PDPF Sample Questions Answers

This is an issue that addresses two very important points – sensitive data and data from minors.

As these are, it is necessary to inform the Supervisory Authority and those responsible for the data subjects. Article 34 mentions:

1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

Recital 38 says:

Children merit specific protection regarding their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.

When a project includes technologies or processes that use personal data. Incorrect. Only for technologies and processes that are likely to result in a high risk to the rights of data subjects is the DPIA mandatory.

When processing is likely to result in a high risk to the rights of data subjects. Correct. For processing operations which are likely to result in a high risk, a DPIA is obligatory to assess those risks and to design mitigation measures. (Literature: A, Chapter 6; GDPR Article 35)

When similar processing operations with comparable risks are repeated. Incorrect. This is a case in which a DPIA does not need to be repeated.

Whereas Recital 170 mentions: “Since the objective of this Regulation, namely to ensure an equivalent level of protection of natural persons and the free flow of personal data throughout the Union, cannot be sufficiently

achieved by the Member States and can rather, by reason of the scale or effects of the action, be better

achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective”.

Subsidiarity is a principle that says that personal data can only be processed if there are no other means to achieve the objective. Therefore, the less personal data used, the less the chances of violating privacy.

Note that in the quotation in Recital 170 above, the principle of proportionality was highlighted in bold. Equally important to subsidiarity. Proportionality says that personal data must be collected according to the purpose of processing, that is proportional, and data that will not be used for the purpose should not be collected.

These two principles Subsidiarity and Proportionality are constantly charged in the EXIN exam.

Personal data can only be processed in accordance with the purpose specification. Incorrect. This is one of the legal limitations.

Personal data cannot be reused without explicit and informed consent. Incorrect. This is one of the legal limitations.

Personal data may only be processed when there are no other means to achieve the purposes. Correct. This is the definition of subsidiarity. (Literature: A, Chapter 3; GDPR Article 35(7))

Personal data must be adequate, relevant and not excessive in relation to the purposes. Incorrect. This is the definition of proportionality.

Anonymized data is not under the scope of the GDPR, nor are data from deceased persons. Organizations that handle only this type of data do not need to conform to the GDPR.

Anonymized data reads data that is not possible to reverse in order to identify the data subject. There is also pseudonymized data, in which case it is possible to perform the reversal and identify the data holder.

With the death of the data subject, the controller can process the data in any way he wishes, since personal data of deceased persons is not within the scope of the GDPR.

Recital 27 says: This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.

A list of payments made using a credit card. Incorrect. Credit card data is personal data, but not special category data.

An address list of members of a political party. Correct. Personal data revealing political opinions is special personal data (Literature: A, Chapter 1; GDPR Article 9(1))

A genealogical register of someone’s ancestors. Incorrect. Genealogical information on living persons is personal data, but not special category. The GDPR does not apply to data on deceased persons.

The front line with the data holder is the Controller, see image. So, it is he who has to show compliance, who must be concerned with the legality of processing, who must implement security measures.

Article 9 of the GDPR legislation on “Treatment of special categories of personal data”.

Also called sensitive data.

In its first paragraph it quotes:

“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”

A very repeated phrase is: “It is possible to have security without privacy, but it is not possible to have privacy without security”.

Privacy is a right that should be protected, and Data Protection are the measures that will be used to achieve this protection.

GDPR requires that there is a contract between the processor and the controller. This contract establishes rules and responsibilities such as: the object and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, and the obligations and rights of the controller.

Quote from Article 28:

3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.

The purpose of GDPR is to protect personal data. In the case of this issue there was no loss of personal data, so it is not a data breach.

Important

A data breach is whenever something happens that has not been planned with the personal data, be it improper processing, improper sharing, loss of data, deletion, etc. That is, personal data must be used for a specific purpose, respecting the life cycle (from collection to exclusion), any situation that escapes this cycle must be reported as a data breach.

GDPR does not apply to the use of personal data for domestic purposes, however in this example the controller is the Social Network, as it performs the processing of the photos. Therefore, the owner has the right to delete this photo.

