PDPF Online Practice Questions and Answers

Important technical requirements set out in the General Data Protection Regulation (GDPR) are about data quality. One is the obligation to ensure appropriate security, including protection against unauthorized or unlawful processing.

What is another important technical requirement?

A. To ascertain that personal data collection is adequate, relevant and limited to what is necessary in relation to the purposes

B. To control that data collected for specified, explicit and legitimate purposes is not further processed for other purposes

C. To keep personal data accurate and up to date, ensuring that inaccurate data are erased or rectified without delay

D. To make sure that personal data is processed lawfully, fairly and in transparent manner in relation to the data subject

A controller can contract out the processing of personal data to another company, provided a written contract between these partners is in place.

Which clause in this contract is a responsibility of the controller?

A. To ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

B. To make available all information necessary to demonstrate compliance with the obligations laid down in the GDPR and allow for and contribute to audits, including inspections.

C. To process the personal data only on documented instructions, including with regard to transfers of personal data to a third country or an international organization.

D. To provide sufficient guarantees for appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR.

After notifying the supervisory authority, what should be the first action the controller must take when it finds a security breach where unauthorized people have accessed personal data?

A. Contact the DPO for formal notification to the Supervisory Authority.

B. Analyze whether sensitive data has been accessed.

C. Register a Police Report at the cybercrime station.

D. Notify data subjects that have been subject to a security breach.

How does a Supervisory Authority collaborate to the application of GDPR?

A. Assists in the implementation of a data protection management system (at controller request).

B. Monitor and enforce the application of this Regulation.

C. Perform a Data Privacy Impact Analysis (DPI) at the request of the Data Protection Officer ?DPO.

D. Determines technical safety measures to be applied to the controller.

Which condition below allows personal data to be processed legally?

A. A Data Privacy Impact Assessment (DPIA) should be performed prior to data collection.

B. Data processing must be previously authorized by the Supervisory Authority.

C. Holders' rights must be protected by a privacy policy.

D. There must be a legitimate basis for data processing.

The General Data Protection Regulation (GDPR) is related to the protection of personal data. What is the definition of personal data?

A. Preservation of confidentiality, integrity and availability of information

B. Any information regarding an identified or identifiable natural person

C. Any information that European citizens want to protect

D. Data that directly or indirectly reveals racial or ethnic origins, someone's religious views, and their data related to sexual health and habits

A company located in France wishes to enter into a compulsory contract with a processor located in Portugal. This contract aims to process sensitive French personal data. The Portuguese Supervisory Authority is informed about this contract and the type of processing.

How should Portuguese Supervisory Authority proceed, in accordance with the General Data Protection Regulation (GDPR)?

A. Supervise the processing of personal data according to the guidelines of the Supervisory Authority of Portugal.

B. Report the data processing to the French Supervisory Authority, which must take over the supervision.

C. Verify that adequate compulsory contracts have been established and leave supervision to the French Supervisory Authority.

D. Supervise the processing of personal data in accordance with the French Supervisory Authority legislation.

According to the General Data Protection Regulation (GDPR), which category of personal data is considered to be sensitive data?

A. Labor union association

B. Passport number

C. Credit card details

D. Social security number

What is the legal status of the GDPR?

A. The GDPR is functional law in all member states of the EEA. Some Articles allow for member states law to provide for more specific rules.

B. The GDPR sets out minimum conditions and requirements. Member states need to pass national laws to meet these minimum requirements.

C. The GDPR is a recommendation of the European Commission that EEA countries' law authorities improve their laws on the protection of personal data.

According to the GDPR, when is a data protection impact assessment (DPIA) obligatory?

A. When a project includes technologies or processes that use personal data

B. When processing is likely to result in a high risk to the rights of data subjects

C. When similar processing operations with comparable risks are repeated