Special Summer Sale Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

PECB GDPR PECB Certified Data Protection Officer Exam Practice Test

Page: 1 / 8
Total 80 questions

PECB Certified Data Protection Officer Questions and Answers

Question 1

Question:

All the statements below regarding thelawfulness of processingare correct,except:

Options:

A.

Processing is necessary for theperformance of a contractto which the data subject is a party.

B.

Processing is necessary toobtain consentfrom the data subject.

C.

Processing is necessary toprotect the vital interestsof the data subject or another natural person.

D.

Processing is necessary for thelegitimate interestspursued by the controller, except where overridden by the interests or fundamental rights of the data subject.

Question 2

Scenario 7: EduCCS is an online education platform based in Netherlands. EduCCS helps organizations find, manage, and deliver their corporate training. Most of EduCCS's clients are EU residents. EduCCS is one of the few education organizations that have achieved GDPR compliance since 2019. Their DPO is a full-time employee who has been engaged in most data protection processes within the organization. In addition to facilitating GDPR compliance, the DPO acts as an intermediary point between EduCCS and other relevant interested parties. EduCCS's users canbenefit from the variety of up-to-date training library and the possibility of accessing it through their phones, tablets, or computers. EduCCS's services are offered through two main platforms: online learning and digital training. To use one of these platforms, users should sign on EduCCS's website by providing their personal information. Online learning is a platform in which employees of other organizations can search for and request the training they need. Through its digital training platform, on the other hand, EduCCS manages the entire training and education program for other organizations. Organizations that need this type of service need to provide information about their core activities and areas where training sessions are needed. This information is then analyzed by EduCCS and a customized training program is provided. In the beginning, all IT-related services were managed by two employees of EduCCS. However, after acquiring a large number of clients, managing these services became challenging That is why EduCCS decided to outsource the IT service function to X-Tech. X-Tech provides IT support and is responsible for ensuring the security of EduCCS's network and systems. In addition, X-Tech stores and archives EduCCS's information including their training programs and clients' and employees' data. Recently, X-Tech made headlines in the technology press for being a victim of a phishing attack. A group of three attackers hacked X-Tech’s systems via a phishing campaign which targeted the employees of the Marketing Department. By compromising X-Tech's mail server, hackers were able to gain access to more than 200 computer systems. Consequently, access to the networks of EduCCS’s clients was also allowed. Using EduCCS's employee accounts, attackers installed a remote access tool on EduCCS's compromised systems. By doing so, they gained access to personal information of EduCCS's clients, training programs, and other information stored in its online payment system. The attack was detected by X-Tech’s system administrator. After detecting unusual activity in X-Tech’s network, they immediately reported it to the incident management team of the company. One week after being notified about the personal data breach, EduCCS communicated the incident to the supervisory authority with a document that outlined the reasons for the delay revealing that due to the lack of regular testing or modification, their incident response plan was not adequately prepared to handle such an attack.Based on this scenario, answer the following question:

Question:

ShouldEduCCS document information related to the personal data breach, includingfacts, its impact, and the remedial action taken?

Options:

A.

Yes, EduCCS should document any personal data breachto enable the supervisory authority to verify compliancewithGDPR's Article 33(Notification of a personal data breach to the supervisory authority).

B.

Yes, EduCCS should document the personal data breachto allow the supervisory authority to determine if the breach must be communicated to data subjects.

C.

No, EduCCS wasnot the direct target of the attack, so itcannot document details about the breach, its impact, or remedial actions.

D.

No, EduCCS must report the breachonly if more than 100,000 individuals were affected.

Question 3

Scenario5:

Recpond is a German employment recruiting company. Their services are delivered globally and include consulting and staffing solutions. In the beginning. Recpond provided its services through an office in Germany. Today, they have grown to become one of the largest recruiting agencies, providing employment to more than 500,000 people around the world. Recpond receives most applications through its website. Job searchers are required to provide the job title and location. Then, a list of job opportunities is provided. When a job position is selected, candidates are required to provide their contact details and professional work experience records. During the process, they are informed that the information will be used only for the purposes and period determined by Recpond. Recpond's experts analyze candidates' profiles and applications and choose the candidates that are suitable for the job position. The list of the selected candidates is then delivered to Recpond's clients, who proceed with the recruitment process. Files of candidates that are not selected are stored in Recpond's databases, including the personal data of candidates who withdraw the consent on which the processing was based. When the GDPR came into force, the company was unprepared. The top management appointed a DPO and consulted him for all data protection issues. The DPO, on the other hand, reported the progress of all data protection activities to the top management. Considering the level of sensitivity of the personal data processed by Recpond, the DPO did not have direct access to the personal data of all clients, unless the top management deemed it necessary. The DPO planned the GDPR implementation by initially analyzing the applicable GDPR requirements. Recpond, on the other hand, initiated a risk assessment to understand the risks associated with processing operations. The risk assessment was conducted based on common risks that employment recruiting companies face. After analyzing different risk scenarios, the level of risk was determined and evaluated. The results were presented to the DPO, who then decided to analyze only the risks that have a greater impact on the company. The DPO concluded that the cost required for treating most of the identified risks was higher than simply accepting them. Based on this analysis, the DPO decided to accept the actual level of the identifiedrisks. After reviewing policies and procedures of the company. Recpond established a new data protection policy. As proposed by the DPO, the information security policy was also updated. These changes were then communicated to all employees of Recpond.Based on this scenario, answer the following question:

Question:

According to scenario 5, what should Recpond have considered whenassessing the risksrelated toprocessing operations?

