PDPF Online Practice Questions and Answers

Correct Answer: B

Here is a catch between the options "Loss of personal data" and "Transfer of personal data outside the EU".

A data breach is whenever something happens that has not been planned with the personal data, be it improper processing, improper sharing, loss of data, deletion, etc. That is, personal data must be used for a specific purpose, respecting the life cycle (from collection to exclusion), any situation that escapes this cycle must be reported as a data breach.

The transfer of personal data outside the EU can also be considered a violation if there is no authorization from the data subject and if the destination country does not offer legislation like the GDPR. Although there is no specific legislation, the Supervisory Authority can authorize the transfer of data provided that the company in the destination country accepts standard contractual clauses for the processing of this data.

Article 46 of GDPR

1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

Article 58 of GDPR

3. Each supervisory authority shall have all of the following authorisation and advisory powers: to authorise contractual clauses referred to in point (a) of Article 46(3).

Correct Answer: A

Recital 10 of GDPR states:

"Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation."

It also says: "This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (`sensitive data').

However, this does not mean that Member States can approve a rule that goes against a GDPR guideline. Note that these national provisions are measures to increase the effectiveness of the law. Here is an example the case of Ireland where it was established that the DPO is responsible for data breaches, something that is not provided for in the GDPR.

Correct Answer: B

It aims to manage the flow of data throughout the life cycle, from collection, processing, sharing, storage and deletion.

Having the knowledge where the data travels, who is responsible, who has access, helps and a lot to implement security measures.

Correct Answer: D

When personal data is processed at a facility of the processor that is not located within the borders of the EEA. Incorrect. The location where the data is processed is of no significance to the obligation to notify data subjects of personal data breaches.

When personal data is processed by a party that agreed to the draft processing contract but has not yet sign it. Incorrect. Personal data processed by another party than the controller without a valid written contract is considered a personal data breach. In the given situation however, negative consequences for the data subjects are unlikely. Notifying the data subject is not obligatory in that case.

When the system on which the personal data is processed is attacked causing damage to its storage devices. Incorrect. Damage to storage devices will make access to the data difficult or even impossible but does not imply illegal processing.

When there is a significant probability that the breach will lead to a high risk for the privacy of the data subjects. Correct. If there is a significant probability of negative impact on the data subjects, the controller is obliged to notify them of the breach. (Literature: A, Chapter 5)

Correct Answer: B

The controller must ask the supervisory authority for permission to outsource the processing of the data. Incorrect. The controller does not have to ask the supervisory authority for permission for each instance of outsourcing.

The controller must ask the supervisory authority if the agreed written contract is compliant with the regulations. Incorrect. The supervisory authority is not a legal counsel and will not check contracts for compliance.

The controller and processor must draft and sign a written contract guaranteeing the confidentiality of the data. Correct. There must be a written contract guaranteeing the confidentiality of the data, listing the purposes and means of processing as defined by the controller and specifying that processor will only process on instruction of the controller. Both parties must sign this contract. (Literature: A, Chapter 8; GDPR Article 28(3))

The processor must show the controller that all demands agreed in the service level agreement (SLA) are met. Incorrect. An SLA is not enough as it will focus on operations, not necessarily on purposes.

Correct Answer: A

To advise the controller on the mitigation of privacy risks to protect the controller from liability claims for non-compliance. Incorrect. The supervisory authority has the task to monitor compliance and to advise on enhancements, but its purpose is not to protect the controller.

To fulfill the obligation in the GDPR to implement appropriate technical and organizational measures for data protection. Incorrect. The audit is not the implementation of the measures, but an assessment of the effectiveness of them.

To monitor and enforce the application of the GDPR by assessing that processing is performed in compliance with the GDPR. Correct. According to the GDPR this is an important task of a supervisory authority. (Literature: A, Chapter 7; GDPR Article 57 (1)(a))

Correct Answer: B

When a project includes technologies or processes that use personal data. Incorrect. Only for technologies

and processes that are likely to result in a high risk to the rights of data subjects is the DPIA mandatory.

When processing is likely to result in a high risk to the rights of data subjects. Correct. For processing

operations which are likely to result in a high risk, a DPIA is obligatory to assess those risks and to design

mitigation measures.

(Literature: A, Chapter 6; GDPR Article 35)

When similar processing operations with comparable risks are repeated. Incorrect. This is a case in which

a DPIA does not need to be repeated.

Correct Answer: B

Data protection and privacy are synonyms and have the same meaning. Incorrect. Data protection helps to protect a person's privacy, but the terms are not synonyms.

Data protection is the part of privacy that protects a person's physical integrity. Incorrect. Data protection is not related to physical integrity or physical privacy.

Data protection refers to the measures needed to protect a person's privacy. Correct. Data protection are some of the measures needed to protect a person's privacy. (Literature: A, Chapter 1)