Pass4Future also provides interactive practice exam software for preparing effectively for the Exin Privacy and Data Protection Foundation (PDPF) exam. You are welcome to explore the free sample Exin PDPF exam questions below and to try the Exin PDPF practice test software.
A person is moving from city A to city B, within an EEA member state. In city A he was a patient of the local hospital
Answer : C
The hospital in A can send the data directly to hospital B, as requested by the patient. Correct. The right to portability allows this. (Literature: A, Chapter 3)
The hospital in A can send the file to hospital B, before the patient has requested it. Incorrect. The hospital in B can only acquire the file from A with consent or if it is in the vital interest of the data subject and consent cannot be obtained.
The hospital in A can send the medical file to the data subject, but not to another hospital. Incorrect. The data subject can ask for the data to be sent directly.
The hospital in A cannot send the file, because there is no legitimate ground for processing. Incorrect. A request, which implies consent, of the data subject is a sufficient legitimate ground.
A controller wants to outsource processing of personal data to a processor. What must be done before outsourcing?
Answer : B
The controller must ask the supervisory authority for permission to outsource the processing of the data. Incorrect. The controller does not have to ask the supervisory authority for permission for each instance of outsourcing.
The controller must ask the supervisory authority if the agreed written contract is compliant with the regulations. Incorrect. The supervisory authority is not a legal counsel and will not check contracts for compliance.
The controller and processor must draft and sign a written contract guaranteeing the confidentiality of the data. Correct. There must be a written contract guaranteeing the confidentiality of the data, listing the purposes and means of processing as defined by the controller and specifying that the processor will only process on instruction of the controller. Both parties must sign this contract. (Literature: A, Chapter 8; GDPR Article 28 (3))
The processor must show the controller that all demands agreed in the service level agreement (SLA) are met. Incorrect. An SLA is not enough as it will focus on operations, not necessarily on purposes.
To plan the amount of parking space needed, a local government monitors and saves the license plate number of every car that enters and leaves the city center. They have obtained permission to collect data on the number of cars present in the city center. By comparing the license plate time of entry and exit, the number of cars present at every moment of each day is calculated. Each month a report is created detailing the average number of cars in the city center at specific moments for every day of the week. At every entrance to the city center, a billboard clearly states what data is collected by whom, the purpose of the processing and the fact that the license plate numbers are saved securely for up to two years, because the measurements will be repeated next year. Which of the basic principles for legitimate processing of personal data is violated in this scenario?
Answer : C
Personal data are collected for specified, explicit and legitimate purposes and not further processed. Incorrect. The local government is entitled to collect data on the number of cars present.
Personal data are kept in a form permitting identification of data subjects for no longer than is necessary. Correct. In the given scenario, there is no need to retain the data of a specific car identifying the owner once it has left the area. (Literature: A, Chapter 2; GDPR Article 5)
Personal data are processed in a manner that ensures appropriate security of the personal data. Incorrect. The scenario does not suggest inappropriate security.
Personal data are processed in a transparent manner in relation to the data subject. Incorrect. The processing is taking place transparently, since it is communicated properly to the data subjects.
A Belgian company has their headquarters in France for tax purposes. They enter into a legally binding contract with a processor in the Netherlands for the processing of personal data of data subjects with various nationalities. A personal data breach occurs. The supervisory authorities start an investigation. Why is the French supervisory authority seen as the lead supervisory authority?
Answer : A
Because France is located in the middle of Europe. Incorrect. The geographical position of the countries is irrelevant.
Because France is the largest of the three EEA countries. Incorrect. The size of the countries is irrelevant.
Because the company has their headquarters in France. Correct. The country of the main establishment determines the lead supervisory authority. The 'main establishment' is the place of the central administration of that organization, or in other words: headquarters. (Literature: A, Chapter 7)
The GDPR describes the principle of data minimization. How can organizations comply with this principle?
Answer : C
By applying the concept of least privilege to the personal data collected, stored or otherwise processed. Incorrect. Data minimization does not address least privilege.
By limiting access rights to staff who need the personal data for the intended processing operations. Incorrect. This describes the concept of limiting authorization, for instance to comply with the principle of integrity and confidentiality.
By limiting file sizes, through saving all personal data that is processed in the smallest possible format. Incorrect. Data minimization according to the GDPR is not about storage size, but about minimizing the use of personal data.
By limiting the personal data to what is adequate, relevant and necessary for the processing purposes. Correct. This is the essence of the description in the GDPR. (Literature: A, Chapter 2; GDPR Article 5(1)(c))