Exam Questions Flashcards

1
Q

Assuming that personal data are processed, which statement about the GDPR/DPA2018 is INCORRECT?

A) The GDPR/DPA2018 aims to protect each data subject's privacy
B) The GDPR/DPA2018 places transfer obligations on controllers and processors whenever such transfers form part of the processing
C) The GDPR/DPA2018 expects data subjects to play their part in protecting personal data
D) The GDPR/DPA2018 requires controllers to impose contractual security obligations upon processors

A

C) The GDPR/DPA2018 expects data subjects to play their part in protecting personal data

2
Q

A controller’s staff have poor password protection. The controller could be in breach of…

A) (First) Principle in A.5(1)(a)
B) (Fourth) Principle in A.5(1)(d)
C) (Sixth) Principle in A.5(1)(f)
D) (Second) Principle in A.5(1)(b)

A

C) (Sixth) Principle in A.5(1)(f)

Integrity and Confidentiality

3
Q

A controller does not update personal data. The controller could breach the…

A) (First) Principle in A.5(1)(a)
B) (Fourth) Principle in A.5(1)(d)
C) (Sixth) Principle in A.5(1)(f)
D) (Second) Principle in A.5(1)(b)

A

B) (Fourth) Principle in A.5(1)(d)

Accuracy

4
Q

A controller that does not have a procedure for getting rid of records could breach the…

A) (First) Principle in A.5(1)(a)
B) (Fifth) Principle in A.5(1)(e)
C) (Sixth) Principle in A.5(1)(f)
D) (Second) Principle in A.5(1)(b)

A

B) (Fifth) Principle in A.5(1)(e)

Storage Limitation

5
Q

A controller that does not properly explain to data subjects the purpose behind the processing of their personal data could be in breach of…

A) (First) Principle in A.5(1)(a)
B) (Fifth) Principle in A.5(1)(e)
C) (Sixth) Principle in A.5(1)(f)
D) (Second) Principle in A.5(1)(b)

A

A) (First) Principle in A.5(1)(a)

Lawfulness, fairness and transparency

6
Q

If a controller does not supervise a supplier’s security arrangements, the controller could breach…

A) (First) Principle in A.5(1)(a)
B) (Fifth) Principle in A.5(1)(e)
C) (Sixth) Principle in A.5(1)(f)
D) (Second) Principle in A.5(1)(b)

A

C) (Sixth) Principle in A.5(1)(f)

Integrity and confidentiality

7
Q

A controller that processes personal data in a way that is discriminatory could breach…

A) (First) Principle in A.5(1)(a)
B) (Fifth) Principle in A.5(1)(e)
C) (Sixth) Principle in A.5(1)(f)
D) (Second) Principle in A.5(1)(b)

A

A) (First) Principle in A.5(1)(a)

Lawfulness, fairness and transparency

8
Q

A controller installs electronic door locks which can be opened by unauthorised personnel. The controller could be in breach of…

A) (First) Principle in A.5(1)(a)
B) (Fifth) Principle in A.5(1)(e)
C) (Sixth) Principle in A.5(1)(f)
D) (Second) Principle in A.5(1)(b)

A

C) (Sixth) Principle in A.5(1)(f)

Integrity and confidentiality

9
Q

A controller that does not have a retention policy could breach the…

A) (First) Principle in A.5(1)(a)
B) (Fifth) Principle in A.5(1)(e)
C) (Sixth) Principle in A.5(1)(f)
D) (Second) Principle in A.5(1)(b)

A

B) (Fifth) Principle in A.5(1)(e)

Storage limitation

10
Q

A controller that does not consider employing encryption could breach the…

A) (First) Principle in A.5(1)(a)
B) (Fifth) Principle in A.5(1)(e)
C) (Sixth) Principle in A.5(1)(f)
D) (Second) Principle in A.5(1)(b)

A

C) (Sixth) Principle in A.5(1)(f)