Options:

A.

Risks should be identifiedbased on threats and vulnerabilitiesthat the company faces.

B.

Risks should be analyzedusing a quantitative approach, sincerisk scenariosmake the evaluation process difficult.

C.

Risks should beassessed based on the risk-based approachadopted by the DPO.

D.

Risks should be assessedonly when a supervisory authority requires it.

Question 4

Scenario:

Ashop ownerdecided to install avideo surveillance systemto protect the property against theft. However, thecameras also capture a considerable part of the store next door.

Question:

Which statement below iscorrectin this case?

Options:

A.

Controllers or processors that provide the means of processing personal data for such activities should operate undercommunity privacy requirements.

B.

This provisiondoes not fall under GDPR requirementsas it does not pose a high threat to the rights and freedoms of data subjects.

C.

Controllers or processors of personal data under this provisionfall under GDPR, since the cameras should capture only the premises of the shop owner who installed the cameras.

D.

GDPR does not applyto personal data collected by surveillance camerasif used for security purposes.

Question 5

Bus Spot is one of the largest bus operators in Spain. The company operates in local transport and bus rental since 2009. The success of Bus Spot can be attributed to the digitization of the bus ticketing system, through which clients can easily book tickets and stay up to date on any changes to their arrival or departure time. In recent years, due to the large number of passengers transported daily. Bus Spot has dealt with different incidents including vandalism, assaults on staff, and fraudulent injury claims. Considering the severity of these incidents, the need for having strong security measures had become crucial. Last month, the company decided to install a CCTV system across its network of buses. This security measure was taken to monitor the behavior of the company's employees and passengers, enabling crime prevention and ensuring safety and security. Following this decision, Bus Spot initiated a data protection impact assessment (DPIA). The outcome of each step of the DPIA was documented as follows: Step 1: In all 150 buses, two CCTV cameras will be installed. Only individuals authorized by Bus Spot will have access to the information generated by the CCTV system. CCTV cameras capture images only when the Bus Spot's buses are being used. The CCTV cameras will record images and sound. The information is transmitted to a video recorder and stored for 20 days. In case of incidents, CCTV recordings may be stored for more than 40 days and disclosed to a law enforcement body. Data collected through the CCTV system will be processed bv another organization. The purpose of processing this tvoe of information is to increase the security and safety of individuals and prevent criminal activity. Step 2: All employees of Bus Spot were informed for the installation of a CCTV system. As the data controller, Bus Spot will have the ultimate responsibility to conduct the DPIA. Appointing a DPO at that point was deemed unnecessary. However, the data processor’s suggestions regarding the CCTV installation were taken into account. Step 3: Risk Likelihood (Unlikely, Possible, Likely) Severity (Moderate, Severe, Critical) Overall risk (Low, Medium, High) There is a risk that the principle of lawfulness, fairness, and transparency will be compromised since individuals might not be aware of the CCTV location and its field of view. Likely Moderate Low There is a risk that the principle of integrity and confidentiality may be compromised in case the CCTV system is not monitored and controlled with adequate security measures. Possible Severe Medium There is a risk related to the right of individuals to be informed regarding the installation of CCTV cameras. Possible Moderate Low Step 4: Bus Spot will provide appropriate training to individuals that have access to the information generated by the CCTV system. In addition, it will ensure that the employees of the data processor are trained as well. In each entrance of the bus, a sign for the use of CCTV will bedisplayed. The sign will be visible and readable by all passengers. It will show other details such as the purpose of its use, the identity of Bus Spot, and its contact number in case there are any queries. Only two employees of Bus Spot will be authorized to access the CCTV system. They will continuously monitor it and report any unusual behavior of bus drivers or passengers to Bus Spot. The requests of individuals that are subject to a criminal activity for accessing the CCTV images will be evaluated only for a limited period of time. If the access is allowed, the CCTV images will be exported by the CCTV system to an appropriate file format. Bus Spot will use a file encryption software to encrypt data before transferring onto another file format. Step 5: Bus Spot's top management has evaluated the DPIA results for the processing of data through CCTV system. The actions suggested to address the identified risks have been approved and will be implemented based on best practices. This DPIA involves the analysis of the risks and impacts in only a group of buses located in the capital of Spain. Therefore, the DPIA will be reconducted for each of Bus Spot's buses in Spain before installing the CCTV system. Based on this scenario, answer the following question:

Question:

Is aDPIA necessaryfor Bus Spot?

Options:

A.

Yes, because the installation of aCCTV systemin Bus Spot’s buses involvessystematic monitoring of a large number of individuals.

B.

Yes, because the installation of a CCTV system in Bus Spot’s buses involves asystematic and extensive evaluation of personal aspectsrelating to natural personsbased on automated processing.

C.

No, because the installation of a CCTV system in Bus Spot’s buses doesnot involveprocessing of data that is likely to result in a high risk to the rights and freedoms of data subjects.

D.

No, because CCTV cameras used for security reasons are automaticallyexemptfrom GDPR requirements.

Question 6

Scenario:

Socianis a softwareused to collect medical records of patients, includingname, date of birth, social security number, and other personal data. The system stores data on asecure server with multi-layered security.

An organization usingSocianfor six months wants to ensure that itsprocessing activities comply with GDPR. TheDPO advised creating a list of processing activitiesrelated toSocian.

Question:

What should beincludedin theprocessing activities registers?

Options:

A.

Theseverity of the risksto therights and freedomsof data subjects.

B.

