Sample Questions Book Flashcards
Which treaty established the European Economic Community?
The Treaty of Rome
Which European institution audits the European Union?
The European Court of Auditors
What is the executive body of the European Union?
The European Commission
What directive or law is the most likely document referred to by a data protection officer for marketing via email?
The e-Privacy directive
When is consent most likely not required?
When it involves public data
What are third parties required to do when collecting personal data on behalf of a controller?
The third parties are required to identify the controller for which the personal data are collected
Give an example of a data breach.
Wrongly addressed email
Is processing personal data without the required processing agreement a data breach?
No. It is illegal processing, but it is not a breach of a security measure and hence not a data breach in the context of the GDPR.
Do you need to re-perform DPIAs for similar processing?
No
What is the best description of standard contractual clauses?
Model clauses for personal data exchanges with countries outside the European Union
What are binding corporate rules (BCRs)?
BCRs are a set of rules between a group's members that describe their data protection policies in a way that indicates full compliance with the GDPR.
Name a country not considered adequate.
Australia
Who determines whether a country has an adequate level of protection?
The European Commission
At the moment of drafting GDPR, what new possibility did it provide?
Codes of conduct for international data transfer
What is NOT a role of the data protection agency?
Provide tools and templates for GDPR implementation
What is NOT one of the supervisory authority's investigative powers?
To fine individuals for not cooperating with an investigation
When are sensitive personal data about employees allowed to be processed without consent?
When it is necessary for carrying out obligations in the field of employment law
Why do binding corporate rules (BCRs) prohibit the transfer of employee names to telecom providers within the same country in order to provide them with mobile phone services?
Because BCRs only deal with intra-organisational transfers and not with transfers to third parties.
What does GDPR Article 12(3) require?
It requires that the controller or employer responds without undue delay or within a month.
What is NOT and what is a compatible purpose for processing data beyond the purpose originally specified at the time of collection?
Performance of a contract is not a compatible purpose for processing data beyond the purpose originally specified at the time of collection. The GDPR does allow further processing of data for ‘archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89(1)’ as compatible with the initial purposes.
According to the GDPR, the right to data portability applies when …
The right to data portability applies when the data processing is based on the user’s consent or on a contract and the data processing is carried out by automated means.
It does not apply to ‘processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.
Do organisations have to notify about data processing activities?
The GDPR has abolished the need to notify the DPAs of personal data processing activities, given the shift to an accountability framework that includes the appointment of DPOs and the maintenance of a register of data processing activities.
According to the GDPR, what is NOT one of the considerations that should be taken into account to determine the appropriate technical and organisational measures to ensure a level of data security appropriate to the risk?
The size of the organisation is not one of the considerations to be taken into account in determining the appropriate technical and organisational measures to ensure a level of data security appropriate to the risk. Article 32 of the GDPR, which focuses on the security of processing, provides that ‘the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons’ be taken into account so that ‘the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’.
Under the GDPR, organizations that are not established in the EU and that monitor behaviour will be subject to the Regulation when …
Under the GDPR, non-EU organizations that monitor behaviour of EU individuals will also be subject to the Regulation provided that the behaviour being monitored occurs within the EU.