Exin PDPF Privacy and Data Protection Foundation Exam Practice Test

Article 9 of the GDPR legislation on “Treatment of special categories of personal data”.

Also called sensitive data.

In its first paragraph it quotes:

“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”

With the death of the data subject, the controller can process the data in any way he wishes, since personal data of deceased persons is not within the scope of the GDPR.

Recital 27 says: This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.

Companies have tax obligations to be fulfilled, so financial data cannot be deleted.

The data subject has several rights under the GDPR, however there are limitations. These rights cannot run counter to other specific legislation. In this case, the holder can exercise the right of Opposition instead of Exclusion. In the Right of Opposition, he requests the Controller to cease the processing of his data for non- consented purposes. An example of Opposition: in Brazil there was the website naomeperturbe.com.br, where millions of Brazilians could oppose the inconvenient calls made by the telecommunication service providers.

The purpose of GDPR is to protect personal data. In the case of this issue there was no loss of personal data, so it is not a data breach.

Important

A data breach is whenever something happens that has not been planned with the personal data, be it improper processing, improper sharing, loss of data, deletion, etc. That is, personal data must be used for a specific purpose, respecting the life cycle (from collection to exclusion), any situation that escapes this cycle must be reported as a data breach.

It is up to a supervisory authority to inspect and take measures to compel companies to conform to the GDPR.

According to paragraph 1 of Article 51.

1. Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (‘supervisory authority’).

Chapter VI of the GDPR talks about laws on independent supervisory authorities.

The GDPR is functional law in all member states of the EEA. Some Articles allow for member states law to provide for more specific rules. Correct. The GDPR is European law but the Regulation does not exclude Member state law that sets out the circumstances for specific processing situations. (Literature: A, Chapter 1; GDPR Recital 10)

The GDPR is a recommendation of the European Commission that EEA countries’ law authorities improve their laws on the protection of personal data. Incorrect. An EU recommendation is not binding. The GDPR is a functional European law in all member states.

The GDPR sets out minimum conditions and requirements. Member states need to pass national laws to meet these minimum requirements. Incorrect. This is the description of an EU Directive.

Compulsory Corporate Rules are rules used internally by multinational companies to transfer personal data. Thus, it is possible to transfer data between them, even if the destination company is in a country that does not have an adequate level of data protection. These rules are like an internal corporate code of conduct and do not cover transfers of personal data outside the corporate group.

Do not confuse "Compulsory Corporate Rules" with "Standard Contractual Clauses". The last are clauses in contracts for international data transfer between companies (customer and supplier relationship) where the destination country does not have an adequate level of data protection, and depends on authorization from the Supervisory Authority.

Article 58 of GDPR

3. supervisory authority shall have all of the following authorisation and advisory powers:

a) to advise the controller in accordance with the prior consultation procedure referred to in Article 36.

Article 22 provides for this type of damage to the data subject and legislates on “Automated individual decisions, including profiling”:

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

A copy of personal data must be provided in the format requested by the data subject. Incorrect. It must be provided in a structured, commonly used and machine-readable format, but not necessarily in any format the data subject specifies.

Access to personal data must be provided free of charge for the data subject. Correct. Data subjects have a right to a copy of their data free of charge. However, only the first copy has to be free. (Literature: A, Chapter 4)

Personal data must always be changed at the request of the data subject. Incorrect. Only erroneous data has to be rectified.

Personal data must always be erased if the data subject requests this. Incorrect. The right to erasure has several exceptions to this, for instance if the data are needed for the establishment, exercise or defense of legal claims.

An approach that implements data protection from the start. Correct. This is a correct description. (Literature: A, Chapter 8; GDPR Article 25(1))

An indication of timeframes if processing relates to erasure. Incorrect. This is a description of a data protection impact assessment (DPIA).

Data may only be collected for explicit and legitimate purposes. Incorrect. This is a description of measures taken to comply with the principle of purpose limitation.

Not holding more data than is strictly required for processing. Incorrect. This is a description of procedures to comply with the principle of data minimization.

Article 20 Right to data portability:

1.The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

The front line with the data holder is the Controller, see image. So, it is he who has to show compliance, who must be concerned with the legality of processing, who must implement security measures.

The correct option is the responsibility of the Supervisory Authority, the others are the responsibility of the processor.

GDPR Article 3 decrees:

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

a)the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or;

b)the monitoring of their behaviour as far as their behaviour takes place within the Union.

To ensure that the user’s personal data are stored securely on the server. Incorrect. Cookies are not used to store data on the server.

To personalize the user’s experience of the website during the next visit. Correct. This is the main purpose of a persistent cookie. (Literature: A, Chapter 8)

To record every keystroke made by a computer user to find out passwords. Incorrect. Cookies are not malicious by nature, but the mechanism can be exploited maliciously.

To save the pages a user has bookmarked in the user’s browser history. Incorrect. The bookmarks and browser history are saved, but not in a cookie.

When there is a processor and an operator in EEA countries, the competent authority will be the location of the Controller, however the Supervisory authority of the Controller is considered to be a concerned Supervisory Authority (who has interests).

Therefore, the Processor Supervisory Authority evaluates and approves the rules of the contract, in accordance with Article 57 of the GDPR, and must notify the Controller Supervisory Authority.

In its Article 57, the GDPR legislates on the Responsibilities of the Supervisory Authority. In its first paragraph, items “r” and “s”:

r)Authorise contractual clauses and provisions referred to in Article 46(3);

s)Approve binding corporate rules pursuant to Article 47.