For domestic purposes, data collection is not intended for professional or commercial purposes. Examples are the get-togethers of friends and family where we can collect names, phone numbers, e-mails to facilitate the organization, as well as taking pictures to record the moment. Now if you have a blog where you can record several moments with your friends and you monetize it in some way – watch out! – you are under the scope of GDPR.

Whereas Recital 18: “This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.”

When there is a processor and an operator in EEA countries, the competent authority will be the location of the Controller, however the Supervisory authority of the Controller is considered to be a concerned Supervisory Authority (who has interests).

Therefore, the Processor Supervisory Authority evaluates and approves the rules of the contract, in accordance with Article 57 of the GDPR, and must notify the Controller Supervisory Authority.

In its Article 57, the GDPR legislates on the Responsibilities of the Supervisory Authority. In its first paragraph, items “r” and “s”:

r)Authorise contractual clauses and provisions referred to in Article 46(3);

s)Approve binding corporate rules pursuant to Article 47.

The principle of limitation of purposes says that personal data must be collected for specific, explicit and legitimate purposes and cannot be further processed in a way incompatible with those purposes.

When the data is sold to another company, we can conclude that it was acquired by a controller for a specific purpose and that it subsequently sold it without the owner’s knowledge and consent.

Companies have tax obligations to be fulfilled, so financial data cannot be deleted.

The data subject has several rights under the GDPR, however there are limitations. These rights cannot run counter to other specific legislation. In this case, the holder can exercise the right of Opposition instead of Exclusion. In the Right of Opposition, he requests the Controller to cease the processing of his data for non- consented purposes. An example of Opposition: in Brazil there was the website naomeperturbe.com.br, where millions of Brazilians could oppose the inconvenient calls made by the telecommunication service providers.

It aims to manage the flow of data throughout the life cycle, from collection, processing, sharing, storage and deletion.

Having the knowledge where the data travels, who is responsible, who has access, helps and a lot to implement security measures.

Whenever a new technology is applied, a DPIA must be performed. In addition, a DPIA must be performed before starting the processing of personal data. This is important to check for risks to data subjects since data collection.

In its Article 35 the GDPR legislates on the Impact assessment on data protection.

1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

Article 28 of the GDPR in its paragraph 3 mentions:

This contract or other normative act stipulates, inter alia, that the subcontractor:

a)processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

b)ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

c)takes all measures required pursuant to Article 32;

d)respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;

e)taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;

f)assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;

g)at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;

h)makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

Data protection and privacy are synonyms and have the same meaning. Incorrect. Data protection helps to protect a person’s privacy, but the terms are not synonyms.

Data protection is the part of privacy that protects a person’s physical integrity. Incorrect. Data protection is not related to physical integrity or physical privacy.

Data protection refers to the measures needed to protect a person’s privacy. Correct. Data protection are some of the measures needed to protect a person’s privacy. (Literature: A, Chapter 1)

Data protection and privacy are complementary, but not the same thing.

A very repeated phrase is: “It is possible to have security without privacy, but it is not possible to have privacy without security”.

Privacy is a right that must be protected, and Data Protection are the measures that will be used to achieve this protection.

Article 57 legislates on the Responsibilities of the Supervisory Authority. In paragraph 1, item “a” says: “monitor and enforce the application of this Regulation”.

When we have a Regulation, such as the GDPR, all EU Member States are obliged to follow it and have a fixed date to entry into force. The regulation is a law and Member States cannot create laws that oppose it. Unlike the Directives that set objectives to be achieved, however, each Member State is free to decide how to apply them in their countries.

Important

Prior to the GDPR, there was a Directive “95/46 / EC First Data Protection Directive. Approved in 1995, it was already aimed at protecting personal data. This directive was replaced by GDPR.

“Article 94: 1. Directive 95/46 / EC is repealed with effect from 25 May 2018."

In the EXIN PDPF exam this is an issue that is routinely asked. “Which directive has been replaced by GDPR?” Answer: 95/46 / EC.

Besides to what many persons think, the GDPR does not apply only to the EU, but to all member countries of the European Economic Area (EEA) that includes, in addition to the EU member countries, Iceland, Liechtenstein and Norway.

Collecting name and address information for a gymnastics club. Incorrect. Collecting is also considered processing data.

Creating a back-up of biometric data for data security purposes. Incorrect. Storage is also considered processing data.

