Free Practice Questions for Exin PDPF Exam

The principle of limitation of purposes says that personal data must be collected for specific, explicit and legitimate purposes and cannot be further processed in a way incompatible with those purposes.

When the data is sold to another company, we can conclude that it was acquired by a controller for a specific purpose and that it subsequently sold it without the owner’s knowledge and consent.

As stated in the statement, Article 9 concerns the treatment of special categories of personal data, also called sensitive data.

This is a type of question that is often asked by EXIN. Important to remember which types of data are categorized as sensitive.

Article 9: Processing of special categories of personal data

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

Examples of sensitive data: Race, skin color, family tree, political party, political party affiliation, religious beliefs, illness, test results, digital, facial recognition and sexual preference. These are just a few examples.

Accuracy. Incorrect. Accuracy is the principle that personal data shall be accurate and kept up to date.

Data minimization. Correct. Data minimization means that personal data shall be adequate, relevant and limited to what is necessary. (Literature: A, Chapter 2; GDPR Article 5(1))

Fairness and transparency. Incorrect. Fairness and transparency mean that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Purpose limitation. Incorrect. Purpose limitation means that personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with GDPR Article 89(1), not be considered to be incompatible with the initial purposes.

Article 9 of the GDPR legislation on “Treatment of special categories of personal data”.

Also called sensitive data.

In its first paragraph it quotes:

“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”

To advise the controller on the mitigation of privacy risks to protect the controller from liability claims for non-compliance. Incorrect. The supervisory authority has the task to monitor compliance and to advise on enhancements, but its purpose is not to protect the controller.

To fulfill the obligation in the GDPR to implement appropriate technical and organizational measures for data protection. Incorrect. The audit is not the implementation of the measures, but an assessment of the effectiveness of them.

To monitor and enforce the application of the GDPR by assessing that processing is performed in compliance with the GDPR. Correct. According to the GDPR this is an important task of a supervisory authority. (Literature: A, Chapter 7; GDPR Article 57 (1)(a))

Here we have a very common catch in EXIN exams.

As stated “monthly a report is issued”. Therefore, the report issued and with the average number of cars for each day is known, there is no longer a need to keep the license plate records. The information on the average number of cars per day is already sufficient for the planning of rotating parking as well as sufficient for a future comparison. So, there is no need to keep personal data stored for 5 years.

You may be wondering if a license plate is personal data. The answer is yes. Any information that makes it possible to identify a person is considered personal data.

A real and interesting example was a wife who identified her husband’s car at a friend’s house through Google Maps. The license plates on Google Maps are erased for security, but the car had a specific sticker. See that the wife gathered two pieces of information: car model and sticker, to identify her husband. In isolation neither of these two is a personal data, but together they become, because it was possible to identify it.

Luckily for his wife, who discovered his affair with her friend.

GDPR uses the term data breach.

Article 4 paragraph 12

‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

The controller must ask the supervisory authority for permission to outsource the processing of the data. Incorrect. The controller does not have to ask the supervisory authority for permission for each instance of outsourcing.

The controller must ask the supervisory authority if the agreed written contract is compliant with the regulations. Incorrect. The supervisory authority is not a legal counsel and will not check contracts for compliance.

The controller and processor must draft and sign a written contract guaranteeing the confidentiality of the data. Correct. There must be a written contract guaranteeing the confidentiality of the data, listing the purposes and means of processing as defined by the controller and specifying that processor will only process on instruction of the controller. Both parties must sign this contract. (Literature: A, Chapter 8; GDPR Article 28 (3))

The processor must show the controller that all demands agreed in the service level agreement (SLA) are met. Incorrect. An SLA is not enough as it will focus on operations, not necessarily on purposes.