How thesupervisory authorityis notified in case of apersonal data breach.

C.

Thepersonal data protection techniquesused.

D.

Adetailed list of every individual who accessed the data.

Question 7

Scenario:

BookStis anonline bookshopthat collectspersonal databefore selling its products.Sarah signed up for an account, providing hername, email, and password. To purchase a book, Sarah was required to provide hershipping address and payment information, which isneeded to calculate shipping costsandcomplete the transaction.

Question:

Does the company have alegal basisfor processing Sarah's data?

Options:

A.

No, the processing isnot legally justifiedif it is only for sales purposes.

B.

Yes, the processing is necessary for theperformance of a contractto which the data subject is a party.

C.

No, the processing is legally justified only if it is necessary toprotect the vital interests of the data subject.

D.

Yes, but only if Sarah providesexplicit consentfor her data to be processed.

Question 8

Scenario:

An organization has been using astorage transfer serviceto importmarket-sensitive data, includingemail addresses and contact details, into acloud storage system. This change has affected theregistration processand has helped the organizationappropriately collect and store data.

Question:

Based on this scenario, what should theDPO monitorin the data processing register?

Options:

A.

Whether the organization hasobtained consentfrom the data subjects for this change.

B.

Whether the changes have beenreflected in the data processing registers.

C.

Whether the organization hasidentified storage transfer service’s technical and organizational measuresfor protection of personal data.

D.

Whether the organization hasnotified the supervisory authorityabout the change in storage methods.

Question 9

Bus Spot is one of the largest bus operators in Spain. The company operates in local transport and bus rental since 2009. The success of Bus Spot can be attributed to the digitization of the bus ticketing system, through which clients can easily book tickets and stay up to date on any changes to their arrival or departure time. In recent years, due to the large number of passengers transported daily. Bus Spot has dealt with different incidents including vandalism, assaults on staff, and fraudulent injury claims. Considering the severity of these incidents, the need for having strong security measures had become crucial. Last month, the company decided to install a CCTV system across its network of buses. This security measure was taken to monitor the behavior of the company's employees and passengers, enabling crime prevention and ensuring safety and security. Following this decision, Bus Spot initiated a data protection impact assessment (DPIA). The outcome of each step of the DPIA was documented as follows: Step 1: In all 150 buses, two CCTV cameras will be installed. Only individuals authorized by Bus Spot will have access to the information generated by the CCTV system. CCTV cameras capture images only when the Bus Spot's buses are being used. The CCTV cameras will record images and sound. The information is transmitted to a video recorder and stored for 20 days. In case of incidents, CCTV recordings may be stored for more than 40 days and disclosed to a law enforcement body. Data collected through the CCTV system will be processed bv another organization. The purpose of processing this tvoe of information is to increase the security and safety of individuals and prevent criminal activity. Step 2: All employees of Bus Spot were informed for the installation of a CCTV system. As the data controller, Bus Spot will have the ultimate responsibility to conduct the DPIA. Appointing a DPO at that point was deemed unnecessary. However, the data processor’s suggestions regarding the CCTV installation were taken into account. Step 3: Risk Likelihood (Unlikely, Possible, Likely) Severity (Moderate, Severe, Critical) Overall risk (Low, Medium, High) There is a risk that the principle of lawfulness, fairness, and transparency will be compromised since individuals might not be aware of the CCTV location and its field of view. Likely Moderate Low There is a risk that the principle of integrity and confidentiality may be compromised in case the CCTV system is not monitored and controlled with adequate security measures. Possible Severe Medium There is a risk related to the right of individuals to be informed regarding the installation of CCTV cameras. Possible Moderate Low Step 4: Bus Spot will provide appropriate training to individuals that have access to the information generated by the CCTV system. In addition, it will ensure that the employees of the data processor are trained as well. In each entrance of the bus, a sign for the use of CCTV will be displayed. The sign will be visible and readable by all passengers. It will show other details such as the purpose of its use, the identity of Bus Spot, and its contact number in case there are any queries. Only two employees of Bus Spot will be authorized to access the CCTV system. They will continuously monitor it and report any unusual behavior of bus drivers or passengers to Bus Spot. The requests of individuals that are subject to a criminal activity for accessing the CCTV images will be evaluated only for a limited period of time. If the access is allowed, the CCTV images will be exported by the CCTV system to an appropriate file format. Bus Spot will use a file encryption software to encrypt data before transferring onto another file format. Step 5: Bus Spot's topmanagement has evaluated the DPIA results for the processing of data through CCTV system. The actions suggested to address the identified risks have been approved and will be implemented based on best practices. This DPIA involves the analysis of the risks and impacts in only a group of buses located in the capital of Spain. Therefore, the DPIA will be reconducted for each of Bus Spot's buses in Spain before installing the CCTV system. Based on this scenario, answer the following question:

Question:

Based on scenario 6, Bus Spot decidednot to appoint a DPOwhen conducting the DPIA.

Which option iscorrectregarding this situation?

Options:

A.

Bus Spot can conduct a DPIA without designating a DPO, since the role of the DPO is only to give advice to the controller or processor.

B.

The DPIA conducted by Bus Spotis not validbecause they have not appointed a DPO.

C.

Bus Spot can conduct a DPIA only after appointing a DPO, since the DPO needs to control the DPIA process and observe how well risks are addressed.

D.

A DPO is mandatoryfor Bus Spot because CCTV surveillance involves high-risk processing.

