Weekend Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Privacy And Data Protection GDPR Exam Questions and Answers PDF

Page: 6 / 6
Total 80 questions

PECB Certified Data Protection Officer Questions and Answers

Question 21

Scenario5:

Recpond is a German employment recruiting company. Their services are delivered globally and include consulting and staffing solutions. In the beginning. Recpond provided its services through an office in Germany. Today, they have grown to become one of the largest recruiting agencies,providing employment to more than 500,000 people around the world. Recpond receives most applications through its website. Job searchers are required to provide the job title and location. Then, a list of job opportunities is provided. When a job position is selected, candidates are required to provide their contact details and professional work experience records. During the process, they are informed that the information will be used only for the purposes and period determined by Recpond. Recpond's experts analyze candidates' profiles and applications and choose the candidates that are suitable for the job position. The list of the selected candidates is then delivered to Recpond's clients, who proceed with the recruitment process. Files of candidates that are not selected are stored in Recpond's databases, including the personal data of candidates who withdraw the consent on which the processing was based. When the GDPR came into force, the company was unprepared. The top management appointed a DPO and consulted him for all data protection issues. The DPO, on the other hand, reported the progress of all data protection activities to the top management. Considering the level of sensitivity of the personal data processed by Recpond, the DPO did not have direct access to the personal data of all clients, unless the top management deemed it necessary. The DPO planned the GDPR implementation by initially analyzing the applicable GDPR requirements. Recpond, on the other hand, initiated a risk assessment to understand the risks associated with processing operations. The risk assessment was conducted based on common risks that employment recruiting companies face. After analyzing different risk scenarios, the level of risk was determined and evaluated. The results were presented to the DPO, who then decided to analyze only the risks that have a greater impact on the company. The DPO concluded that the cost required for treating most of the identified risks was higher than simply accepting them. Based on this analysis, the DPO decided to accept the actual level of the identified risks. After reviewing policies and procedures of the company. Recpond established a new data protection policy. As proposed by the DPO, the information security policy was also updated. These changes were then communicated to all employees of Recpond.Based on this scenario, answer the following question:

Question:

Recpondstores files of candidates who are not selectedin its databases,even if they withdraw consent. Is this acceptable under GDPR?

Options:

A.

No, the GDPR requires the controller to erase personal data if the data subject withdraws their consent for data processing.

B.

Yes, the GDPR only requires the controller tostop processing the datawhen consent is withdrawn but does not require its deletion.

C.

Yes, the GDPR allows personal data to be processedeven after consent is withdrawnso organizations can use the data for future recruitment opportunities.

D.

No, Recpond must retain candidate data for statistical analysis but must anonymize it.

Question 22

Scenario1:

MED is a healthcare provider located in Norway. It provides high-quality and affordable healthcare services, including disease prevention, diagnosis, and treatment. Founded in 1995, MED is one of the largest health organizations in the private sector. The company has constantly evolved in response to patients' needs.

Patients that schedule an appointment in MED's medical centers initially need to provide their personal information, including name, surname, address, phone number, and date of birth. Further checkups or admission require additional information, including previous medical history and genetic data. When providing their personal data, patients are informed that the data is used for personalizing treatments and improving communication with MED's doctors. Medical data of patients, including children, are stored in the database of MED's health information system. MED allows patients who are at least 16 years old to use the system and provide their personal information independently. For children below the age of 16, MED requires consent from the holder of parental responsibility before processing their data.

MED uses a cloud-based application that allows patients and doctors to upload and access information. Patients can save all personal medical data, including test results, doctor visits, diagnosis history, and medicine prescriptions, as well as review and track them at any time. Doctors, on the other hand, can access their patients' data through the application and can add information as needed.

Patients who decide to continue their treatment at another health institution can request MED to transfer their data. However, even if patients decide to continue their treatment elsewhere, their personal data is still used by MED. Patients’ requests to stop data processing are rejected. This decision was made by MED’s top management to retain the information of everyone registered in their databases.