Integrity and confidentiality

11
Q

A controller that does not have a working from home policy could be in breach of…

A) (First) Principle in A.5(1)(a)
B) (Fifth) Principle in A.5(1)(e)
C) (Sixth) Principle in A.5(1)(f)
D) (Second) Principle in A.5(1)(b)

A

C) (Sixth) Principle in A.5(1)(f)

Integrity and confidentiality

12
Q

A controller that holds personal data indefinitely could be in breach of…

A) (First) Principle in A.5(1)(a)
B) (Fifth) Principle in A.5(1)(e)
C) (Sixth) Principle in A.5(1)(f)
D) (Second) Principle in A.5(1)(b)

A

B) (Fifth) Principle in A.5(1)(e)

Storage limitation

13
Q

What is NOT a function of the DPO?

A) Develop data protection policies/procedures
B) Provide advice on data protection act and related legislation
C) Analyse breaches and take corrective actions
D) Accept data protection risks on behalf of the controller

A

D) Accept data protection risks on behalf of the controller

14
Q

What is NOT a function of a DPO?

A) Liaise with the ICO
B) Draft processor contracts for the controller
C) Undertake audits and investigations whenever needed
D) Ensure records of all data protection activity are kept

A

B) Draft processor contracts for the controller

15
Q

Where should the data protection function sit in a controller’s structure?

A) In a compliance unit
B) As part of information assurance/governance/IT
C) As part of the legal team
D) It depends on the culture of the organisation

A

D) It depends on the culture of the organisation

16
Q

What is the most likely justification for a disclosure of personal data concerning Ebola?

A) Necessary in the vital interests of the data subject
B) with the data subject’s consent
C) Necessary contractual obligation in relation to the data subject
D) Necessary for the administration of justice

A

A) Necessary in the vital interests of the data subject

17
Q

What is the most likely justification for a VOLUNTARY disclosure of personal data to the police (eg reporting a crime)?

A) With data subject consent
B) Necessary for a contractual obligation with the data subject
C) Necessary for legal obligation
D) Necessary for public functions of public bodies

A

D) Necessary for public functions of public bodies

18
Q

What is the likely justification for the use of CCTV by a small shopkeeper?

A) With data subject consent
B) Necessary for a contractual obligation
C) Necessary for a legal obligation
D) Necessary for the legitimate interest of the controller, taking into account whether there is an overriding legitimate interest on the part of the data subject

A

D) Necessary for the legitimate interest of the controller, taking into account whether there is an overriding legitimate interest on the part of the data subject

19
Q

What is the most likely justification for the use of personal data for marketing?

A) With data subject consent
B) Contractual Obligation
C) Vital interests
D) Legitimate interests

A

A) With data subject consent

20
Q

What is the most likely justification for an employer using an employee’s personal data?

A) Employee consent
B) Contractual obligation
C) Legal obligation
D) Legitimate interests

A

B) Contractual obligation

21
Q

What is the most likely justification for a MANDATORY disclosure of personal data to HMRC?

A) With data subject consent
B) Contractual Obligation
C) Legal Obligation
D) Public functions of public bodies

A

C) Legal Obligation

22
Q

What is an invalid Article 6 & 9 pairing when processing health personal data?

A) Necessary for any contract so long as the processing is explicitly described in the contract
B) Necessary for functions of a public body providing health services
C) Necessary for the vital interests of the data subject
D) Necessary for legal obligation in employment law

A

A) Necessary for any contract so long as the processing is explicitly described in the contract

23
Q

What is an invalid Article 6 & 9 pairing when processing health records?

A) Necessary for the functions of a public authority under an enactment such as NHS Trust
B) With fully information knowledge of the data subject
C) Necessary for the vital interests of the data subject
D) Necessary for legal obligation in employment law

A

B) With fully information knowledge of the data subject

24
Q

What is an invalid Article 6 & 9 pairing if a bank processed special category personal data for its own purposes?