Question 10

Scenario1:

MED is a healthcare provider located in Norway. It provides high-quality and affordable healthcare services, including disease prevention, diagnosis, and treatment. Founded in 1995, MED is one of the largest health organizations in the private sector. The company has constantly evolved in response to patients' needs.

Patients that schedule an appointment in MED's medical centers initially need to provide their personal information, including name, surname, address, phone number, and date of birth. Further checkups or admission require additional information, including previous medical history and genetic data. When providing their personal data, patients are informed that the data is used for personalizing treatments and improving communication with MED's doctors. Medical data of patients, including children, are stored in the database of MED's health information system. MED allows patients who are at least 16 years old to use the system and provide their personal information independently. For children below the age of 16, MED requires consent from the holder of parental responsibility before processing their data.

MED uses a cloud-based application that allows patients and doctors to upload and access information. Patients can save all personal medical data, including test results, doctor visits, diagnosis history, and medicine prescriptions, as well as review and track them at any time. Doctors, on the other hand, can access their patients' data through the application and can add information as needed.

Patients who decide to continue their treatment at another health institution can request MED to transfer their data. However, even if patients decide to continue their treatment elsewhere, their personal data is still used by MED. Patients’ requests to stop data processing are rejected. Thisdecision was made by MED’s top management to retain the information of everyone registered in their databases.

The company also shares medical data with InsHealth, a health insurance company. MED's data helps InsHealth create health insurance plans that meet the needs of individuals and families.

MED believes that it is its responsibility to ensure the security and accuracy of patients’ personal data. Based on the identified risks associated with data processing activities, MED has implemented appropriate security measures to ensure that data is securely stored and processed.

Since personal data of patients is stored and transmitted over the internet, MED uses encryption to avoid unauthorized processing, accidental loss, or destruction of data. The company has established a security policy to define the levels of protection required for each type of information and processing activity. MED has communicated the policy and other procedures to personnel and provided customized training to ensure proper handling of data processing.

Question:

Considering the nature of data processing activities described in scenario 1, is GDPR applicable to MED?

Options:

A.

Yes, GDPR is applicable to MED due to its processing activities involving personal information.

B.

Yes, MED’s use of cloud-based software to store and process health-related information necessitates compliance with GDPR’s data protection requirements.

C.

No, MED’s activities include healthcare services within one of the four EFTA states, which do not fall under the scope of GDPR.

D.

No, because MED operates only in Norway, and GDPR does not apply to domestic processing.

Question 11

Question:

What is themain purpose of conducting a DPIA?

Options:

A.

Toidentify the causesof the identified risks.

B.

Toextensively assess the impactsof the identified risks on individuals.

C.

Tomeasure the potential consequencesof the identified risks on the organization.

D.

Toeliminate all risksassociated with processing personal data.

Question 12

Scenario4:

Berc is a pharmaceutical company headquartered in Paris, France, known for developing inexpensive improved healthcare products. They want to expand to developing life-saving treatments. Berc has been engaged in many medical researches and clinical trials over the years. These projects required the processing of large amounts of data, including personal information. Since 2019, Berc has pursued GDPR compliance to regulate data processing activities and ensure data protection. Berc aims to positively impact human health through the use of technology and the power of collaboration. They recently have created an innovative solution in participation with Unty, a pharmaceutical company located in Switzerland. They want to enable patients to identify signs of strokes or other health-related issues themselves. They wanted to create a medical wrist device that continuously monitors patients' heart rate and notifies them about irregular heartbeats. The first step of the project was to collect information from individuals aged between 50 and 65. The purpose and means of processing were determined by both companies. The information collected included age, sex, ethnicity, medical history, and current medical status. Other information included names, dates of birth, and contact details. However, the individuals, who were mostly Berc's and Unty's customers, were not aware that there was an arrangement between Berc and Unty and that both companies have access to their personal data and share it between them. Berc outsourced the marketing of their new product to an international marketing company located in a country that had not adopted the adequacy decision from the EU commission. However, since they offered a good marketing campaign, following the DPO's advice, Berc contracted it. The marketing campaign included advertisement through telephone, emails, and social media. Berc requested that Berc’s and Unty's clients be first informed about the product. They shared the contact details of clients with the marketing company.Based on this scenario, answer the following question:

Question:

Is the transfer of data fromBerc to Untyin compliance with GDPR?

Options:

A.

Yes, Berc can transfer data to Unty because Switzerland provides a level of data protection that is "essentially equivalent” to that of the EU.

B.

Yes, Berc can transfer data to Unty because they collected data for the same purpose.

C.

No, Berc cannot transfer data to a company in Switzerland unless authorization from the supervisory authority in France is obtained.

D.

No, Berc must conduct a new DPIA before transferring data to Switzerland.

Question 13

Scenario 8:MA store is an online clothing retailer founded in 2010. They provide quality products at a reasonable cost. One thing that differentiates MA store from other online shopping sites is their excellent customer service.

MA store follows a customer-centered business approach. They have created a user-friendly website with well-organized content that is accessible to everyone. Through innovative ideas and services, MA store offers a seamless user experience for visitors while also attracting new customers. When visiting the website, customers can filter their search results by price, size, customer reviews, and other features. One of MA store's strategies for providing, personalizing, and improving its products is data analytics. MA store tracks and analyzes the user actions on its website so it can create customized experience for visitors.

In order to understand their target audience, MA store analyzes shopping preferences of its customers based on their purchase history. The purchase history includes the product that was bought, shipping updates, and payment details. Clients' personal data and other information related to MA store products included in the purchase history are stored in separate databases. Personal information, such as clients' address or payment details, are encrypted using a public key. When analyzing the shopping preferences of customers, employees access only the information about the product while the identity of customers is removed from the data set and replaced with a common value, ensuring that customer identities are protected and cannot be retrieved.

