Privacy & Data Protection Essentials Courseware - English. Ruben Zeegers

stakeholders.

      B) Incorrect.

      C) Incorrect.

      9 / 20 'Informed consent' is a lawful basis to process personal data under the GDPR. The purpose of the processing for which consent is given should be documented.

      At what time in the process should the data subject's consent be obtained?

      A) After the purpose specification is presented and before personal data is collected.

      B) Before the purpose specification is conceived and presented.

      C) Before the personal data is processed.

      D) Before the personal data is published or disseminated.

      A) Correct. Consent can only be informed after the purpose specification is presented to the data subject. Source: GDPR recitals (32), (42).

      B) Incorrect. Consent can only be informed after the purpose specification is presented to the data subject.

      C) Incorrect. Collection of personal data is 'processing' and as such needs informed consent of the data subject.

      D) Incorrect. Publishing and dissemination of personal data are 'processing' and as such need informed consent of the data subject.

      10 / 20 The processing of personal data has to meet certain quality requirements.

      What is one of these quality requirements defined by the GDPR?

      A) The data processed must be archived.

      B) The data processed must be encrypted.

      C) The data processed must be indexed.

      D) The data processed must be relevant.

      A) Incorrect. No such requirement is defined by the GDPR.

      B) Incorrect. No such requirement is defined by the GDPR.

      C) Incorrect. No such requirement is defined by the GDPR.

      D) Correct. This requirement is defined by the GDPR. Source: White Paper – Privacy, Personal Data and the GDPR - § 3.1.2 Proportionality and subsidiarity

      11 / 20 "The controller shall implement appropriate technical and organizational measures for ensuring that (...) only personal data which are necessary for each specific purpose of the processing are processed."

      Which term in the GDPR is defined?

      A) Compliance

      B) Data protection by default

      C) Privacy by design

      D) Embedded protection

      A) Incorrect. Compliance is the state or fact of according with, or meeting, rules or standards.

      B) Correct. By default, the minimum of personal data is to be processed for the shortest possible period, using the best possible security measures to prevent unauthorized access. Source: EU GDPR, A pocket guide - Chapter 3 The Regulation – Data protection by design and by default & GDPR art. 20 (2).

      C) Incorrect. Data protection by design refers to a design that includes appropriate measures to implement data protection principles.

      D) Incorrect. Embedded data protection is the result of data protection by design.

      12 / 20 What is the term used in the GDPR for unauthorized disclosure of, or access to, personal data?

      A) Confidentiality violation

      B) Data breach

      C) Incident

      D) Security incident

      A) Incorrect. GDPR uses the term data breach. Not every data breach is a confidentiality violation.

      B) Correct. Source: EU GDPR, A pocket guide - Chapter 3 The Regulation – Data breaches & GDPR article 4 (12)

      C) Incorrect. GDPR uses the term data breach. Not every incident is a data breach.

      D) Incorrect. GDPR uses the term data breach. Not every security incident is a data breach.

      13 / 20 A social services organization plans to design a new database to administrate its clients and the care they need.

      In order to request permission with the supervisory authority, what is one of the first important steps to be taken?

      A) Collect data about the clients and the amount and kind of care needed and provided.

      B) Conduct a data protection impact assessment (DPIA) to assess the risks of the intended processing.

      C) Obtain consent of the clients for the intended processing of their personal data.

      A) Incorrect. Collecting medical personal data is by definition 'processing sensitive data'. Permission of the DPA and the data subject is needed beforehand.

      B) Correct. When asking consent to process data, the data subject 'should be made aware of risks, rules, safeguards and rights ...' Source: EU GDPR, A pocket guide - Chapter 3 The Regulation – Consent & GDPR recital (39).

      C) Incorrect. When asking consent to process data, the data subject 'should be made aware of risks, rules, safeguards and rights ...' A PIA is needed first to assess those risks and safeguards.

      14 / 20 A Dutch controller has contracted the processing of sensitive personal data out to a processor in a North African country, without consulting the supervisory authority. It was discovered and the controller was penalized by the supervisory authority. Six months later the authority finds out that the controller is guilty of the same transgression again for another processing operation.

      What is the maximum penalty the supervisory authority can impose in this case?

      A) € 750,000

      B) €1,230,000

      C) € 10,000,000 or 2% of the company's worldwide turnover, whichever is higher

      D) € 20,000,000 or 4% of the company's worldwide turnover with a minimum of € 20,000,000, whichever is higher

      A) Incorrect. According to GDPR art. 83.3 the maximum fine is 4% of the company's worldwide turnover with a minimum of € 20.000.000.

      B) Incorrect. According to GDPR art. 83.3 the maximum fine is 4% of the company's worldwide turnover with a minimum of € 20.000.000.

      C) Incorrect. According to GDPR art. 83.3 the maximum fine is 4% of the company's worldwide turnover with a minimum of € 20.000.000.

      D) Correct. This is the maximum for a violation. Source: White Paper – Privacy, Personal Data and the GDPR - §7.3.3 General conditions for imposing administrative fines.

      15 / 20 Supervisory Authorities are assigned a number of responsibilities aimed at making sure data protection regulations are complied with.

