PDPF Exin Privacy and Data Protection Foundation Free Practice Exam Questions (2025 Updated)

The deadline for companies to adapt and comply with GDPR was May 25, 2018. This is an important date and should be memorized. It is common to have this question in this exam.

Article 99 of GDPR

1.This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

2.It shall apply from 25 May 2018.

There are some types of cookies, each with its own purpose.

Cookies are considered personal data, as they can identify a person. They are stored on our computers.

You may have come across the situation of searching for a particular product on the internet and then seeing ads for that product or similar on various websites.

Cookies are used to provide this information.

Data Life Cycle Management (DLM)

It aims to manage data flow throughout the lifecycle, from collection, processing, sharing, storage and deletion. Having the knowledge where the data travels, who is responsible, who has access, helps a lot to implement

security measures.

The GDPR is functional law in all member states of the EEA. Some Articles allow for member states law to provide for more specific rules. Correct. The GDPR is European law but the Regulation does not exclude Member state law that sets out the circumstances for specific processing situations. (Literature: A, Chapter 1; GDPR Recital 10)

The GDPR is a recommendation of the European Commission that EEA countries’ law authorities improve their laws on the protection of personal data. Incorrect. An EU recommendation is not binding. The GDPR is a functional European law in all member states.

The GDPR sets out minimum conditions and requirements. Member states need to pass national laws to meet these minimum requirements. Incorrect. This is the description of an EU Directive.

Here we have a very common catch in EXIN exams.

In this matter, the personal data that was breached included the email addresses. Although the group is a subject considered sensitive by the GDPR, only other participants who had registered took notice. As it does not present a high risk to data subjects, there is no need to notify the data subject as well. Only the

Supervisory Authority is enough. However, after notifying the Supervisory Authority, it may decide that the data subject should also be notified, but for that matter this is not considered.

Article 33 of the GDPR legislates on the topic “Notification of a personal data breach to the supervisory

authority”.

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Important

The deadline for notification of data breaches to the Supervisory Authority is generally charged in the EXIN exam. This period is 72 hours.

Whereas Recital 170 mentions: “Since the objective of this Regulation, namely to ensure an equivalent level of protection of natural persons and the free flow of personal data throughout the Union, cannot be sufficiently

achieved by the Member States and can rather, by reason of the scale or effects of the action, be better

achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective”.

Subsidiarity is a principle that says that personal data can only be processed if there are no other means to achieve the objective. Therefore, the less personal data used, the less the chances of violating privacy.

Note that in the quotation in Recital 170 above, the principle of proportionality was highlighted in bold. Equally important to subsidiarity. Proportionality says that personal data must be collected according to the purpose of processing, that is proportional, and data that will not be used for the purpose should not be collected.

These two principles Subsidiarity and Proportionality are constantly charged in the EXIN exam.

The correct option is exclusively for the Controller, the others are for the Processor in accordance with Articles 25 and 28 of the GDPR.

Section: (none)

Explanation

Controller. Correct. The controller is responsible for adequate data security measures and must be able to demonstrate compliance with the GDPR. (Literature:A, Chapter 2)

Data protection officer (DPO). Incorrect. The DPO has expert knowledge and assists the controller or processor to monitor internal compliance.

Processor. Incorrect. The processor is the one who processes personal data according to the instructions of the controller. The controller remains ultimately responsible though.

Supervisory authority. Incorrect. The controller needs to demonstrate compliance with the GDPR if requested by the supervisory authority.

Section: (none)

Explanation

Article 33 which deals with “Notification of a personal data breach to the supervisory authority” in its paragraph 1 legislates:

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

It aims to manage the flow of data throughout the life cycle, from collection, processing, sharing, storage and deletion.

Having the knowledge where the data travels, who is responsible, who has access, helps and a lot to implement security measures.

The purpose of GDPR is to protect personal data. In the case of this issue there was no loss of personal data, so it is not a data breach.

Important

A data breach is whenever something happens that has not been planned with the personal data, be it improper processing, improper sharing, loss of data, deletion, etc. That is, personal data must be used for a specific purpose, respecting the life cycle (from collection to exclusion), any situation that escapes this cycle must be reported as a data breach.

A record of all intended processing together with the processing purpose(s) and legal justifications.

Incorrect. A record of all intended processing with the purpose(s) and legal justifications must be kept.

A record of data breaches with all relevant characteristics, including notifications. Incorrect. A record of data breaches must be kept.

A record of notifications sent to the supervisory authority regarding processing of personal data. Correct. Prior consultation of high-risk processing is obligatory, but there is no need for a separate record of notifications sent. (Literature: A, Chapter 6;GDPR Article 36(1))

A record of processors including personal data provided and the period this data can be retained. Incorrect. A record of processors and data provided must be kept.

Article 28 of the GDPR in its paragraph 3 mentions:

This contract or other normative act stipulates, inter alia, that the subcontractor:

a)processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

b)ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

c)takes all measures required pursuant to Article 32;

d)respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;

e)taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;

f)assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;

g)at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;

h)makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

Transfers based on the laws of the non-EEA country concerned. Incorrect. This would also require an adequacy decision confirming that those laws are sufficient.

Transfers falling under World Trade Organization rules. Incorrect. WTO only covers free trade of goods and services.

Transfers governed by approved binding corporate rules (BCR). Correct. Binding corporate rules approved by a supervisory authority involved make the transfer lawful. (Literature: A, Chapter 7; GDPR Article 47)

Transfers within a global corporation or organization. Incorrect. This would also require that they adopt official binding corporate rules.