Last year, MA store announced that they suffered a personal data breach where personal data of clients were leaked. The personal data breach was caused by an SQL injection attack which targeted MA store’s web application. The SQL injection was successful since no parameterized queries were used.

Based on this scenario, answer the following question:

Which de-identification method has MA store used when analyzing the shopping preferences of its customers?

Options:

A.

Differential privacy

B.

Generalizing data with k-anonymity

C.

Scrambling

Question 14

Question:

Organization XYZ has just appointed aDPO. As such, XYZ needs toestablish the DPO's rolein the employment contract.

Which of the statements belowholds true?

Options:

A.

The DPO acts as acontact pointbetween thesupervisory authoritiesand the controller.

B.

The DPO acts as acontact pointbetween thecontroller and the processor.

C.

The DPO acts as acontact pointbetween the organization’stop management and employees.

D.

The DPO acts as adecision-makeron all data processing activities.

Question 15

Scenario:2

Soyled is a retail company that sells a wide range of electronic products from top European brands. It primarily sells its products in its online platforms (which include customer reviews and ratings), despite using physical stores since 2015. Soyled's website and mobile app are used by millions of customers. Soyled has employed various solutions to create a customer-focused ecosystem and facilitate growth. Soyled uses customer relationship management (CRM) software to analyze user data and administer the interaction with customers. The software allows the company to store customer information, identify sales opportunities, and manage marketing campaigns. It automatically obtains information about each user's IP address and web browser cookies. Soyled also uses the software to collect behavioral data, such as users’ repeated actions and mouse movement information. Customers must create an account to buy from Soyled’s online platforms. To do so, they fill out a standard sign-up form of three mandatory boxes (name, surname, email address) and a non-mandatory one (phone number). When the user clicks the email address box, a pop-up message appears as follows: “Soyled needs your email address to grant you access to your account and contact you about any changes related to your account and our website. For further information, please read our privacy policy.' When the user clicks the phone number box, the following message appears: “Soyled may use your phone number to provide text updates on the order status. The phone number may also be used by the shipping courier." Once the personal data is provided, customers create a username and password, which are used to access Soyled's website or app. When customers want to make a purchase, they are also required to provide their bank account details. When the user finally creates the account, the following message appears: “Soyled collects only the personal data it needs for the following purposes: processing orders, managing accounts, and personalizing customers' experience. The collected data is shared with our network and used for marketing purposes." Soyled uses personal data to promote sales and its brand. If a user decides to close the account, the personal data is still used for marketing purposes only. Last month, the company received an email from John, a customer, claiming that his personal data was being used for purposes other than those specified by the company. According to the email, Soyled was using the data for direct marketing purposes. John requested details on how his personal data was collected, stored, and processed. Based on this scenario, answer the following question:

Question:

Based on scenario2, Soyled only has threemandatory fieldsin its sign-up form. On which GDPR principle is this decision based?

Options:

A.

Lawfulness, fairness, and transparency

B.

Purpose limitation

C.

Data minimization

D.

Storage limitation

Question 16

Scenario6:

Bus Spot is one of the largest bus operators in Spain. The company operates in local transport and bus rental since 2009. The success of Bus Spot can be attributed to the digitization of the bus ticketing system, through which clients can easily book tickets and stay up to date on any changes to their arrival or departure time. In recent years, due to the large number of passengers transporteddaily. Bus Spot has dealt with different incidents including vandalism, assaults on staff, and fraudulent injury claims. Considering the severity of these incidents, the need for having strong security measures had become crucial. Last month, the company decided to install a CCTV system across its network of buses. This security measure was taken to monitor the behavior of the company's employees and passengers, enabling crime prevention and ensuring safety and security. Following this decision, Bus Spot initiated a data protection impact assessment (DPIA). The outcome of each step of the DPIA was documented as follows: Step 1: In all 150 buses, two CCTV cameras will be installed. Only individuals authorized by Bus Spot will have access to the information generated by the CCTV system. CCTV cameras capture images only when the Bus Spot's buses are being used. The CCTV cameras will record images and sound. The information is transmitted to a video recorder and stored for 20 days. In case of incidents, CCTV recordings may be stored for more than 40 days and disclosed to a law enforcement body. Data collected through the CCTV system will be processed bv another organization. The purpose of processing this tvoe of information is to increase the security and safety of individuals and prevent criminal activity. Step 2: All employees of Bus Spot were informed for the installation of a CCTV system. As the data controller, Bus Spot will have the ultimate responsibility to conduct the DPIA. Appointing a DPO at that point was deemed unnecessary. However, the data processor’s suggestions regarding the CCTV installation were taken into account. Step 3: Risk Likelihood (Unlikely, Possible, Likely) Severity (Moderate, Severe, Critical) Overall risk (Low, Medium, High) There is a risk that the principle of lawfulness, fairness, and transparency will be compromised since individuals might not be aware of the CCTV location and its field of view. Likely Moderate Low There is a risk that the principle of integrity and confidentiality may be compromised in case the CCTV system is not monitored and controlled with adequate security measures. Possible Severe Medium There is a risk related to the right of individuals to be informed regarding the installation of CCTV cameras. Possible Moderate Low Step 4: Bus Spot will provide appropriate training to individuals that have access to the information generated by the CCTV system. In addition, it will ensure that the employees of the data processor are trained as well. In each entrance of the bus, a sign for the use of CCTV will be displayed. The sign will be visible and readable by all passengers. It will show other details such as the purpose of its use, the identity of Bus Spot, and its contact number in case there are any queries. Only two employees of Bus Spot will be authorized to access the CCTV system. They will continuously monitor it and report any unusual behavior of bus drivers or passengers to Bus Spot. The requests of individuals that are subject to a criminal activity for accessing the CCTV images will be evaluated only for a limited period of time. If the access is allowed, the CCTV images will be exported by the CCTV system to an appropriate file format. Bus Spot will use a file encryption software to encrypt data before transferring onto another file format. Step 5: Bus Spot's top management has evaluated the DPIA results for the processing of data through CCTV system. The actions suggested to address the identified risks have been approved and will be implemented based on best practices. This DPIA involves the analysis of the risks and impacts in only a group of buses located in the capital of Spain. Therefore, the DPIA will be reconducted for each of Bus Spot's buses in Spain before installing the CCTV system. Based on this scenario, answer the following question:

