PDPF Exam Dumps - Exin Privacy & Data Protection Questions and Answers

The lost reports did not contain personal data, in this case GDPR is not applicable and is a security incident.

Important

A data breach is whenever something that has not been planned with personal data happens, be it improper processing, improper sharing, loss of data, deletion, etc. In other words, personal data must be used for a specific purpose, respecting the life cycle of the same (from collection to exclusion), any situation that escapes this cycle must be reported as a data breach.

The GDPR has 173 recitals. The Recitals introduce a better understanding of the law and its articles. The Articles, which are 99 in total, contain the mandatory requirements of the law.

There are some types of cookies, each with its own purpose.

Cookies are considered personal data, as they can identify a person.

In the case of the issue we are talking about the Tracking Cookies. These monitor our browsing activities and bombard us with advertisements and advertisements.

You may have already encountered the situation of searching for a particular product on the internet and then seeing ads for that product or similar on various websites.

The deadline for companies to adapt and comply with GDPR was May 25, 2018. This is an important date and should be memorized. It is common to have this question in this exam.

Article 99 of GDPR

1.This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

2.It shall apply from 25 May 2018.

Besides to what many persons think, the GDPR does not apply only to the EU, but to all member countries of the European Economic Area (EEA) that includes, in addition to the EU member countries, Iceland, Liechtenstein and Norway.

Compulsory Corporate Rules are rules used internally by multinational companies to transfer personal data. Thus, it is possible to transfer data between them, even if the destination company is in a country that does not have an adequate level of data protection. These rules are like an internal corporate code of conduct and do not cover transfers of personal data outside the corporate group.

Do not confuse "Compulsory Corporate Rules" with "Standard Contractual Clauses". The last are clauses in contracts for international data transfer between companies (customer and supplier relationship) where the destination country does not have an adequate level of data protection, and depends on authorization from the Supervisory Authority.

Article 58 of GDPR

3. supervisory authority shall have all of the following authorisation and advisory powers:

a) to advise the controller in accordance with the prior consultation procedure referred to in Article 36.

Yes, because the shopkeeper cannot identify the owner of the telephone. Incorrect. The issue is not whether the shopkeeper can identify the visitor, but that it is technically possible to do so.

Yes, because the visitor has automatically consented by connecting to the Wi-Fi. Incorrect. Consent must be an active, informed and free act of agreement to the processing. To see a MAC-address, the visitor does not need to be logged onto the Wi-Fi.

No, because the telephones MAC-address must be regarded as personal data. Correct. The phone’s signal is a unique code that can be linked to the owner of the phone. The data must be regarded as personal data, because it is technically possible to identify the visitor. (Literature: A, Chapter 3; GDPR Article 26 and 30)

No, because the telephone providers are the owners of the MAC-addresses. Incorrect. The shopkeeper is not allowed to keep the data or process it because it must be regarded as personal data. The telephone provider is not the owner of the MAC-address, nor is the telephone provider protected by the GDPR.

Article 28 of the GDPR in its paragraph 3 mentions:

This contract or other normative act stipulates, inter alia, that the subcontractor:

a)processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

b)ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

c)takes all measures required pursuant to Article 32;

d)respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;

e)taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;

f)assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;

g)at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;

h)makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

Article 22 provides for this type of damage to the data subject and legislates on “Automated individual decisions, including profiling”:

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.