A) Necessary for a function of a public authority under an enactment
B) Necessary for the vital interests of the data subject
C) Consent and explicit consent of the data subject
D) Necessary for a legal obligation in banking law

A

A) Necessary for a function of a public authority under an enactment

25
Q

What is an unlikely Article 6 lawful basis when a controller discloses criminal records?

(a) Necessary for the functions of the HMRC under an enactment
(b) Necessary for the functions of the police under an enactment
(c) Necessary for legal obligation in employment law
(d) Necessary for vital interests of the data subject

A

(d) Necessary for vital interests of the data subject

26
Q

Which ending to the following statement would be correct (or True)?

A separate Article 6 lawful basis for the following disclosure is not needed by a controller who wants to…

a) disclose personal data to a local authority
b) disclose personal data to the data subject’s doctor in an emergency
c) disclose personal data to a processor based outside the UK
d) disclose personal data to the police

A

c) disclose personal data to a processor based outside the UK

27
Q

Assuming personal data are processed, three statements below are correct. Which statement is incorrect (or False)?

The security obligations in the Act…

(a) require a controller to have a contract with any Processor which governs the security of the processing
(b) require the controller to have evidence from any Processors concerning appropriate levels of security
(c) require the controller to ensure that any Processor has staff committed to confidentiality of personal data
(d) If security is breached, then the Information Commissioner cannot take action against any Processor responsible for the breach

A

(d) If security is breached, then the Information Commissioner cannot take action against any Processor responsible for the breach

28
Q

Which is definitely not an example of unlawful processing of personal data?

(a) copying contact details from a reference book into a marketing database
(b) disclosing medical details about a particular patient to a journalist
(c) stealing a disk which contains lists of those who fought Napoleon
(d) the use of deception by a private investigator in order to obtain information from database containing personal data

A

(c) stealing a disk which contains lists of those who fought Napoleon

29
Q

Which ending to the following statement would be incorrect (or False)?

If special category personal data are transferred to another company in the same group in South Africa:

(a) An exemption from the Transfer outside the EA rules must be found in order to legitimise the transfer
(b) An Article 6 condition must be found in order to legitimise the transfer
(c) A special category personal data condition (e.g. in Article 9) must be found in order to legitimise the transfer
(d) The transfer to South Africa will have to be described to the data subject in the transparency notice

A

(a) An exemption from the Transfer outside the EA rules must be found in order to legitimise the transfer

30
Q

Following a DPIA, a controller cannot:

(a) Accept the risk to data subjects (and pay up if get caught out)
(b) Transfer the data protection risk to insurers
(c) Avoid the risk by not processing personal data
(d) Minimise the risk to data subjects in some procedural way

A

(b) Transfer the data protection risk to insurers

31
Q

In relation to using a processor outside the EU, which action is the least relevant?

(a) Having regard for the accuracy of the personal data prior to transfer
(b) Having regard for processor’s security measures in place in the country to which personal data are to be transferred
(c) Having regard for the laws and codes of practice in the country to which apply to the personal data when they are transferred
(d) Having regard for the international obligations of the country to which personal data are to be transferred and its approach to human rights (e.g. A.8 of the ECHR)

A

(a) Having regard for the accuracy of the personal data prior to transfer

32
Q

Three of the following statements in relation to the A.5(1)(d) (Fourth) Principle (accuracy and up to date) are incorrect. Which statement is the true/correct one?

(a) The controller has to demonstrate all reasonable steps have been taken to ensure the accuracy of personal data
(b) Factually correct personal data can sometimes be inaccurate
(c) Personal data which are out-of-date must always be updated
(d) The processing will always be fair if the personal data are accurate.

A

(a) The controller has to demonstrate all reasonable steps have been taken to ensure the accuracy of personal data

33
Q

What is usually the MOST effective time to conduct a DPIA?

(a) Before a project has been designed or in the early stages of design
(b) Once the project has been implemented.
(c) One to two years after the project is underway when privacy issues have become clearer.
(d) It makes no difference.