Question:

Which step of theDPIA methodologydid Bus Spotmisswhen conducting the DPIA?

Options:

A.

Thenecessity and proportionality evaluationstep, where it should have determined thelawful basis for data processing.

B.

The stepdescribing the data processing activities, where it should have detailed thescope, nature, context, and purposes of the processing.

C.

Thealignment with GDPR-defined DPIA guidelines, where it should have adhered to the regulatory framework and methodology outlined by the GDPR.

D.

Thesupervisory authority approvalstep, where it should have obtained prior authorization before implementing the CCTV system.

Question 17

Which statement below regarding the difference between anonymization and pseudonymization is correct?

Options:

A.

Anonymization is reversible and the original data can be retrieved with the use of a public key encryption, while pseudonymization is not reversible and can be used only for non-identifiable data, such as gender, nationality, and occupation

B.

Anonymization is not reversible and the original data cannot be attributed to an individual, while pseudonymization is reversible and the original data can be attributed to an individual with the use of additional information

C.

Anonymization is the process of replacing a portion of the data with a common value to keep the identity of individuals anonymous, whereas pseudonymization is the process of adding mathematical noise to the data

Question 18

Bus Spot is one of the largest bus operators in Spain. The company operates in local transport and bus rental since 2009. The success of Bus Spot can be attributed to the digitization of the bus ticketing system, through which clients can easily book tickets and stay up to date on any changes to their arrival or departure time. In recent years, due to the large number of passengers transported daily. Bus Spot has dealt with different incidents including vandalism, assaults on staff, and fraudulent injury claims. Considering the severity of these incidents, the need for having strong security measures had become crucial. Last month, the company decided to install a CCTV system across its network of buses. This security measure was taken to monitor the behavior of the company's employees and passengers, enabling crime prevention and ensuring safety and security. Following this decision, Bus Spot initiated a data protection impact assessment (DPIA). The outcome of each step of the DPIA was documented as follows: Step 1: In all 150 buses, two CCTV cameras will be installed. Only individuals authorized by Bus Spot will have access to the information generated by the CCTV system. CCTV cameras capture images only when the Bus Spot's buses are being used. The CCTV cameras will record images and sound. The information is transmitted to a video recorder and stored for 20 days. In case of incidents, CCTV recordings may be stored for more than 40 days and disclosed to a law enforcement body. Data collected through the CCTV system will be processed bv another organization. The purpose of processing this tvoe of information is to increase the security and safety of individuals and prevent criminal activity. Step2: All employees of Bus Spot were informed for the installation of a CCTV system. As the data controller, Bus Spot will have the ultimate responsibility to conduct the DPIA. Appointing a DPO at that point was deemed unnecessary. However, the data processor’s suggestions regarding the CCTV installation were taken into account. Step 3: Risk Likelihood (Unlikely, Possible, Likely) Severity (Moderate, Severe, Critical) Overall risk (Low, Medium, High) There is a risk that the principle of lawfulness, fairness, and transparency will be compromised since individuals might not be aware of the CCTV location and its field of view. Likely Moderate Low There is a risk that the principle of integrity and confidentiality may be compromised in case the CCTV system is not monitored and controlled with adequate security measures. Possible Severe Medium There is a risk related to the right of individuals to be informed regarding the installation of CCTV cameras. Possible Moderate Low Step 4: Bus Spot will provide appropriate training to individuals that have access to the information generated by the CCTV system. In addition, it will ensure that the employees of the data processor are trained as well. In each entrance of the bus, a sign for the use of CCTV will be displayed. The sign will be visible and readable by all passengers. It will show other details such as the purpose of its use, the identity of Bus Spot, and its contact number in case there are any queries. Only two employees of Bus Spot will be authorized to access the CCTV system. They will continuously monitor it and report any unusual behavior of bus drivers or passengers to Bus Spot. The requests of individuals that are subject to a criminal activity for accessing the CCTV images will be evaluated only for a limited period of time. If the access is allowed, the CCTV images will be exported by the CCTV system to an appropriate file format. Bus Spot will use a file encryption software to encrypt data before transferring onto another file format. Step 5: Bus Spot's top management has evaluated the DPIA results for the processing of data through CCTV system. The actions suggested to address the identified risks have been approved and will be implemented based on best practices. This DPIA involves the analysis of the risks and impacts in only a group of buses located in the capital of Spain. Therefore, the DPIA will be reconducted for each of Bus Spot's buses in Spain before installing the CCTV system. Based on this scenario, answer the following question:

Question:

You are appointed as theDPO of Bus Spot.

