PDPF Exin Privacy and Data Protection Foundation Free Practice Exam Questions (2025 Updated)

Article 83 of GDPR

5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher...

Article 51 of GDPR

2. Each supervisory authority shall contribute to the consistent application of this Regulation throughout the

Union.

Implement technical and organizational measures to ensure compliance. Incorrect. This is the task of the controller.

Investigate security breaches of corporate information. Incorrect. Only breaches of personal data are a concern of the supervisory authority.

Monitor and enforce the application of the GDPR. Correct. This is the main task of any supervisory authority. (Literature: A, Chapter 7)

Article 20 Right to data portability:

1.The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

Data protection and privacy are complementary, but not the same thing.

A very repeated phrase is: “It is possible to have security without privacy, but it is not possible to have privacy without security”.

Privacy is a right that must be protected, and Data Protection are the measures that will be used to achieve this protection.

Verify that the processor has sufficient security guarantees that are essential for the Controller to remain in

compliance with the GDPR. Remember that the responsibility is always of the controller who must take care of the data of the data subjects that have been entrusted to him.

Recital 81 mentions the following:

(81) To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organizational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.

Compliance. Incorrect. Compliance means meeting rules or standards.

Data protection by design and by default. Correct. By default, the minimum of personal data is to be processed for the shortest possible period, using the best possible security measures to prevent unauthorized access. Data protection by design refers to processing that includes appropriate measures to implement data protection principles. (Literature: A, Chapter 8; GDPR Article 25)

Embedded data protect. Incorrect. Embedded data protection is the result of data protection by design.

It aims to manage the flow of data throughout the life cycle, from collection, processing, sharing, storage and deletion.

Having the knowledge where the data travels, who is responsible, who has access, helps and a lot to implement security measures.

It is not necessary to inform the Supervisory Authority of any violation that occurs. But every violation must be analyzed with caution and attention. It is not necessary to notify the Supervisory Authority only if it does not present risks to the data subjects.

The DPO must always be involved to guide the best strategy and action for each violation that occurs. Article 38 legislates on the position of the data protection officer:

1. The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

It is clear that the DPO – Data Protection Officer, must be involved in the entire data processing life cycle. From its collection to its exclusion.

The GDPR has 173 recitals. The Recitals introduce a better understanding of the law and its articles. The Articles, which are 99 in total, contain the mandatory requirements of the law.

The principle of limitation of purposes says that personal data must be collected for specific, explicit and legitimate purposes and cannot be further processed in a way incompatible with those purposes.

When the data is sold to another company, we can conclude that it was acquired by a controller for a specific purpose and that it subsequently sold it without the owner’s knowledge and consent.

Whenever a new technology is applied, a DPIA must be performed. In addition, a DPIA must be performed before starting the processing of personal data. This is important to check for risks to data subjects since data collection.

In its Article 35 the GDPR legislates on the Impact assessment on data protection.

1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

Personal data are collected for specified, explicit and legitimate purposes and not further processed. Incorrect. The local government is entitled to collect data on the number of cars present.

Personal data are kept in a form permitting identification of data subjects for no longer than is necessary. Correct. In the given scenario, there is no need to retain the data of a specific car identifying the owner once it has left the area (Literature: A, Chapter 2; GDPR Article 5)

Personal data are processed in a manner that ensures appropriate security of the personal data. Incorrect. The scenario does not suggest inappropriate security.

Personal data are processed in a transparent manner in relation to the data subject. Incorrect. The processing is taking place transparently, since it is communicated properly to the data subjects.

The front line with the data holder is the Controller, see image. So, it is he who has to show compliance, who must be concerned with the legality of processing, who must implement security measures.

Article 6 legislates on the lawfulness of treatment and in it cites the 6 legal bases provided:

1 - the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

2- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering a contract

3 - processing is necessary for compliance with a legal obligation to which the controller is subject;

4- processing is necessary in order to protect the vital interests of the data subject or of another natural person;

5- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

6- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which requires protection of personal data, in particular where the data subject is a child.

To ensure that the user’s personal data are stored securely on the server. Incorrect. Cookies are not used to store data on the server.

To personalize the user’s experience of the website during the next visit. Correct. This is the main purpose of a persistent cookie. (Literature: A, Chapter 8)

To record every keystroke made by a computer user to find out passwords. Incorrect. Cookies are not malicious by nature, but the mechanism can be exploited maliciously.

To save the pages a user has bookmarked in the user’s browser history. Incorrect. The bookmarks and browser history are saved, but not in a cookie.

Article 30 in its first paragraph legislates:

1. Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.

Recital 82 mentions:

In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.