Free Practice Questions for Exin PDPF Exam

Ascertain whether the breach may have resulted in loss or unlawful processing of personal data: Correct. The very first thing that needs to be done is ascertain that the security incident is in fact a personal data breach. (Literature: A, Chapter 5)

Assess the risk of adverse effects to the data subjects using a data protection impact assessment (DPIA): Incorrect. A DPIA is conducted when designing personal data processing operations. It is not a part of the procedure for a data breach.

Assess whether personal data of a sensitive nature has or may have been unlawfully processed. Incorrect. This is the next step if the incident proves to be a personal data breach - ascertain what type of data breach.

Report the breach immediately to all data subjects and the relevant supervisory authority. Incorrect. Whether the data breach needs to be reported and to whom depends on whether it is a data breach and if so, the type of data breach.

When we have a Regulation, such as the GDPR, all EU member states are obliged to follow it and have a fixed date for entry into force. The regulation is a law and Member States cannot create laws that oppose it. Unlike the Directives that set objectives to be achieved, however, each Member State is free to decide how to apply them in its country.

Important

Prior to the GDPR, there was the “95/46 / EC First Data Protection Directive (European DP)”. Approved in 1995, it was already aimed to protect personal data. This directive was replaced by the GDPR.

“Article 94: 1. Directive 95/46 / EC is repealed with effect from 25 May 2018.”

In the EXIN PDPF exam this is a question that is routinely asked. “What directive has been replaced by GDPR?” Answer: 95/46 / EC.

A record of all intended processing together with the processing purpose(s) and legal justifications.

Incorrect. A record of all intended processing with the purpose(s) and legal justifications must be kept.

A record of data breaches with all relevant characteristics, including notifications. Incorrect. A record of data breaches must be kept.

A record of notifications sent to the supervisory authority regarding processing of personal data. Correct. Prior consultation of high-risk processing is obligatory, but there is no need for a separate record of notifications sent. (Literature: A, Chapter 6;GDPR Article 36(1))

A record of processors including personal data provided and the period this data can be retained. Incorrect. A record of processors and data provided must be kept.

Implement technical and organizational measures to ensure compliance. Incorrect. This is the task of the controller.

Investigate security breaches of corporate information. Incorrect. Only breaches of personal data are a concern of the supervisory authority.

Monitor and enforce the application of the GDPR. Correct. This is the main task of any supervisory authority. (Literature: A, Chapter 7)

Another option says: “A server is attacked and exploited by a hacker”, however, here it does not provide information if that server contained personal data.

The other wrong option is: "Strategic company data is mistakenly shared". Strategic data is not personal data.

For these reasons, the correct option is “Personal data processed without the consent of the controller”. Note: even if the processor has a contract that authorizes the processing of personal data on behalf of the controller, it cannot perform any treatment to which it was not previously authorized, nor can it sub-process without the knowledge and consent of the controller.

This is sensitive data, so the loss must be reported to both the responsible authority and the data subjects.