A

(a) Before a project has been designed or in the early stages of design

34
Q

Making staff reliable when following a data protection procedure does not involve:

(a) Training staff to understand procedures
(b) Apportioning blame to certain staff when there is a data breach
(c) Taking up references, vetting, validating qualifications
(d) Monitoring performance of procedures

A

(b) Apportioning blame to certain staff when there is a data breach

35
Q

Which statement about transfers of personal data outside the EU is clearly in error?

(a) relying on the European Commission’s determination that Switzerland is adequate
(b) adopting the European Commission’s standard contract when transferring to the USA
(c) assessing the security of personal data before transfer to France
(d) using the consent of the data subject to allow the transfer of personal data

A

(c) assessing the security of personal data before transfer to France

This statement is incorrect because France is a part of the European Union (EU), and when transferring personal data within the EU, there is no need to assess the security of personal data before the transfer to another EU member state. Transfers within the EU are generally considered to be within the scope of the EU data protection framework.

36
Q

Assume the personal data only relate to a new-born baby; which statement is correct?

(a) The baby is the data subject
(b) The mother is the data subject
(c) The father is the data subject
(d) The baby, father and mother are all data subjects

A

(a) The baby is the data subject

37
Q

A valid request for the correction of personal data definitely does not involve…

(a) A fee to cover the cost of correction
(b) A written or oral request for personal data from the Data Subject for correction.
(c) Information that verifies the identity of the Data Subject (if needed).
(d) Information that explains any inaccuracy in the personal data.

A

(a) A fee to cover the cost of correction

38
Q

Which statement concerning subject access is incorrect?

On subject access, if the personal data contains information that relates to another individual the controller can…

(a) seek consent of that other individual to the release of the identifying information,
(b) decide that it is reasonable to disclose details of the other individual without consent
(c) withhold details that could lead to the other individual being identified
(d) always release the details of the other information if the other individual is dead.

A

(d) always release the details of the other information if the other individual is dead

This statement is incorrect because even if the other individual is deceased, it does not automatically mean that the details of the other information can always be released. Data protection laws and regulations still apply to personal data, even after an individual’s death. Depending on the specific circumstances and applicable laws, there may be restrictions or requirements in place regarding the release of personal information related to deceased individuals. The controller should assess and consider these factors before disclosing such information.

39
Q

On subject access, what must be provided to a data subject?

(a) Information which is not “personal data” of the Data Subject
(b) Personal data which are subject to an exemption found in the Data Protection Act
(c) Personal data that the data subject could use to claim damages against the controller.
(d) personal data that can identify another individual

A

(c) Personal data that the data subject could use to claim damages against the controller.

40
Q

The right to object applies…

(a) When a public body is processing personal data for an employment purpose
(b) When a bank is required to retain personal data for money laundering purpose
(c) When there is an emergency disclosure to protect life of a data subject
(d) When a tax authority (e.g. HMRC) is processing personal data for income tax purposes

A

(d) When a tax authority (e.g. HMRC) is processing personal data for income tax purposes

41
Q

A controller unthinkingly uses the services of a Cloud provider based in the USA. The controller would be in breach of:

a) The provisions that relate to the security of personal data
b) The provisions that relate to the rights of data subject
c) The provisions that relate to transparency of processing
d) All of the above

A

d) All of the above

42
Q

A controller obtains personal data unlawfully. The controller could breach the:

a) (First) Principle in A.5(1)(a)
b) (Second) Principle in A.5(1)(b)
c) (Sixth) Principle in A.5(1)(f)
d) Both the (First) Principle in A.5(1)(a) and the (Sixth) Principle in A.5(1)(f)

A

d) Both the (First) Principle in A.5(1)(a) and the (Sixth) Principle in A.5(1)(f).

