PDPF Questions and Answers

Section: (none)

Explanation

Controller. Correct. The controller is responsible for adequate data security measures and must be able to demonstrate compliance with the GDPR. (Literature:A, Chapter 2)

Data protection officer (DPO). Incorrect. The DPO has expert knowledge and assists the controller or processor to monitor internal compliance.

Processor. Incorrect. The processor is the one who processes personal data according to the instructions of the controller. The controller remains ultimately responsible though.

Supervisory authority. Incorrect. The controller needs to demonstrate compliance with the GDPR if requested by the supervisory authority.

When we have a Regulation, such as the GDPR, all EU member states are obliged to follow it. The regulation is a law and Member States cannot create laws that oppose it. Unlike the Directives that set objectives to be achieved, however, each Member State is free to decide how to apply them in its country.

Another option says: “A server is attacked and exploited by a hacker”, however, here it does not provide information if that server contained personal data.

The other wrong option is: "Strategic company data is mistakenly shared". Strategic data is not personal data.

For these reasons, the correct option is “Personal data processed without the consent of the controller”. Note: even if the processor has a contract that authorizes the processing of personal data on behalf of the controller, it cannot perform any treatment to which it was not previously authorized, nor can it sub-process without the knowledge and consent of the controller.

Article 83 of GDPR

5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher...

Article 51 of GDPR

2. Each supervisory authority shall contribute to the consistent application of this Regulation throughout the

Union.

When we have a Regulation, such as the GDPR, all EU member states are obliged to follow it and have a fixed date for entry into force. The regulation is a law and Member States cannot create laws that oppose it. Unlike the Directives that set objectives to be achieved, however, each Member State is free to decide how to apply them in its country.

Important

Prior to the GDPR, there was the “95/46 / EC First Data Protection Directive (European DP)”. Approved in 1995, it was already aimed to protect personal data. This directive was replaced by the GDPR.

“Article 94: 1. Directive 95/46 / EC is repealed with effect from 25 May 2018.”

In the EXIN PDPF exam this is a question that is routinely asked. “What directive has been replaced by GDPR?” Answer: 95/46 / EC.

Anonymized data is not under the scope of the GDPR, nor are data from deceased persons. Organizations that handle only this type of data do not need to conform to the GDPR.

Anonymized data reads data that is not possible to reverse in order to identify the data subject. There is also pseudonymized data, in which case it is possible to perform the reversal and identify the data holder.

Information of local and national authorities that were informed about the data breach. Incorrect. The supervisory authority must be made aware of reports to supervisory authorities in other EEA countries. Reports to local authorities, for instance the police, do not need to be reported.

Name and contact details of the data subjects whose data may have been breached. Incorrect. The supervisory authority requires an estimate of the number of data subjects involved, not their personal data.

Suggested measures to mitigate the adverse consequences of the data breach. Correct. The controller should add suggested measures to mitigate the adverse consequences of the data breach. (Literature: A, Chapter 7; GDPR Article 33(q))

The information needed to access the personal data that have been breached. Incorrect. The supervisory authority needs to know the type of personal data involved, but does not need access to the data themselves.

There are some types of cookies, each with its own purpose.

Cookies are considered personal data, as they can identify a person.

In the case of the issue we are talking about the Tracking Cookies. These monitor our browsing activities and bombard us with advertisements and advertisements.

You may have already encountered the situation of searching for a particular product on the internet and then seeing ads for that product or similar on various websites.

Article 4 dealing with the GDPR Definitions says in its paragraph 8:

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

The purpose of GDPR is to protect personal data. In the case of this issue there was no loss of personal data, so it is not a data breach.

Important

A data breach is whenever something happens that has not been planned with the personal data, be it improper processing, improper sharing, loss of data, deletion, etc. That is, personal data must be used for a specific purpose, respecting the life cycle (from collection to exclusion), any situation that escapes this cycle must be reported as a data breach.

GDPR does not apply to the use of personal data for domestic purposes, however in this example the controller is the Social Network, as it performs the processing of the photos. Therefore, the owner has the right to delete this photo.

For domestic purposes, data collection is not intended for professional or commercial purposes. Examples are the get-togethers of friends and family where we can collect names, phone numbers, e-mails to facilitate the organization, as well as taking pictures to record the moment. Now if you have a blog where you can record several moments with your friends and you monetize it in some way – watch out! – you are under the scope of GDPR.

Whereas Recital 18: “This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.”

Applied security standards must assure the confidentiality, integrity and availability of personal data throughout their lifecycle. Incorrect. This is an aspect of End-to-End Security - Lifecycle Protection, one of the other six basic principles.

If different types of legitimate objectives are contradictory, the privacy objectives must be given priority over other security objectives. Incorrect. Data protection by design rejects the idea that privacy competes with other interests, design objectives, and technical capabilities.

When embedding privacy into a given technology, process, or system, it should be done in such a way that full functionality is not impaired. Correct. This is the essence. (Literature: A, Chapter 8; GDPR Article 25)

Wherever possible, detailed privacy impact and risk assessments should be carried out and published, clearly documenting the privacy risks. Incorrect. This is an aspect of Privacy Embedded into Design, one of the other six basic principles.