Under what EU legislation is data transfer between the EEA and the U.S.A. allowed?
A. An adequacy decision based on the Privacy Shield program
B. An adequacy decision by reason of US domestic legislation
C. The Transatlantic Trade an Investment Partnership (TTIP)
D. The U.S.A.'s commitment to join the European Economic Area
"The controller shall implement appropriate technical and organizational measures for ensuring that (...) only personal data which are necessary for each specific purpose of the processing are processed."
Which term in the GDPR is defined here?
A. Compliance
B. Data protection by default and by design
C. Embedded data protection
What should be done by the EU member states and is not a responsibility of the supervisory authorities?
A. Impose administrative fines to controllers
B. Make rules for penalizing other GDPR infringements
C. Order the controller to notify the data subject about a breach
D. Receive and process data breach notifications from controllers
GDPR quotes in one of its principles that personal data should be adequate, relevant and limited to what is necessary in relation to its purpose. What principle is this?
A. integrity and confidentiality
B. purpose limitation
C. data minimization
D. lawfulness, loyalty and transparency
According to the principle of purpose limitation, data should not be processed beyond the legitimate purpose defined. However, further processing is allowed in a few specific cases, provided that appropriate safeguards for the rights and freedoms of the data subjects are taken. For which purpose is further processing not allowed?
A. For archiving purposes in the public interest
B. For generalized statistical purposes
C. For scientific or historical research purposes
D. For direct marketing and commercial purposes
Regarding the Supervisory Authority's "Investigative Powers", it is correct to state:
A. it has the power to order the suspension of sending data to recipients in third countries or to international organizations
B. you have the power to order the controller to report a personal data breach to the data subject
C. it has the power to notify the controller or processor of alleged GDPR violations
D. it has the power to conduct impact assessments on data privacy
A person buys a product at a store located in the European Economic Area (EEA). At the time of purchase, you are asked to fill out a registration form and he informs his personal email.
As is usual in many stores, in the next few days this person will start receiving several marketing emails. He considers the frequency of these emails to be very high. Demanding his rights, he asks the store to delete all his personal data.
What is the right required by the data subject?
A. Right to erasure
B. Data subject's right of access
C. Right to limitation of treatment
D. Right to rectification
When is a Data Protection Impact Assessment (DPIA) under the General Data Protection Regulation (GDPR) mandatory?
A. Application of new technologies that may imply a high risk to the rights and freedoms of data subjects.
B. There is no security policy and information security risk analysis.
C. In all types of personal data processing.
What is the main use of a persistent cookie?
A. To save the pages a user has bookmarked in the user's browser history
B. To record every keystroke made by a computer user to find out passwords
C. To ensure that the user's personal data are stored securely on the server
D. To personalize the user's experience of the website during the next visit
A Belgian company has their headquarters in France for tax purposes. They enter into a legally binding contract with a processor in the Netherlands for the processing of personal data of data subjects with various nationalities. A personal data breach occurs. The supervisory authorities start an investigation. Why is the French supervisory authority seen as the lead supervisory authority?
A. Because the company has their headquarters in France
B. Because France is located in the middle of Europe
C. Because France is the largest of the three EEA countries