Obtaining personal data unlawfully would breach both the First Principle, which relates to the lawfulness, fairness, and transparency of processing (A.5(1)(a)), and the Sixth Principle, which pertains to the integrity and confidentiality of personal data (A.5(1)(f)). Unlawful acquisition of personal data goes against the fundamental principles of data protection and violates the requirements of both these principles.

43
Q

A controller has collected personal data for one purpose and then uses the personal data for a marketing purpose unknown to the data subject. That controller could breach:

a) The provisions in the Act that relate to processing for an incompatible purpose
b) The provisions in the Act that relate to the rights of data subject
c) The provisions in the Act that relate to transparency of processing of personal data
d) All of the above

A

d) All of the above

44
Q

Assuming personal data are processed, which statement is incorrect?
With respect to a contractor to an organisation processing personal data:

a) The contractor is obliged to assess security of the personal data he processes
b) The contractor has to ensure that personal data are relevant to the processing purpose.
c) The contractor can subcontract when it has the authority of the organisation.
d) The contractor has to report every data breach to the organisation

A

b) The contractor has to ensure that personal data are relevant to the processing purpose.

While the contractor is responsible for adhering to security measures and reporting data breaches, ensuring the relevance of personal data to the processing purpose is primarily the responsibility of the organisation, the data controller. The contractor processes the personal data based on the instructions given by the organization and is expected to follow those instructions diligently. The organisation, as the data controller, is responsible for determining the purpose and relevance of the processing.

45
Q

Why should a controller report a loss of personal data to the ICO?

a) In order to be punished in some way.
b) To alert the press to an interesting story.
c) To protect data subjects.
d) To enhance the controller’s reputation for honesty.

A

c) To protect data subjects

46
Q

Three of these statements are correct. Which is the incorrect one?

(a) A Processor must keep a register of the processing undertaken for all its controller clients
(b) A Processor must only disclose personal data with the authority of the controller
(c) A Processor can be an individual
(d) A Processor can be in the USA.

A

(b) A Processor must only disclose personal data with the authority of the controller

47
Q

Assuming personal data are processed, which statement does not concern a main security related obligation in the UK_GDPR or the EU_GDPR?

a) The GDPR requires encryption and pseudonymisation techniques to be considered.
b) The GDPR requires “Data Protection by Design and by Default” techniques to be adopted if appropriate.
c) The GDPR requires a data protection officer to be appointed for public body controllers
d) The GDPR requires all technical and organisational procedures used to safeguard the processing of personal data to be reviewed for effectiveness.

A

c) The GDPR requires a data protection officer to be appointed for public body controllers

48
Q

Which ending to the following statement is incorrect (or False)?

“The transfer of personal data outside the EU does not breach the transfer provisions…

(a) if a contract with the Data Subject necessarily requires such personal data to be transferred.
(b) By reference to any justifiable reason which requires such personal data to be transferred.
(c) If explicit consent of the Data Subject for the transfer has been obtained.
(d) If there is a need to counter life threatening situations involving the Data Subject.

A

(b) By reference to any justifiable reason which requires such personal data to be transferred.

The transfer of personal data outside the EU should generally comply with the transfer provisions and legal mechanisms established by data protection regulations. Simply having a “justifiable reason” is not sufficient to bypass the transfer provisions. Adequate safeguards, such as adequacy decisions, appropriate contractual clauses, or other authorized mechanisms, must be in place to ensure lawful and compliant transfers.

49
Q

What information is the controller not obliged to provide to the Data Subject in order to process personal data transparently?

(a) Identification of the controller and the purpose of the processing of personal data.
(b) The lawful basis which makes the processing of personal data legitimate.
(c) Identification of each processor involved in the processing.
(d) Which recipients or categories of recipients obtain the personal data.

A

(c) Identification of each processor involved in the processing.

While the controller is required to provide information about the identification of the controller, the purpose of processing, and the lawful basis, there is no specific obligation to provide the identification of each processor involved in the processing to the data subject. This information may be important for ensuring appropriate data processing, but it is not explicitly required as part of the transparency obligations.