Pass the Exin Privacy & Data Protection PDPF Questions and answers with CertsForce

The front line with the data holder is the Controller, see image. So, it is he who has to show compliance, who must be concerned with the legality of processing, who must implement security measures.

Privacy is a right that must be protected, and Data Protection are the measures that will be used to achieve this protection.

Data protection and privacy complement each other, but they are not the same.

A well-known phrase is: “You can have security without privacy, but you cannot have privacy without security”.

Recital 4 of the GDPR says:

The processing of personal data should be designed to serve individuals. The right to protection of personal data is not absolute; it must be considered in relation to its role in society and balanced with other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedom and principles recognized in the Charter, enshrined in the Treaties, namely respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom of business, the right to action and an impartial tribunal, and cultural, religious and linguistic diversity.

Article 6 legislates on the lawfulness of treatment and in it cites the 6 legal bases provided:

1 - the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

2- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering a contract

3 - processing is necessary for compliance with a legal obligation to which the controller is subject;

4- processing is necessary in order to protect the vital interests of the data subject or of another natural person;

5- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

6- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which requires protection of personal data, in particular where the data subject is a child.

Article 4 dealing with the GDPR Definitions says in its paragraph 8:

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

When we talk about protection by design, we are considering data protection throughout the data lifecycle, from collection, processing, sharing, storage and deletion.

When we focus on protecting data at all of these stages, the risk of not meeting any legal obligations is significantly reduced.

Data Life Cycle Management (DLM)

It aims to manage data flow throughout the lifecycle, from collection, processing, sharing, storage and deletion. Having the knowledge where the data travels, who is responsible, who has access, helps a lot to implement

security measures.

The controller is responsible for performing the DPIA. However, after executing it, it is necessary to have the opinion of the DPO – in charge of Data Protection, so that it can give its opinion, favorable or not for the continuity of processing.

Article 35 of GDPR

2.The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.

A decision on the safety of transferring personal data to a non-EEA country. Incorrect. This refers to adequacy decisions.

A measure to compensate for the lack of personal data protection in a third country. Incorrect. This refers to appropriate safeguards.

A set of agreements covering personal data transfers between non-EEA countries. Incorrect. The GDPR does not cover agreements between non-EEA countries.

A set of approved rules on personal data protection used by a group of enterprises. Correct. BCR are a set of rules approved by the supervisory authorities. (Literature: A, Chapter 3; GDPR Article 47)

Personal data are collected for specified, explicit and legitimate purposes and not further processed. Incorrect. The local government is entitled to collect data on the number of cars present.

Personal data are kept in a form permitting identification of data subjects for no longer than is necessary. Correct. In the given scenario, there is no need to retain the data of a specific car identifying the owner once it has left the area (Literature: A, Chapter 2; GDPR Article 5)

Personal data are processed in a manner that ensures appropriate security of the personal data. Incorrect. The scenario does not suggest inappropriate security.

Personal data are processed in a transparent manner in relation to the data subject. Incorrect. The processing is taking place transparently, since it is communicated properly to the data subjects.