PDPF 시험 - EXIN실제시험문제와 답 - 149문항

Question No : 1

Which of the following types of transfers of personal data outside the European Economic Area (EEA) is allowed?

A.Transfer between country governments.
B.Transfers subject to the law of the countries involved.
C.Transfers conducted through Standard Contractual Clauses.
D.Transfers conducted under Compulsory Corporate Rules.

정답:
Explanation:
Compulsory Corporate Rules are rules used internally by multinational companies to transfer personal data. Thus, it is possible to transfer data between them, even if the destination company is in a country that does not have an adequate level of data protection. These rules are like an internal corporate code of conduct and do not cover transfers of personal data outside the corporate group.
Do not confuse "Compulsory Corporate Rules" with "Standard Contractual Clauses". The last are clauses in contracts for international data transfer between companies (customer and supplier relationship) where the destination country does not have an adequate level of data protection, and depends on authorization from the Supervisory Authority.
Article 58 of GDPR

Question No : 2

Which of the following options describes the concept of data minimization?

A.It is the minimization of data storage locations.
B.It is the decrease in the space allocated for data storage.
C.It is the limitation of data to the purposes for which it is treated.
D.It is the use of data for the shortest possible time.

정답:
Explanation:
In its Article 5, which deals with the Principles relating to the processing of personal data, paragraph 1, the GDPR describes:

Question No : 3

What is the main objective of the “Lifecycle Protection” principle?

A.All appropriate measures shall be taken to ensure that inaccurate data, taking into account the purposes for which they are processed, are erased or rectified without a delay.
B.The processing of data must take place in a manner that ensures its security, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage.
C.Security measures should be in place from the moment data are collected until they are deleted.
D.Data must be collected for specified, explicit and legitimate purposes and may not be further processed in a manner incompatible with those purposes.

정답:
Explanation:
Data Life Cycle Management (DLM)
It aims to manage data flow throughout the lifecycle, from collection, processing, sharing, storage and deletion.
Having the knowledge where the data travels, who is responsible, who has access, helps a lot to implement security measures.

Question No : 4

After appearing in a photo posted by a friend on a social network, a person felt embarrassed and decided that he wants the photo to be deleted.
According to the General Data Protection Regulation (GDPR), does that person have the right to delete this photo?

A.False
B.True

정답:
Explanation:
GDPR does not apply to the use of personal data for domestic purposes, however in this example the controller is the Social Network, as it performs the processing of the photos. Therefore, the owner has the right to delete this photo.
For domestic purposes, data collection is not intended for professional or commercial purposes. Examples are the get-togethers of friends and family where we can collect names, phone numbers, e-mails to facilitate the organization, as well as taking pictures to record the moment. Now if you have a blog where you can record several moments with your friends and you monetize it in some way C watch out! C you are under the scope of GDPR.
Whereas Recital 18: “This Regulation does not apply to the processing of personal data by a naturalperson in the course of a purely personal or household activity and thus with no connection to aprofessional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities.
However, this Regulation applies to controllers or processors which provide the means for processingpersonal data for such personal or household activities.”

Question No : 5

Which of the parts below can implement data protection by design (from conception)?

A.The data subject.
B.The Data Protection Officer (DPO).
C.The processor.
D.The supervisory authority.

정답:
Explanation:
It is the duty of the processor to guarantee security in the treatment of the data entrusted to it by the controller.

Question No : 6

In the contract between the controller and processor for the processing of personal data, which of the options below represents the sole responsibility of the Controller?

A.Erase all personal data after the completion of treatment-related services, deleting existing copies.
B.Treat personal data only through documented instructions, including with regard to data transfers to third countries or international organizations.
C.Ensure that the persons authorized to process personal data have made a commitment to confidentiality.
D.Apply technical and organizational measures to ensure that only personal data that are necessary for each specific purpose of processing are processed.

정답:
Explanation:
The correct option is exclusively for the Controller, the others are for the Processor in accordance with Articles 25 and 28 of the GDPR.

Question No : 7

Which organizations need to comply with the General Data Protection Regulation (GDPR)?

A.Only organizations that have employees in the European Union (EU).
B.Only organizations that have their headquarters in the European Union (EU).
C.All organizations anywhere in the world.
D.All organizations located in the European Union and also organizations outside the European Union that offer goods or services to data subjects in the E

정답:
Explanation:
This is a question that has the most doubts: “Who needs to adapt?". For example: 1 - If you have a company in Brazil and sell products or services and process personal data from residents in the EU, in this case your company must conform to the GDPR. 2- If you have a company located in the EU and handle personal data.
Transcribing here part of Article 3 of the GDPR:

Question No : 8

A company is planning to process personal data. The recently appointed data protection officer (DPO) executes a data protection impact assessment (DPIA). The DPO finds that all computers have a setting causing monitors to show a screen saver after five seconds of inaction.
However, the computers are not locked automatically. When employees leave their desk, they usually do not lock their computers either.
What is this an example of?

