CDPO Q13 – AllNet Law

This multiple choice assessment focuses on the General Data Protection Regulation (GDPR).

The purpose of the assessment is to enable you to assess the extent and depth of your knowledge of the Data Protection Law.

Format: Multiple Choice

The result will be provided immediately, with details on all questions.

Full Name

Email

1. What is the purpose of training sessions?

The aim of a training session is to assist participants in acquiring knowledge and skills, and potentially changing behaviors to meet specific requirements. Option B is the purpose of awareness sessions, whereas option C is the purpose of communication.

A. To help participants acquire the knowledge, skills, and behavior needed to meet specific requirements

B. To increase awareness among participants concerning a topic and change their behavior

C. To inform participants on a particular topic

2. Who is responsible for conducting awareness and training sessions for the staff involved in data processing?

The DPO should provide awareness and training sessions on data protection within the organization, particularly to those involved in the processing of personal data.

A. The processor

B. The top management representatives

C. The DPO

3. During the “reaction” level of the Kirkpatrick four-level model, the DPO:

During the “reaction” level, the DPO evaluates the general reaction of the trainees to the training and how engaged the trainees were during the training.

A. Evaluates how engaged the trainees were during the training

B. Evaluates the impact of the training in the behavior of the employees

C. Evaluates if the trainees are applying the new acquired knowledge and skills

4. According to the GDPR, who is the contact point of data subjects?

The DPO acts as a contact point on all issues that data subjects may have regarding the processing of their personal data.

Identify the MOST appropriate lawful basis for processing:

A. The controller

B. The supervisory authority

C. The DPO

5. For as long as the DPO acts as the data subjects’ contact points, they are also the representative of the organization concerning personal data processing.

Being the data subject’s contact point does not imply that the DPO is the representative of the organization.

A. True

B. False

6) Which of the following Article 9 (GDPR) conditions of processing may be used to store health data after the completion of the study?

Legitimate interests.

Public health.

Contract

Profiling.

7) What does Data Minimisation mean?

Only processing data, which is adequate, relevant, and limited to what is necessary.

Compressing digital data files.

Writing people's data down in shorthand.

Using and storing only electronic files.

8) "It's not enough to just follow the Regulation, you also need to PROVE that you're following the Regulation". Which Principle of the GDPR does this apply to?

Accountability

Storage Limitation

Integrity and Confidentiality

Accuracy

10) Based on Article 5(1)(b) of the GDPR, what is the impact of the interpretation of the word 'incompatible'?

Dictates level of security a processor must follow when using and storing personal data for two different purposes B. sets the standard for the level of detail a controller must record when documenting the purpose for collecting personal data as you can only further process for compatible reasons to the original reason you give for processing....) C. Indicates the degree of flexibility a controller has in using personal data in ways that vary from the original purpose D. Indicates the authority the Data Protection Authority has over the use of the personal data

Sets the standard for the level of detail a controller must record when documenting the purpose for collecting personal data as you can only further process for compatible reasons to the original reason you give for processing....)

Indicates the degree of flexibility a controller has in using personal data in ways that vary from the original purpose

Indicates the authority the Data Protection Authority has over the use of the personal data

9) A research company has an email subscription scheme which allows study subjects to provide their name and email address in order to receive news about a study. Unknown to the subjects the company also sells this data to other organisations who develop medical apps. This is a breach of which Principle of the GDPR?

Storage Limitation

Purpose Limitation

Accuracy

Data Minimisation