Pass the Exin Privacy & Data Protection PDPF Questions and answers with CertsForce

It aims to manage the flow of data throughout the life cycle, from collection, processing, sharing, storage and deletion.

Having the knowledge where the data travels, who is responsible, who has access, helps and a lot to implement security measures.

Ascertain whether the breach may have resulted in loss or unlawful processing of personal data: Correct. The very first thing that needs to be done is ascertain that the security incident is in fact a personal data breach. (Literature: A, Chapter 5)

Assess the risk of adverse effects to the data subjects using a data protection impact assessment (DPIA): Incorrect. A DPIA is conducted when designing personal data processing operations. It is not a part of the procedure for a data breach.

Assess whether personal data of a sensitive nature has or may have been unlawfully processed. Incorrect. This is the next step if the incident proves to be a personal data breach - ascertain what type of data breach.

Report the breach immediately to all data subjects and the relevant supervisory authority. Incorrect. Whether the data breach needs to be reported and to whom depends on whether it is a data breach and if so, the type of data breach.

When we talk about protection by design, we are considering data protection throughout the data lifecycle, from collection, processing, sharing, storage and deletion.

As stated in the statement, Article 9 concerns the treatment of special categories of personal data, also called sensitive data.

This is a type of question that is often asked by EXIN. Important to remember which types of data are categorized as sensitive.

Article 9: Processing of special categories of personal data

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

Examples of sensitive data: Race, skin color, family tree, political party, political party affiliation, religious beliefs, illness, test results, digital, facial recognition and sexual preference. These are just a few examples.

In its Article 5, which deals with the Principles concerning the processing of personal data, paragraph 1, the GDPR describes:

1. Personal data shall be:

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed («data minimisation»);

In the Article 5 all the principles of GDPR for processing personal data are quoted.

The data minimization principle refers to the purpose of the law that only the data that is required for processing should be collected.

This is also favorable to businesses. The less data is collected, the less likely violations are to occur and consequently the impacts also decrease.

The right to compensation. Incorrect. It is unlikely that all data subjects will suffer harm that must be compensated in this scenario.

The right to object to profiling. Correct. All data subjects have a right to object to the processing of personal data for direct marketing, including profiling. This is clearly profiling. (Literature: A, Chapter 4)

The right to rectification. Incorrect. It is unlikely that the company has incorrect data on all data subjects, so the right to rectification does not apply.

Recital 124 tells us:

“Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union and the controller or processor is established in more than one Member State, or where processing taking place in the context of the activities of a single establishment of a controller or processor in the Union substantially affects or is likely to substantially affect data subjects in more than one Member State, the supervisory authority for the main establishment of the controller or processor or for the single establishment of the controller or processor should act as lead authority...”

But what is Main Establishment?

Article 4, paragraph 16, gives us the definitions:

16) «Main establishment»:

a)as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;

b)as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations

under this Regulation.

An approach that implements data protection from the start. Correct. This is a correct description. (Literature: A, Chapter 8; GDPR Article 25(1))

An indication of timeframes if processing relates to erasure. Incorrect. This is a description of a data protection impact assessment (DPIA).

Data may only be collected for explicit and legitimate purposes. Incorrect. This is a description of measures taken to comply with the principle of purpose limitation.

Not holding more data than is strictly required for processing. Incorrect. This is a description of procedures to comply with the principle of data minimization.