A.Security incident
B.Personal data breach
C.Security vulnerability
D.Data access

정답:
Explanation:
Data access. Incorrect. The data have not been accessed.
Personal data breach. Incorrect. No personal data has been processed unauthorized yet, so it is not a breach.
Security incident. Incorrect. Processing has yet to begin, there is no reason to assume an incident has taken place.
Security vulnerability. Correct. Confidentiality of the data cannot be guaranteed if employees leave their workstation without locking the computer. (Literature: A, Chapter 2; GDPR Article 5(1)(f))

Question No : 9

GDPR quotes in one of its principles that personal data should be adequate, relevant and limited to what is necessary in relation to its purpose.
What principle is this?

A.integrity and confidentiality
B.purpose limitation
C.data minimization
D.lawfulness, loyalty and transparency

정답:
Explanation:
In its Article 5, which deals with the Principles concerning the processing of personal data, paragraph 1, the GDPR describes:

Question No : 10

The General Data Protection Regulation (GDPR) came into effect on May 25, 2018, what is the legal status of this regulation?

A.The GDPR is a functional law in all EU member states and Member States cannot rectify it.
B.The GDPR is only a recommendation. Member States should create laws to suit
C.Some articles in the GDPR provide guidance and allow Member States to draft more specific laws to suit.

정답:
Explanation:
When we have a Regulation, such as the GDPR, all EU member states are obliged to follow it. The regulation is a law and Member States cannot create laws that oppose it. Unlike the Directives that set objectives to be achieved, however, each Member State is free to decide how to apply them in its country.

Question No : 11

A written contract between a controller and a processor is called a data processing agreement.
According to the GDPR, what does not have to be covered in the written contract?

A.The contractor code of business ethics and conduct that is used.
B.Which data are covered by the data processing agreement
C.The information security and personal data breach procedures
D.The technical and organizational measures implemented

정답:
Explanation:
The contractor code of business ethics and conduct that is used. Correct. Although the GDPR endorses the use of codes of conduct and certification, it is not an obligation to have this clause to demonstrate compliance with the GDPR. (Literature: A, Chapter 8; GDPR Article 28(3))
The information security and personal data breach procedures. Incorrect. This is mandatory because it describes the obligations of the processor regarding the notification of a personal data breach (by the controller) to the supervisory authority.
The technical and organizational measures implemented. Incorrect. This is mandatory because it describes technical and organizational measures the processor must take.
Which data are covered by the data processing agreement. Incorrect. This is mandatory because it describes the personal data, including special category personal data, covered by the contract.

Question No : 12

What does the GDPR concept of ‘binding corporate rules’ (BCR) imply?

A.A commission decision on the safety of data transfer to a third country
B.A set of rules used by a group of enterprises concerning personal data protection in international transfers
C.Measures to compensate for the lack of data protection in a third country
D.Rules covering data transfers between third countries

정답:

Question No : 13

The General Data Protection Regulation (GDPR) allows processing of personal data only for purposes explicitly permitted by law. A tax advisor wants to file income tax returns for a neighbor.
Which of the legitimate grounds in the GDPR applies?

A.Processing of the personal data is permitted in this case with explicit consent of the data subject.
B.Processing of the personal data is permitted because this is necessary for compliance with a legal obligation to which the controller is subject.
C.Processing of personal data is permitted in the course of a purely personal or household activity.

정답:

Question No : 14

Personal data can be transferred outside of the EEA. According to the GDPR, which transfers outside the EEA are always lawful?
A. Transfers based on the laws of the non-EEA country concerns
B. Transfers falling under World Trade Organization rules
C. Transfers governed by approved binding corporate rules (BCR)
D. Transfers within a global corporation or organization

정답: C
Explanation:
Transfers based on the laws of the non-EEA country concerned. Incorrect. This would also require an adequacy decision confirming that those laws are sufficient.
Transfers falling under World Trade Organization rules. Incorrect. WTO only covers free trade of goods and services.
Transfers governed by approved binding corporate rules (BCR). Correct. Binding corporate rules approved by a supervisory authority involved make the transfer lawful. (Literature: A, Chapter 7; GDPR Article 47)
Transfers within a global corporation or organization. Incorrect. This would also require that they adopt official binding corporate rules.
Reference: https://edps.europa.eu/data-protection/data-protection/reference-library/international-transfers_en

Question No : 15

What should be done by the EU member states and is not a responsibility of the supervisory authorities?

A.Impose administrative fines to controllers
B.Make rules for penalizing other GDPR infringements
C.Order the controller to notify the data subject about a breach
D.Receive and process data breach notifications from controllers

정답:

EXIN PDPF 시험