What action would yousuggestwhen reviewing the results of theDPIApresented in scenario 6?

Options:

A.

Reconducting a DPIA for each busof Bus Spot isnot necessary, since the nature, scope, context, and purpose of data processing are similar in all buses.

B.

Displaying the identity of Bus Spot, its contact number, and the purpose of data processingin each bus isnot necessary; furthermore, it breaches thedata protection principles defined by GDPR.

C.

Using a data processor for CCTV images is not in compliance with GDPR, since the data generated from the CCTV system should be controlled and processed by Bus Spot.

D.

The DPIA should be reviewed annually, as CCTV surveillance presents ongoing risks to data subjects' privacy.

Question 19

Scenario3:

COR Bank is an international banking group that operates in 31 countries. It was formed as the merger of two well-known investment banks in Germany. Their two main fields of business are retail and investment banking. COR Bank provides innovative solutions for services such as payments, cash management, savings, protection insurance, and real-estate services. COR Bank has a large number of clients and transactions. Therefore, they process large information, including clients' personal data. Some of the data from the application processes of COR Bank, including archived data, is operated by Tibko, an IT services company located in Canada. To ensure compliance with the GDPR, COR Bank and Tibko have reached a data processing agreement Basedon the agreement, the purpose and conditions of data processing are determined by COR Bank. However, Tibko is allowed to make technical decisions for storing the data based on its own expertise. COR Bank aims to remain a trustworthy bank and a long-term partner for its clients. Therefore, they devote special attention to legal compliance. They started the implementation process of a GDPR compliance program in 2018. The first step was to analyze the existing resources and procedures. Lisa was appointed as the data protection officer (DPO). Being the information security manager of COR Bank for many years, Lisa had knowledge of the organization's core activities. She was previously involved in most of the processes related to information systems management and data protection. Lisa played a key role in achieving compliance to the GDPR by advising the company regarding data protection obligations and creating a data protection strategy. After obtaining evidence of the existing data protection policy, Lisa proposed to adapt the policy to specific requirements of GDPR. Then, Lisa implemented the updates of the policy within COR Bank. To ensure consistency between processes of different departments within the organization, Lisa has constantly communicated with all heads of GDPR. Then, Lisa implemented the updates of the policy within COR Bank. To ensure consistency between processes of different departments within the organization, Lisa has constantly communicated with all heads of departments. As the DPO, she had access to several departments, including HR and Accounting Department. This assured the organization that there was a continuous cooperation between them. The activities of some departments within COR Bank are closely related to data protection. Therefore, considering their expertise, Lisa was advised from the top management to take orders from the heads of those departments when taking decisions related to their field. Based on this scenario, answer the following question:

Question:

According to scenario 3,Tibko stores archived data on behalf of COR Bank. This means that Tibko is a:

Options:

A.

Data controller, since they control some of the data from the application processes of COR Bank.

B.

Data processor, since they store COR Bank's data based on the purpose and conditions defined by COR Bank.

C.

Joint controller with COR Bank, since they archive COR Bank's data and take technical decisions regarding data protection.

D.

Independent controller, since Tibko handles data security and storage.

Question 20

Scenario:

An organization conducted anonline surveyto gather opinions onglobal warming. The survey collected personal data, includingage, nationality, gender, and city of residence.

Question:

What should be considered whenidentifying this processing activity?

Options:

A.

Information on thepersonal data collectedand itssensitivity.

B.

Information abouthow the data is processed.

C.

Adescription of data subjectsand thecategories of personal datacollected.

D.

Thesurvey platform's technical security measures.

Question 21

Question:

You work in a company that providestraining services. One of the clientsrequests accessto information about thecategories of recipientsto whom theirpersonal data will be disclosed.

Whatactionsshould you take to becompliant with GDPR?

Options:

A.

Obtainauthorizationfrom the recipients before disclosing their identities.

B.

Verify the identityof the client by sendinglogin datato their mailing address.

C.

Inform the client thataccess to this type of information is not allowed, since it may result in ahigh riskto the rights and freedoms of recipients.

D.

Provide theclient with the requested informationabout the recipients of their data.

Question 22

Scenario3:

COR Bank is an international banking group that operates in 31 countries. It was formed as the merger of two well-known investment banks in Germany. Their two main fields of business are retail and investment banking. COR Bank provides innovative solutions for services such as payments, cash management, savings, protection insurance, and real-estate services. COR Bank has a large number of clients and transactions. Therefore, they process large information, including clients' personal data. Some of the data from the application processes of COR Bank, including archived data, is operated by Tibko, an IT services company located in Canada. To ensure compliance with the GDPR, COR Bank and Tibko have reached a data processing agreement Based on the agreement, the purpose and conditions of data processing are determined by COR Bank. However, Tibko is allowed to make technical decisions for storing the data based on its own expertise. COR Bank aims to remain a trustworthy bank and a long-term partner for its clients. Therefore, they devote special attention to legal compliance. They started the implementation process of a GDPR compliance program in 2018. The first step was to analyze the existing resources and procedures. Lisa was appointed as the data protection officer (DPO). Being the information security manager of COR Bank for many years, Lisa had knowledge of the organization's core activities. She was previously involved in most of the processes related to information systems management and data protection. Lisa played a key role in achieving compliance to the GDPR by advising the company regarding data protection obligations and creating a data protection strategy. After obtaining evidence of the existing data protection policy, Lisa proposed to adapt the policy to specific requirements of GDPR. Then, Lisa implemented the updates of the policy within COR Bank. To ensure consistency between processes of different departments within the organization, Lisa has constantly communicated with all heads of GDPR. Then, Lisa implemented the updates of the policy within COR Bank. To ensure consistency between processes of different departments within the organization, Lisa has constantly communicated with all heads of departments. As the DPO, she had access to several departments,including HR and Accounting Department. This assured the organization that there was a continuous cooperation between them. The activities of some departments within COR Bank are closely related to data protection. Therefore, considering their expertise, Lisa was advised from the top management to take orders from the heads of those departments when taking decisions related to their field. Based on this scenario, answer the following question:

