"The controller shall implement appropriate technical and organizational measures for ensuring that (...) only personal data which are necessary for each specific purpose of the processing are processed." Which term in the General Data Protection Regulation (GDPR) is defined?
The controller responsible for the UK Child Sexual Abuse Investigation body reported a data breach to the supervisory authority in the UK on 28 February 2019. People who had registered their interest in participating in forums and debates for victims of child sexual abuse received an email that contained the email addresses of everyone else who had also registered. Which category does this data breach fit into?
Correct Answer: A
Here we have a very common catch in EXIN exams. In this case, the personal data that was breached consisted of email addresses. Although the group of data subjects is one the GDPR treats as sensitive, the addresses were only disclosed to the other participants who had registered. Because the breach does not present a high risk to the data subjects, there is no obligation to notify the data subjects as well; notifying the Supervisory Authority is sufficient. After being notified, the Supervisory Authority may decide that the data subjects should also be informed, but that possibility is not considered in this question.
Article 33 of the GDPR, "Notification of a personal data breach to the supervisory authority", states:
"1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay."
Important: the deadline for notifying data breaches to the Supervisory Authority is commonly asked in the EXIN exam. This period is 72 hours.
PDPF Exam Question 8
Which situation is considered a data breach according to the GDPR?
Correct Answer: D
PDPF Exam Question 9
The GDPR contains several items. Which of these contains mandatory requirements?
Correct Answer: B
The GDPR has 173 recitals. The recitals help in understanding the law and its articles. The articles, 99 in total, contain the mandatory requirements of the law.
PDPF Exam Question 10
Which of these options is an example of a data breach?
Correct Answer: B
Here is a catch between the options "Loss of personal data" and "Transfer of personal data outside the EU". A data breach is any unplanned event involving personal data, be it improper processing, improper sharing, loss of data, deletion, etc. That is, personal data must be used for a specific purpose and must respect its life cycle (from collection to deletion); any situation that escapes this cycle must be reported as a data breach. The transfer of personal data outside the EU can also be considered a violation if the data subject has not authorised it and the destination country does not offer legislation comparable to the GDPR. Even where there is no such legislation, the Supervisory Authority can authorise the transfer provided that the company in the destination country accepts standard contractual clauses for the processing of this data.
Article 46 of the GDPR:
"1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available."
Article 58 of the GDPR:
"3. Each supervisory authority shall have all of the following authorisation and advisory powers: (...) to authorise contractual clauses referred to in point (a) of Article 46(3)."