Exin Updated PDPF Exam Questions and Answers by seb

The numerous powers of the Supervisory Authority are divided into:

-Investigative powers;

-Correcting powers;

-Advisory and authorization powers.

The investigative powers provided for in Article 58, Paragraph 1 are:

a) To order the controller and the processor, and, where applicable, the controller’s or the processor’s representative to provide any information it requires for the performance of its tasks;

b)To carry out investigations in the form of data protection audits;

c)To carry out a review on certifications issued pursuant to Article 42(7);

d)To notify the controller or the processor of an alleged infringement of this Regulation;

e)To obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;

f)To obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.

Applied security standards must assure the confidentiality, integrity and availability of personal data throughout their lifecycle. Incorrect. This is an aspect of End-to-End Security - Lifecycle Protection, one of the other six basic principles.

If different types of legitimate objectives are contradictory, the privacy objectives must be given priority over other security objectives. Incorrect. Data protection by design rejects the idea that privacy competes with other interests, design objectives, and technical capabilities.

When embedding privacy into a given technology, process, or system, it should be done in such a way that full functionality is not impaired. Correct. This is the essence. (Literature: A, Chapter 8; GDPR Article 25)

Wherever possible, detailed privacy impact and risk assessments should be carried out and published, clearly documenting the privacy risks. Incorrect. This is an aspect of Privacy Embedded into Design, one of the other six basic principles.

Confidentiality violation. Incorrect. GDPR uses the term personal data breach. Not every data breach is a confidentiality violation.

Personal data breach. Correct. This is the definition of a personal data breach. (Literature: A, Chapter 5; GDPR Article 4(12))

Security breach. Incorrect. GDPR uses the term personal data breach. Not every security breach is a data breach. Not every data breach is a personal data breach.

Security incident. Incorrect. GDPR uses the term personal data breach. Not every security incident is a data breach.

The right to compensation. Incorrect. It is unlikely that all data subjects will suffer harm that must be compensated in this scenario.

The right to object to profiling. Correct. All data subjects have a right to object to the processing of personal data for direct marketing, including profiling. This is clearly profiling. (Literature: A, Chapter 4)

The right to rectification. Incorrect. It is unlikely that the company has incorrect data on all data subjects, so the right to rectification does not apply.