Exin PDPF Dumps

The organization minimizes the risk of costly adjustments in processes or the redesign of systems in a later stage. Incorrect. This aspect may strengthen the confidence of management, but not of customers or citizens.

The organization prevents non-compliance with the GDPR and minimizes the risk of fines. Incorrect. Preventing fines may strengthen the confidence of management, but not of customers or citizens.

The organization proves that it takes privacy seriously and aims for compliance with the GDPR. Correct. Doing a DPIA shows customers or citizens that the company is serious about data protection. (Literature: A, Chapter 8)

By applying the concept of least privilege to the personal data collected, stored or otherwise

processed. Incorrect. Data minimization does not address least privilege.

By limiting access rights to staff who need the personal data for the intended processing operations. Incorrect. This describes the concept of limiting authorization for instance to comply with the principle of integrity and confidentiality.

By limiting file sizes, through saving all personal data that is processed in the smallest possible format. Incorrect. Data minimization according to the GDPR is not about storage size, but about minimalizing the use of personal data.

By limiting the personal data to what is adequate, relevant and necessary for the processing purposes.

Correct. This is the essence of the description in the GDPR. (Literature: A, Chapter 2; GDPR Article 5(1)(c))

The numerous powers of the Supervisory Authority are divided into:

-Investigative powers;

-Correcting powers;

-Advisory and authorization powers.

The investigative powers provided for in Article 58, Paragraph 1 are:

a) To order the controller and the processor, and, where applicable, the controller’s or the processor’s representative to provide any information it requires for the performance of its tasks;

b)To carry out investigations in the form of data protection audits;

c)To carry out a review on certifications issued pursuant to Article 42(7);

d)To notify the controller or the processor of an alleged infringement of this Regulation;

e)To obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;

f)To obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.

Confidentiality violation. Incorrect. GDPR uses the term personal data breach. Not every data breach is a confidentiality violation.

Personal data breach. Correct. This is the definition of a personal data breach. (Literature: A, Chapter 5; GDPR Article 4(12))

Security breach. Incorrect. GDPR uses the term personal data breach. Not every security breach is a data breach. Not every data breach is a personal data breach.

Security incident. Incorrect. GDPR uses the term personal data breach. Not every security incident is a data breach.

This is an issue that addresses two very important points – sensitive data and data from minors.

As these are, it is necessary to inform the Supervisory Authority and those responsible for the data subjects. Article 34 mentions:

1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

Recital 38 says:

Children merit specific protection regarding their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.

Another option says: “A server is attacked and exploited by a hacker”, however, here it does not provide information if that server contained personal data.

The other wrong option is: "Strategic company data is mistakenly shared". Strategic data is not personal data.

For these reasons, the correct option is “Personal data processed without the consent of the controller”. Note: even if the processor has a contract that authorizes the processing of personal data on behalf of the controller, it cannot perform any treatment to which it was not previously authorized, nor can it sub-process without the knowledge and consent of the controller.

The GDPR is functional law in all member states of the EEA. Some Articles allow for member states law to provide for more specific rules. Correct. The GDPR is European law but the Regulation does not exclude Member state law that sets out the circumstances for specific processing situations. (Literature: A, Chapter 1; GDPR Recital 10)

The GDPR is a recommendation of the European Commission that EEA countries’ law authorities improve their laws on the protection of personal data. Incorrect. An EU recommendation is not binding. The GDPR is a functional European law in all member states.

The GDPR sets out minimum conditions and requirements. Member states need to pass national laws to meet these minimum requirements. Incorrect. This is the description of an EU Directive.

Companies have tax obligations to be fulfilled, so financial data cannot be deleted.

The data subject has several rights under the GDPR, however there are limitations. These rights cannot run counter to other specific legislation. In this case, the holder can exercise the right of Opposition instead of Exclusion. In the Right of Opposition, he requests the Controller to cease the processing of his data for non- consented purposes. An example of Opposition: in Brazil there was the website naomeperturbe.com.br, where millions of Brazilians could oppose the inconvenient calls made by the telecommunication service providers.

When there is a processor and an operator in EEA countries, the competent authority will be the location of the Controller, however the Supervisory authority of the Controller is considered to be a concerned Supervisory Authority (who has interests).

Therefore, the Processor Supervisory Authority evaluates and approves the rules of the contract, in accordance with Article 57 of the GDPR, and must notify the Controller Supervisory Authority.

In its Article 57, the GDPR legislates on the Responsibilities of the Supervisory Authority. In its first paragraph, items “r” and “s”:

r)Authorise contractual clauses and provisions referred to in Article 46(3);

s)Approve binding corporate rules pursuant to Article 47.

In its Article 5, which deals with the Principles relating to the processing of personal data, paragraph 1, the GDPR describes:

1. Personal data shall be:

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

(«data minimisation»);

Article 5 mentions all GDPR principles for processing personal data.

The data minimization principle refers to the purpose of the law that only the data that is required for processing should be collected.

This is also favorable to businesses. The less data is collected, the less likely violations are to occur and consequently the impacts also decrease.

The GDPR has 173 recitals. The Recitals introduce a better understanding of the law and its articles. The Articles, which are 99 in total, contain the mandatory requirements of the law.

As stated in the statement, Article 9 concerns the treatment of special categories of personal data, also called sensitive data.

This is a type of question that is often asked by EXIN. Important to remember which types of data are categorized as sensitive.

Article 9: Processing of special categories of personal data

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

Examples of sensitive data: Race, skin color, family tree, political party, political party affiliation, religious beliefs, illness, test results, digital, facial recognition and sexual preference. These are just a few examples.

Verify that the processor has sufficient security guarantees that are essential for the Controller to remain in

compliance with the GDPR. Remember that the responsibility is always of the controller who must take care of the data of the data subjects that have been entrusted to him.

Recital 81 mentions the following:

(81) To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organizational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.

Anonymized data is not under the scope of the GDPR, nor are data from deceased persons. Organizations that handle only this type of data do not need to conform to the GDPR.

Anonymized data reads data that is not possible to reverse in order to identify the data subject. There is also pseudonymized data, in which case it is possible to perform the reversal and identify the data holder.

Personal data are collected for specified, explicit and legitimate purposes and not further processed. Incorrect. The local government is entitled to collect data on the number of cars present.

Personal data are kept in a form permitting identification of data subjects for no longer than is necessary. Correct. In the given scenario, there is no need to retain the data of a specific car identifying the owner once it has left the area (Literature: A, Chapter 2; GDPR Article 5)

Personal data are processed in a manner that ensures appropriate security of the personal data. Incorrect. The scenario does not suggest inappropriate security.

Personal data are processed in a transparent manner in relation to the data subject. Incorrect. The processing is taking place transparently, since it is communicated properly to the data subjects.

Article 57 legislates on the Responsibilities of the Supervisory Authority. In paragraph 1, item “a” says: “monitor and enforce the application of this Regulation”.