Question:

According to scenario 3,Lisa was appointed as the Data Protection Officer (DPO)of COR Bank. Is this action in compliance with GDPR?

Options:

A.

Yes, the DPO may be a staff member of the controller or processor or fulfill the tasks based on a service contract.

B.

Yes, the DPO must be a staff member of the controller or processor in all cases when processing includes special categories of data.

C.

No, an external DPO must be contracted when personal data is collected or processed by an organization that is not established in the European Union.

D.

No, Lisa cannot be appointed as a DPO because she was already an information security officer.

Question 23

Scenario3:

COR Bank is an international banking group that operates in 31 countries. It was formed as the merger of two well-known investment banks in Germany. Their two main fields of business are retail and investment banking. COR Bank provides innovative solutions for services such as payments, cash management, savings, protection insurance, and real-estate services. COR Bank has a large number of clients and transactions. Therefore, they process large information, including clients' personal data. Some of the data from the application processes of COR Bank, including archived data, is operated by Tibko, an IT services company located in Canada. To ensure compliance with the GDPR, COR Bank and Tibko have reached a data processing agreement Based on the agreement, the purpose and conditions of data processing are determined by COR Bank. However, Tibko is allowed to make technical decisions for storing the data based on its own expertise. COR Bank aims to remain a trustworthy bank and a long-term partner for its clients. Therefore, they devote special attention to legal compliance. They started the implementation process of a GDPR compliance program in 2018. The first step was to analyze the existing resources and procedures. Lisa was appointed as the data protection officer (DPO). Being the information security manager of COR Bank for many years, Lisa had knowledge of theorganization's core activities. She was previously involved in most of the processes related to information systems management and data protection. Lisa played a key role in achieving compliance to the GDPR by advising the company regarding data protection obligations and creating a data protection strategy. After obtaining evidence of the existing data protection policy, Lisa proposed to adapt the policy to specific requirements of GDPR. Then, Lisa implemented the updates of the policy within COR Bank. To ensure consistency between processes of different departments within the organization, Lisa has constantly communicated with all heads of GDPR. Then, Lisa implemented the updates of the policy within COR Bank. To ensure consistency between processes of different departments within the organization, Lisa has constantly communicated with all heads of departments. As the DPO, she had access to several departments, including HR and Accounting Department. This assured the organization that there was a continuous cooperation between them. The activities of some departments within COR Bank are closely related to data protection. Therefore, considering their expertise, Lisa was advised from the top management to take orders from the heads of those departments when taking decisions related to their field. Based on this scenario, answer the following question:

Question:

Lisa implemented the updates to the data protection policy. Is she responsible for this under GDPR?

Options:

A.

No, the DPO is only responsible for proposing changes and obtaining evidence regarding specific GDPR requirements in the policy.

B.

No, the DPO is responsible for monitoring compliance with GDPR butnotfor implementing the GDPR compliance policies.

C.

Yes, the DPO is responsible for implementing GDPR policies, procedures, and processes, as well as ensuring compliance.

D.

Yes, the DPO is responsible for all security-related tasks, including updating GDPR policies.

Question 24

Scenario 8:MA store is an online clothing retailer founded in 2010. They provide quality products at a reasonable cost. One thing that differentiates MA store from other online shopping sites is their excellent customer service.

MA store follows a customer-centered business approach. They have created a user-friendly website with well-organized content that is accessible to everyone. Through innovative ideas and services, MA store offers a seamless user experience for visitors while also attracting new customers. When visiting the website, customers can filter their search results by price, size, customer reviews, and other features. One of MA store's strategies for providing, personalizing, and improving its products is data analytics. MA store tracks and analyzes the user actions on its website so it can create customized experience for visitors.

In order to understand their target audience, MA store analyzes shopping preferences of itscustomers based on their purchase history. The purchase history includes the product that was bought, shipping updates, and payment details. Clients' personal data and other information related to MA store products included in the purchase history are stored in separate databases. Personal information, such as clients' address or payment details, are encrypted using a public key. When analyzing the shopping preferences of customers, employees access only the information about the product while the identity of customers is removed from the data set and replaced with a common value, ensuring that customer identities are protected and cannot be retrieved.

Last year, MA store announced that they suffered a personal data breach where personal data of clients were leaked. The personal data breach was caused by an SQL injection attack which targeted MA store’s web application. The SQL injection was successful since no parameterized queries were used.

Based on this scenario, answer the following question:

According to scenario 8, MA store analyzed shopping preferences of its customers by analyzing the product they have bought in the customer's purchase history. Which option is correct in this case?

Options:

A.

MA store can use this type of information for an indefinite period of time since it is anonymized

B.

MA store can use this type of information for a limited period of time since it is pseudonymized

C.

MA store can use this type of information only during the period for which data subjects have given consent

Page: 1 / 8
Total 80 questions