01. A security breach has occurred in an information system that also holds personal data. According to the GDPR, what is the very first thing the controller must do?
a) Ascertain whether the breach may have resulted in loss or unlawful processing of personal data
b) Assess the risk of adverse effects to the data subjects using a data protection impact assessment (DPIA)
c) Assess whether personal data of a sensitive nature has or may have been unlawfully processed
d) Report the breach immediately to all data subjects and the relevant supervisory authority
02. The GDPR does not define privacy as a term but uses the concept implicitly throughout the text. What is a correct definition of privacy as implicitly used throughout the GDPR?
a) The fundamental right to protection of personal data, regardless of how it was obtained
b) The right not to be disturbed by uninvited people, nor being followed, spied on or monitored
c) The right to respect for one's private and family life, home and personal correspondence
d) The right to freedom of opinion and expression and to seeking, receiving and imparting information
03. A breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. What is the exact term that is associated with this definition in the GDPR?
a) Confidentiality violation
b) Personal data breach
c) Security breach
d) Security incident
04. Which data subject right is explicitly defined by the GDPR?
a) Personal data must always be erased if the data subject requests this.
b) A copy of personal data must be provided in the format requested by the data subject.
c) Personal data must always be changed at the request of the data subject.
d) Access to personal data must be provided free of charge for the data subject.
05. A shopkeeper wants to register how many visitors enter his shop every day. A system detects the MAC address of each visitor's smartphone. It is impossible for the shopkeeper to identify the owner of the phone from this signal, but telephone providers can link the MAC address to the owner of the phone.
According to the GDPR, is the shopkeeper allowed to use this method?
a) No, because the telephone's MAC address must be regarded as personal data.
b) No, because the telephone providers are the owners of the MAC addresses.
c) Yes, because the shopkeeper cannot identify the owner of the telephone.
d) Yes, because the visitor has automatically consented by connecting to the Wi-Fi.
06. When personal data are processed, who is ultimately responsible for demonstrating compliance with the GDPR?
a) Supervisory authority
c) Data protection officer (DPO)
07. According to the principle of purpose limitation, data should not be processed beyond the legitimate purpose defined. However, further processing is allowed in a few specific cases, provided that appropriate safeguards for the rights and freedoms of the data subjects are taken.
For which purpose is further processing not allowed?
a) For archiving purposes in the public interest
b) For direct marketing and commercial purposes
c) For generalized statistical purposes
d) For scientific or historical research purposes
08. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Which data processing principle is described here?
a) Purpose limitation
b) Fairness and transparency
d) Data minimization
09. A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Which role in data protection is defined here?
c) Supervisory authority
d) Third party
10. Organizations are obliged to keep a number of records to demonstrate compliance with the GDPR. Which record is not obligatory according to the GDPR?
a) A record of all intended processing together with the processing purpose(s) and legal justifications
b) A record of data breaches with all relevant characteristics, including notifications
c) A record of notifications sent to the supervisory authority regarding processing of personal data
d) A record of processors including personal data provided and the period this data can be retained