PDPF Privacy and Data Protection Foundation Questions and Answers

Implement technical and organizational measures to ensure compliance. Incorrect. This is the task of the controller.

Investigate security breaches of corporate information. Incorrect. Only breaches of personal data are a concern of the supervisory authority.

Monitor and enforce the application of the GDPR. Correct. This is the main task of any supervisory authority. (Literature: A, Chapter 7)

It aims to manage the flow of data throughout the life cycle, from collection, processing, sharing, storage and deletion.

Having the knowledge where the data travels, who is responsible, who has access, helps and a lot to implement security measures.

Article 83 of GDPR

5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher...

Article 51 of GDPR

2. Each supervisory authority shall contribute to the consistent application of this Regulation throughout the

Union.

It is the duty of the processor to guarantee security in the treatment of the data entrusted to it by the controller.

An offense to privacy, as any illegal processing of personal data is considered an offense.

Section: (none)

Explanation

Controller. Correct. The controller is responsible for adequate data security measures and must be able to demonstrate compliance with the GDPR. (Literature:A, Chapter 2)

Data protection officer (DPO). Incorrect. The DPO has expert knowledge and assists the controller or processor to monitor internal compliance.

Processor. Incorrect. The processor is the one who processes personal data according to the instructions of the controller. The controller remains ultimately responsible though.

Supervisory authority. Incorrect. The controller needs to demonstrate compliance with the GDPR if requested by the supervisory authority.

Whenever a new technology is applied, a DPIA must be performed. In addition, a DPIA must be performed before starting the processing of personal data. This is important to check for risks to data subjects since data collection.

In its Article 35 the GDPR legislates on the Impact assessment on data protection.

1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

It is up to a supervisory authority to inspect and take measures to compel companies to conform to the GDPR.

According to paragraph 1 of Article 51.

1. Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (‘supervisory authority’).

Chapter VI of the GDPR talks about laws on independent supervisory authorities.

Companies have tax obligations to be fulfilled, so financial data cannot be deleted.

The data subject has several rights under the GDPR, however there are limitations. These rights cannot run counter to other specific legislation. In this case, the holder can exercise the right of Opposition instead of Exclusion. In the Right of Opposition, he requests the Controller to cease the processing of his data for non- consented purposes. An example of Opposition: in Brazil there was the website naomeperturbe.com.br, where millions of Brazilians could oppose the inconvenient calls made by the telecommunication service providers.

The fundamental right to protection of personal data, regardless of how it was obtained. Incorrect. This is a definition of data protection.

The right not to be disturbed by uninvited people, nor being followed, spied on or monitored. Incorrect. This is a definition of physical privacy. However, the GDPR does not concern itself with physical privacy.

The right to respect for one’s private and family life, home and personal correspondence. Correct. This is the definition as implicitly used throughout the GDPR. (Literature: A, Chapter 1)

The right to freedom of opinion and expression and to seeking, receiving and imparting information. Incorrect. This is a short version of Universal Declaration of Human Rights Article 19: freedom of opinion and expression.

There are some types of cookies, each with its own purpose.

Cookies are considered personal data, as they can identify a person.

In the case of the issue we are talking about the Tracking Cookies. These monitor our browsing activities and bombard us with advertisements and advertisements.

You may have already encountered the situation of searching for a particular product on the internet and then seeing ads for that product or similar on various websites.

When we have a Regulation, such as the GDPR, all EU Member States are obliged to follow it and have a fixed date to entry into force. The regulation is a law and Member States cannot create laws that oppose it. Unlike the Directives that set objectives to be achieved, however, each Member State is free to decide how to apply them in their countries.

Important

Prior to the GDPR, there was a Directive “95/46 / EC First Data Protection Directive. Approved in 1995, it was already aimed at protecting personal data. This directive was replaced by GDPR.

“Article 94: 1. Directive 95/46 / EC is repealed with effect from 25 May 2018."

In the EXIN PDPF exam this is an issue that is routinely asked. “Which directive has been replaced by GDPR?” Answer: 95/46 / EC.

When we are talking about protection by design, we are considering a data protection throughout the data lifecycle, from the collection, processing, sharing, storage and deletion.

When we focus on protecting the data on all the phases risk of not fulfilling any legal obligations decreases significantly.

Direct personal data. Incorrect. Both direct and indirect data are described.

Indirect personal data. Incorrect. Both direct and indirect data are described.

Pseudonymized data. Incorrect. Pseudonymized data cannot directly reveal information.

Special category personal data. Correct. This is a definition of special category personal data. (Literature: A, Chapter 1; GDPR Article 4)

Section: (none)

Explanation

The organization minimizes the risk of costly adjustments in processes or the redesign of systems in a later stage. Incorrect. This aspect may strengthen the confidence of management, but not of customers or citizens.

The organization prevents non-compliance with the GDPR and minimizes the risk of fines. Incorrect. Preventing fines may strengthen the confidence of management, but not of customers or citizens.

The organization proves that it takes privacy seriously and aims for compliance with the GDPR. Correct. Doing a DPIA shows customers or citizens that the company is serious about data protection. (Literature: A, Chapter 8)

Compulsory Corporate Rules are rules used internally by multinational companies to transfer personal data. Thus, it is possible to transfer data between them, even if the destination company is in a country that does not have an adequate level of data protection. These rules are like an internal corporate code of conduct and do not cover transfers of personal data outside the corporate group.

Do not confuse "Compulsory Corporate Rules" with "Standard Contractual Clauses". The last are clauses in contracts for international data transfer between companies (customer and supplier relationship) where the destination country does not have an adequate level of data protection, and depends on authorization from the Supervisory Authority.

Article 58 of GDPR

3. supervisory authority shall have all of the following authorisation and advisory powers:

a) to advise the controller in accordance with the prior consultation procedure referred to in Article 36.