Curious about Actual Exin EXIN Privacy & Data Protection Foundation (PDPF) Exam Questions?

Here are sample Exin Privacy and Data Protection Foundation (PDPF) Exam questions from the real exam. You can get more Exin EXIN Privacy & Data Protection Foundation (PDPF) Exam premium practice questions at TestInsights.

Total 149 questions
Question 1

What is the legal status of the GDPR?


Correct : A

The GDPR is functional law in all member states of the EEA. Some Articles allow for member state law to provide for more specific rules. Correct. The GDPR is European law but the Regulation does not exclude member state law that sets out the circumstances for specific processing situations. (Literature: A, Chapter 1; GDPR Recital 10)

The GDPR is a recommendation of the European Commission that EEA countries' law authorities improve their laws on the protection of personal data. Incorrect. An EU recommendation is not binding. The GDPR is a functional European law in all member states.

The GDPR sets out minimum conditions and requirements. Member states need to pass national laws to meet these minimum requirements. Incorrect. This is the description of an EU Directive.


Question 2

On July 12, 2016 the European Commission implemented a ruling regarding the transfer of personal data between the EEA and the US. The ruling is based on the data protection measures described in the EU-US Privacy Shield. What kind of a ruling is this?


Correct : D

Adequacy decision. Correct. The ruling is an adequacy decision regarding processing in third countries. (Literature: A, Chapter 7; GDPR Article 45 and Recitals (104) and (106))

Derogation. Incorrect. A derogation is for specific situations where a transfer is necessary, but there is no ruling permitting it. (Literature: GDPR Article 49(1)(q))

Legally binding contract. Incorrect. The ruling is an adequacy decision. A legally binding contract is between a processor and a controller.

Treaty superseding the GDPR. Incorrect. The ruling is an adequacy decision. It does not supersede the GDPR.


Question 3

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Which data processing principle is described here?


Correct : B

Accuracy. Incorrect. Accuracy is the principle that personal data shall be accurate and kept up to date.

Data minimization. Correct. Data minimization means that personal data shall be adequate, relevant and limited to what is necessary. (Literature: A, Chapter 2; GDPR Article 5(1))

Fairness and transparency. Incorrect. Fairness and transparency mean that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Purpose limitation. Incorrect. Purpose limitation means that personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with GDPR Article 89(1), not be considered to be incompatible with the initial purposes.


Question 4

According to the GDPR, when is a data protection impact assessment (DPIA) obligatory?


Correct : B

When a project includes technologies or processes that use personal data. Incorrect. Only for technologies and processes that are likely to result in a high risk to the rights of data subjects is the DPIA mandatory.

When processing is likely to result in a high risk to the rights of data subjects. Correct. For processing operations which are likely to result in a high risk, a DPIA is obligatory to assess those risks and to design mitigation measures. (Literature: A, Chapter 6; GDPR Article 35)

When similar processing operations with comparable risks are repeated. Incorrect. This is a case in which a DPIA does not need to be repeated.


Question 5

The General Data Protection Regulation (GDPR) is often known as the "European privacy law". What is the relationship between "privacy" and "data protection"?


Correct : D

Data protection and privacy are complementary, but not the same thing.

An often-repeated phrase is: "It is possible to have security without privacy, but it is not possible to have privacy without security".

Privacy is a right that must be protected, and data protection is the set of measures used to achieve this protection.