Editing personal photographs before printing them at home. Correct. The GDPR is not applicable to home-use of your own photographs. (Literature: A, Chapter 1; GDPR Article 4)

Yes, because the personal data on the disk were unlawfully processed. Correct. Personal data irretrievably lost is regarded as ‘a breach of security leading to unlawful destruction of personal data, which also makes it a personal data breach. (Literature: A, Chapter 5; GDPR Article 4(12))

Yes, because there were no special category personal data stored on the disk. Incorrect. Accidental loss of data is a security incident (data is no longer available). According to the GDPR it is also unlawful processing of personal data, hence a personal data breach. Data do not have to belong to the category of special

personal data to fall under the category personal data breach.

No, because no personal data on the disk were processed, only destroyed. Incorrect. A technical malfunction causing data to be no longer available is a security incident. The GDPR sees accidental loss of personal data as unlawful processing (not on instruction of the controller or processor) hence as a personal data breach.

No, because this is only a security incident and not a data breach. Incorrect. Personal data that are irretrievably lost, is regarded as unauthorized processing by the GDPR, hence a personal data breach. The fact that data was accidentally destroyed also makes the event a security incident.

The numerous powers of the Supervisory Authority are divided into:

-Investigative powers;

-Correcting powers;

-Advisory and authorization powers.

The investigative powers provided for in Article 58, Paragraph 1 are:

a) To order the controller and the processor, and, where applicable, the controller’s or the processor’s representative to provide any information it requires for the performance of its tasks;

b)To carry out investigations in the form of data protection audits;

c)To carry out a review on certifications issued pursuant to Article 42(7);

d)To notify the controller or the processor of an alleged infringement of this Regulation;

e)To obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;

f)To obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.

Section: (none)

Explanation

The organization minimizes the risk of costly adjustments in processes or the redesign of systems in a later stage. Incorrect. This aspect may strengthen the confidence of management, but not of customers or citizens.

The organization prevents non-compliance with the GDPR and minimizes the risk of fines. Incorrect. Preventing fines may strengthen the confidence of management, but not of customers or citizens.

The organization proves that it takes privacy seriously and aims for compliance with the GDPR. Correct. Doing a DPIA shows customers or citizens that the company is serious about data protection. (Literature: A, Chapter 8)

The correct option is the responsibility of the Supervisory Authority, the others are the responsibility of the processor.

GDPR Article 3 decrees:

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

a)the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or;

b)the monitoring of their behaviour as far as their behaviour takes place within the Union.

In its first paragraph of Article 4, the GDPR defines:

‘personal data’ means any information relating to an identified or identifiable natural person…

Here is a catch between the options “Loss of personal data” and “Transfer of personal data outside the EU”.

A data breach is whenever something happens that has not been planned with the personal data, be it improper processing, improper sharing, loss of data, deletion, etc. That is, personal data must be used for a specific purpose, respecting the life cycle (from collection to exclusion), any situation that escapes this cycle must be reported as a data breach.

The transfer of personal data outside the EU can also be considered a violation if there is no authorization from the data subject and if the destination country does not offer legislation like the GDPR. Although there is no specific legislation, the Supervisory Authority can authorize the transfer of data provided that the company in the destination country accepts standard contractual clauses for the processing of this data.

Article 46 of GDPR

1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

Article 58 of GDPR

3. Each supervisory authority shall have all of the following authorisation and advisory powers: to authorise contractual clauses referred to in point (a) of Article 46(3).

When we have a Regulation, such as the GDPR, all EU member states are obliged to follow it and have a fixed date for entry into force. The regulation is a law and Member States cannot create laws that oppose it. Unlike the Directives that set objectives to be achieved, however, each Member State is free to decide how to apply them in its country.

Important

Prior to the GDPR, there was the “95/46 / EC First Data Protection Directive (European DP)”. Approved in 1995, it was already aimed to protect personal data. This directive was replaced by the GDPR.

“Article 94: 1. Directive 95/46 / EC is repealed with effect from 25 May 2018.”

In the EXIN PDPF exam this is a question that is routinely asked. “What directive has been replaced by GDPR?” Answer: 95/46 / EC.