Privacy and Data Protection Foundation Exam PDPF Dumps Questions

The PDPF Privacy and Data Protection Foundation Exam is designed for all staff who need an understanding of data protection and the European legal requirements as defined in the GDPR. Still searching for PDPF study materials? We have valid PDPF dumps questions to help data protection officers, privacy officers, legal/compliance officers, security officers or business continuity managers pass the EXIN Privacy and Data Protection Foundation certification exam on the first try.

Read PDPF Free Dumps Online, Find Good Materials

1. What is the essence of the principle ‘Full Lifecycle Protection’?

2. A processor is instructed to report on customers who bought a product both last month and at least once in the three months before that. Unfortunately, the processor makes a mistake and uses personal data collected by another controller for a different purpose. The mistake is found before the report is created, and nobody has access to personal data he or she should not have had access to.

How should the processor act in this situation and what should the controller do, if anything?

3. The Supervisory Authority is notified whenever an organization intends to process personal data, except for some specific situations. The Supervisory Authority keeps a publicly accessible register of these data processing operations.

What else is a legal obligation of the Supervisory Authority in reaction to such a notification?

4. In what way are online activities of people most effectively used by modern marketers?

5. A German company wants to enter into a binding contract with a processor in the Netherlands for the processing of sensitive personal data of German data subjects. The Dutch Supervisory Authority is informed of the type of data and the aims of the processing, including the contract describing what data will be processed and what data protection procedures and practices will be in place.

According to the GDPR, what should the Dutch Supervisory Authority do in this scenario?

6. A person finds that a private videotape showing her in a very intimate situation has been published on a website. She never consented to publication and demands that the video be removed without undue delay.

According to the GDPR, what should be done next?

7. For processing of personal data to be legal, a number of requirements must be fulfilled.

What is a requirement for lawful personal data processing?

8. Under what EU legislation is data transfer between the EEA and the U.S.A. allowed?

9. According to the GDPR, for which situations should a Data Protection Impact Assessment (DPIA) be conducted?

10. While paying with a credit card, the card is skimmed (i.e. the data on the magnetic strip is stolen). The magnetic strip contains the account number, expiration date, cardholder’s name and address, PIN number and more.

What kind of a data breach is this?

11. Someone regularly receives offers from a store where he purchased something five years ago. He wants the company to stop sending offers and to wipe his personal data.

Which aspect of the rights of a data subject in the General Data Protection Regulation (GDPR) requires the company to comply?

12. Important technical requirements set out in the General Data Protection Regulation (GDPR) are about data quality. One is the obligation to ensure appropriate security, including protection against unauthorized or unlawful processing.

What is another important technical requirement?

13. According to the GDPR, what is a mandatory topic in a DPIA report?

14. What is the role of the one assigned the responsibility to govern the purposes and means of processing personal data within an organization, according to the GDPR?

15. The GDPR states that records of processing activities must be kept by the controller. To whom must the controller make these records available, if requested?

16. Which situation is considered a data breach according to the GDPR?

17. A controller discovers that a data subject, who had given consent for the processing of his data, has passed away.

What does this imply for data processing according to the General Data Protection Regulation (GDPR)?

18. According to the GDPR, what is the main reason to consider data protection in the initial design phase?

19. When does the GDPR require data subjects' consent to a cookie?

20. A personal data breach has occurred, and the controller is writing a draft notification for the supervisory authority.

The following information is already in the notification:

- The nature of the personal data breach and its possible consequences.

- Information regarding the parties that can provide additional information about the data breach.

What other information must the controller provide?

21. The General Data Protection Regulation (GDPR) formalizes the data subject’s right to data portability.

What is the objective of data portability?

22. Personal data as defined in the GDPR can be divided into several types. One of these types is described: Data that directly or indirectly reveal someone’s racial or ethnic background, political, philosophical, religious views, union affiliation and data related to health or sex life and sexual orientation.

What type of personal data is this?

23. The General Data Protection Regulation (GDPR) is based on the principles of proportionality and subsidiarity.

What is the meaning of “proportionality” in this context?

24. What is a responsibility of Supervisory Authorities in EEA countries?

25. A controller can contract out the processing of personal data to another company, provided a written contract between these partners is in place.

Which clause in this contract is a responsibility of the controller?

26. What is the purpose of Data Life Cycle Management (DLM)?

27. An architect, leaving a building site, puts his laptop for a moment beside his car on the road, while answering his phone. When driving away he sees in the mirror his laptop being crushed by an enormous lorry driving over it. All his files on the design of the building and the calculations he worked on are lost. His only consolation is that those were the only files on the device.

In terms of the GDPR, what happened?

28. What is considered personal data processing under the General Data Protection Regulation (GDPR)?

29. Which cause is a data breach according to the GDPR?

30. “The controller shall implement appropriate technical and organizational measures for ensuring that (…) only personal data which are necessary for each specific purpose of the processing are processed.”

Which term in the GDPR is defined here?

31. What does the principle of ‘data minimization’ mean?

32. According to Article 33 of the GDPR, the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.

What is the maximum penalty for non-compliance with this notification obligation?

33. How are the terms privacy and data protection related?

34. What is the definition of privacy related to the General Data Protection Regulation (GDPR)?

35. What is the most important difference between the 95/46/EC and the GDPR?

36. What should be done by the EU member states and is not a responsibility of the supervisory authorities?

37. Personal data can be transferred outside of the EEA. According to the GDPR, which transfers outside the EEA are always lawful?

38. The General Data Protection Regulation (GDPR) allows processing of personal data only for purposes explicitly permitted by law. A tax advisor wants to file income tax returns for a neighbor.

Which of the legitimate grounds in the GDPR applies?

39. What does the GDPR concept of ‘binding corporate rules’ (BCR) imply?

40. A written contract between a controller and a processor is called a data processing agreement.

According to the GDPR, what does not have to be covered in the written contract?

41. The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. What is the legal status of this regulation?

42. GDPR quotes in one of its principles that personal data should be adequate, relevant and limited to what is necessary in relation to its purpose.

What principle is this?

43. A company is planning to process personal data. The recently appointed data protection officer (DPO) executes a data protection impact assessment (DPIA). The DPO finds that all computers have a setting causing monitors to show a screen saver after five seconds of inaction.

However, the computers are not locked automatically. When employees leave their desk, they usually do not lock their computers either.

What is this an example of?

44. Which organizations need to comply with the General Data Protection Regulation (GDPR)?

45. In the contract between the controller and processor for the processing of personal data, which of the options below represents the sole responsibility of the Controller?

46. Which of the parts below can implement data protection by design (from conception)?

47. After appearing in a photo posted by a friend on a social network, a person felt embarrassed and decided that he wants the photo to be deleted.

According to the General Data Protection Regulation (GDPR), does that person have the right to delete this photo?

48. What is the main objective of the “Lifecycle Protection” principle?

49. Which of the following options describes the concept of data minimization?

50. Which of the following types of transfers of personal data outside the European Economic Area (EEA) is allowed?


 
