PDPF EXIN Privacy and Data Protection Foundation - Practice Questions

Question 4 (Mixed Questions)

A gentleman has a loan denied by the bank’s system that he has been a customer for many years. He is disgusted, because the loan would make it possible to hold the wedding of his only granddaughter.

He contacts the bank and asks for explanations. He wants to know exactly why his loan was denied and based on what information.

What right is required by the data subject according to the GDPR?

Select an option, then click Submit answer.

○
Right to limitation of treatment
○
Right to rectification
○
Data subject’s right of access
○
Right to object and automated individual decision-making

Question 5 (Mixed Questions)

When is a Data Protection Impact Assessment (DPIA) under the General Data Protection Regulation (GDPR) mandatory?

Select an option, then click Submit answer.

○
Application of new technologies that may imply a high risk to the rights and freedoms of data subjects.
○
There is no security policy and information security risk analysis.
○
In all types of personal data processing.

Question 6 (Mixed Questions)

One of the basic principles of the General Data Protection Regulation (GDPR) is subsidiarity.

What is subsidiarity to GDPR?

Select an option, then click Submit answer.

○
Personal data can only be collected for explicit, legitimate and specific purposes and cannot be processed for any other purpose.
○
Only the personal data needed to achieve a specific purpose should be collected.
○
The least privacy-violating means should be used when processing personal data.
○
Personal data must be kept for a period not longer than necessary.

Reference / correct answer:

The least privacy-violating means should be used when processing personal data.

Whereas Recital 170 mentions: “Since the objective of this Regulation, namely to ensure an equivalent level of protection of natural persons and the free flow of personal data throughout the Union, cannot be sufficiently achieved by the Member States and can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective”.

Subsidiarity is a principle that says that personal data can only be processed if there are no other means to achieve the objective. Therefore, the less personal data used, the less the chances of violating privacy.

Note that in the quotation in Recital 170 above, the principle of proportionality was highlighted in bold. Equally important to subsidiarity. Proportionality says that personal data must be collected according to the purpose of processing, that is proportional, and data that will not be used for the purpose should not be collected.

These two principles Subsidiarity and Proportionality are constantly charged in the EXIN exam.

PDPF – EXIN Privacy and Data Protection Foundation