Pass the Exin Privacy & Data Protection PDPF Questions and answers with CertsForce

By applying the concept of least privilege to the personal data collected, stored or otherwise

processed. Incorrect. Data minimization does not address least privilege.

By limiting access rights to staff who need the personal data for the intended processing operations. Incorrect. This describes the concept of limiting authorization for instance to comply with the principle of integrity and confidentiality.

By limiting file sizes, through saving all personal data that is processed in the smallest possible format. Incorrect. Data minimization according to the GDPR is not about storage size, but about minimalizing the use of personal data.

By limiting the personal data to what is adequate, relevant and necessary for the processing purposes.

Correct. This is the essence of the description in the GDPR. (Literature: A, Chapter 2; GDPR Article 5(1)(c))

Here is a catch between the options “Loss of personal data” and “Transfer of personal data outside the EU”.

A data breach is whenever something happens that has not been planned with the personal data, be it improper processing, improper sharing, loss of data, deletion, etc. That is, personal data must be used for a specific purpose, respecting the life cycle (from collection to exclusion), any situation that escapes this cycle must be reported as a data breach.

The transfer of personal data outside the EU can also be considered a violation if there is no authorization from the data subject and if the destination country does not offer legislation like the GDPR. Although there is no specific legislation, the Supervisory Authority can authorize the transfer of data provided that the company in the destination country accepts standard contractual clauses for the processing of this data.

Article 46 of GDPR

1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

Article 58 of GDPR

3. Each supervisory authority shall have all of the following authorisation and advisory powers: to authorise contractual clauses referred to in point (a) of Article 46(3).

Article 4 dealing with the GDPR Definitions says in its paragraph 21:

‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51.

Companies have tax obligations to be fulfilled, so financial data cannot be deleted.

The data subject has several rights under the GDPR, however there are limitations. These rights cannot run counter to other specific legislation. In this case, the holder can exercise the right of Opposition instead of Exclusion. In the Right of Opposition, he requests the Controller to cease the processing of his data for non- consented purposes. An example of Opposition: in Brazil there was the website naomeperturbe.com.br, where millions of Brazilians could oppose the inconvenient calls made by the telecommunication service providers.

It is up to a supervisory authority to inspect and take measures to compel companies to conform to the GDPR.

According to paragraph 1 of Article 51.

1. Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (‘supervisory authority’).

Chapter VI of the GDPR talks about laws on independent supervisory authorities.

When personal data is processed at a facility of the processor that is not located within the borders of the EEA. Incorrect. The location where the data is processed is of no significance to the obligation to notify data subjects of personal data breaches.

When personal data is processed by a party that agreed to the draft processing contract but has not yet sign it. Incorrect. Personal data processed by another party than the controller without a valid written contract is considered a personal data breach. In the given situation however, negative consequences for the data subjects are unlikely. Notifying the data subject is not obligatory in that case.

When the system on which the personal data is processed is attacked causing damage to its storage devices. Incorrect. Damage to storage devices will make access to the data difficult or even impossible but does not imply illegal processing.

When there is a significant probability that the breach will lead to a high risk for the privacy of the data subjects. Correct. If there is a significant probability of negative impact on the data subjects, the controller is obliged to notify them of the breach. (Literature: A, Chapter 5)

Verify that the processor has sufficient security guarantees that are essential for the Controller to remain in

compliance with the GDPR. Remember that the responsibility is always of the controller who must take care of the data of the data subjects that have been entrusted to him.

Recital 81 mentions the following:

(81) To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organizational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.

This is a question that has the most doubts: “Who needs to adapt?". For example: 1 - If you have a company in Brazil and sell products or services and process personal data from residents in the EU, in this case your company must conform to the GDPR. 2- If you have a company located in the EU and handle personal data.

Transcribing here part of Article 3 of the GDPR:

1.This Regulation applies to the processing of personal data carried out in the context of the activities of an establishment of a controller or a subcontractor located in the territory of the Union, regardless of whether the processing takes place inside or outside the Union.

2.This Regulation applies to the processing of personal data of holders residing in the territory of the Union, carried out by a controller or processor not established in the Union, when the processing activities are related to:

a)The provision of goods or services to such data subjects in the Union, regardless of the requirement for data subjects to make a payment;

b)Control of their behavior, provided that such behavior takes place in the Union.