The company also shares medical data with InsHealth, a health insurance company. MED's data helps InsHealth create health insurance plans that meet the needs of individuals and families.

MED believes that it is its responsibility to ensure the security and accuracy of patients’ personal data. Based on the identified risks associated with data processing activities, MED has implemented appropriate security measures to ensure that data is securely stored and processed.

Since personal data of patients is stored and transmitted over the internet, MED uses encryption to avoid unauthorized processing, accidental loss, or destruction of data. The company has established a security policy to define the levels of protection required for each type of information andprocessing activity. MED has communicated the policy and other procedures to personnel and provided customized training to ensure proper handling of data processing.

Question:

Based on scenario 1, is the processing of children's personal data performed by MED in compliance with GDPR?

Options:

A.

No, the processing of personal data of children below the age of 16 years is not in compliance with the GDPR, even if parental consent is provided.

B.

Yes, the processing of children’s personal data below the age of 16 years with parental consent is in compliance with GDPR.

C.

No, MED must obtain explicit consent from the child, regardless of parental consent, for the processing to be in compliance with GDPR.

D.

Yes, as long as the processing is conducted with industry-standard encryption.

Question 23

Scenario4:

Berc is a pharmaceutical company headquartered in Paris, France, known for developing inexpensive improved healthcare products. They want to expand to developing life-saving treatments. Berc has been engaged in many medical researches and clinical trials over the years. These projects required the processing of large amounts of data, including personal information. Since 2019, Berc has pursued GDPR compliance to regulate data processing activities and ensure data protection. Berc aims to positively impact human health through the use of technology and the power of collaboration. They recently have created an innovative solution in participation with Unty, a pharmaceutical company located in Switzerland. They want to enable patients to identify signs of strokes or other health-related issues themselves. They wanted to create a medical wrist device that continuously monitors patients' heart rate and notifies them about irregular heartbeats. The first step of the project was to collect information from individuals aged between 50 and 65. The purpose and means of processing were determined by both companies. The information collected included age, sex, ethnicity, medical history, and current medical status. Other information included names, dates of birth, and contact details. However, the individuals, who were mostly Berc's and Unty's customers, were not aware that there was an arrangement between Berc and Unty and that both companies have access to their personal data and share it between them. Berc outsourced the marketing of their new product to an international marketing company located in a country that had not adopted the adequacy decision from the EU commission. However, since they offered a good marketing campaign, following the DPO's advice, Berc contracted it. The marketing campaign included advertisement through telephone, emails, and social media. Berc requested that Berc’s and Unty's clients be first informed about the product. They shared the contact details of clients with the marketing company.Based on this scenario, answer the following question:

Question:

Is the transfer of data fromBerc to Untyin compliance with GDPR?

Options:

A.

Yes, Berc can transfer data to Unty because Switzerland provides a level of data protection that is "essentially equivalent” to that of the EU.

B.

Yes, Berc can transfer data to Unty because they collected data for the same purpose.

C.

No, Berc cannot transfer data to a company in Switzerland unless authorization from the supervisory authority in France is obtained.

D.

No, Berc must conduct a new DPIA before transferring data to Switzerland.

Question 24

Scenario:

ChatBubbleis a software company that stores personal data, includingusernames, emails, and passwords. Last month, an attacker gained access to ChatBubble’s system, but the personal datawas encrypted, preventing unauthorized access.

Question:

Should thedata subjects be notifiedin this case?

Options:

A.

Yes, the company shall communicateall incidentsregarding personal data to the data subjects.

B.

No, the company isnot required to notify data subjectsabout a data breach that affects alarge number of individuals.

C.

No, the company isnot required to notify data subjects when the personal data is protected with appropriate technical and organizational measures.

D.

Yes, but only if the supervisory authority explicitly requests notification.

Page: 6 / 6
Total 80 questions