.

To advise the controller on the mitigation of privacy risks to protect the controller from liability claims for

non-compliance.

Question 18

We know that when browsing the internet there is a lot of personal data that is collected. One mechanism for collecting this data is cookies.

How do marketers use this collected personal data?

Options:

A.

Collecting logs from web servers and running campaigns promoting products on social media.

B.

Collecting the logs from the web servers, they analyze which products are most visited and sold, promoting marketing campaigns for these products.

C.

They create behavioral profiles, applying tags to web page visitors. These profiles can be marketed and used in targeted marketing campaigns.

Question 19

According to the GDPR, when is a data protection impact assessment (DPIA) obligatory?

Options:

A.

When a project includes technologies or processes that use personal data

B.

When processing is likely to result in a high risk to the rights of data subjects

C.

When similar processing operations with comparable risks are repeated

Question 20

A shopkeeper wants to register how many visitors enter his shop every day. A system detects the MAC- address of each visitor’s smartphone. It is impossible for the shopkeeper to identify the owner of the phone from this signal, but telephone providers can link the MAC-address to the owner of the phone. According to the GDPR, is the shopkeeper allowed to use this method?

Options:

A.

Yes, because the shopkeeper cannot identify the owner of the telephone

B.

No, because the telephone providers are the owners of the MAC-addresses.

C.

No, because the telephone’s MAC-address must be regarded as personal data.

D.

Yes, because the visitor has automatically consented by connecting to the Wi-Fi

Question 21

One of the basic principles of the General Data Protection Regulation (GDPR) is subsidiarity.

What is subsidiarity to GDPR?

Options:

A.

Personal data can only be collected for explicit, legitimate and specific purposes and cannot be processed for any other purpose.

B.

Only the personal data needed to achieve a specific purpose should be collected.

C.

The least privacy-violating means should be used when processing personal data.

D.

Personal data must be kept for a period not longer than necessary.

Question 22

What is the main reason for performing data protection by design (from conception)?

Options:

A.

Develop technical measures for the protection of personal data.

B.

Enable better marketing campaigns targeted at customers.

C.

Collect as much data as possible for data processing.

D.

Reduce the risk of not meeting legal obligations.

Demo: 22 questions
Total 149 questions