CDPO-Q2 – AllNet Law

This multiple choice assessment focuses on the General Data Protection Regulation (GDPR).

The purpose of the assessment is to enable you to assess the extent and depth of your knowledge of the Data Protection Law.

Format: Multiple Choice

The result will be provided immediately, with details on all questions.

Full Name

Email

1. What is data processing?

Option A is the definition of “filing system,” whereas option B is the definition of “restriction of processing.”

A. A structured set of personal data which are accessible according to specific criteria

B. An operation performed on personal data or on sets of personal data (i.e., collection, recording, organization, structuring, etc.)

C. Stored personal data with the aim of limiting their processing

2. In which category of personal data does bank information fall under?

Data on biography includes date of birth, marital status, social security number, criminal records, email address, phone number, residence address, and bank information.

A. Data on private life

B. Data on health

C. Data on biography

3. Which data protection principle is breached if the collected data is used for purposes not communicated to the data subject?

The principle of purpose limitation promotes the processing of personal data for the purposes communicated to the data subject. Purpose limitation means that personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

A. Storage limitation

B. Purpose limitation

C. Integrity and confidentiality

4. Certification against _______________ is the closest an organization can get to prove that it has set up the processes, procedures, and policies for compliance with the GDPR requirements.

The certification against ISO/IEC 27701, which specifies requirements and provides guidance for a privacy information management system (PIMS), is regarded as the closest an organization can get to prove that it has engaged in efforts to ensure compliance with the GDPR requirements.

A. ISO/IEC 27701

B. ISO/IEC 27001

C. ISO 22301

5. What should an organization conduct to determine whether it has a legitimate interest in processing personal data?

The organization needs to conduct a Legitimate Interests Assessment (LIA) before the processing of personal data so as to prove that legitimate interests basis applies; thus, processing and collecting personal data without asking the data subject for consent.

A. Legitimate Interests Test

B. Legitimate Interests Balancing Test

C. Legitimate Interests Assessment

6. A person has asked to transmit their personal data from one university to another. This means that they exercised the right to:

Data subjects have the right to transfer, copy, or move personal data from one controller to another in a secure and safe way and in a frequently used and machine-readable format. When it is technically possible, data subjects also have the right to have their data transferred directly from a controller to another without having to handle the data.

A. Data portability

B. Consent

C. Erasure

7. The subject’s right to object the processing of their personal data can be limited if the processing is conducted:

Data subjects have the right to object the processing of their personal data. However, this right cannot be exercised if personal data processing is conducted for the common public interest.

A. For direct marketing purposes

B. On automated decision-making

C. For the common public interest

8. What is data minimization?

Data minimization refers to the principle of processing personal data that shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

A. Personal data that are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed

B. Personal data that are processed beyond the legitimate purpose defined

C. Personal data whose confidentiality, integrity, and availability are ensured throughout their lifecycle

Scenario-based quiz 1: Sections 2-3

Rudi is an event planning company operating in Germany, specializing in corporate events, dinner galas, conferences, and private events. As part of its operations, it has collected, stored, and processed large amounts of personal data.

They want to introduce a personalized marketing campaign for a discount aimed at businesses owned by women. To do so, they need to use clients’ personal information. In the past, the company has shared their clients’ personal data with a PR company based in the US, who has used the data to implement promotional product campaigns for companies operating in Germany.

In one of the events organized recently, it was decided that Rudi would be compensated based on the number of participants that attend the event. One employee registered all participants that attended the event, using their names and email addresses. Two months following the event, the list of emails was added to the list of Rudi’s monthly recipients of newsletters.

Being aware of the GDPR and the rights granted to data subjects, a number of clients have requested from Rudi to have their personal data erased, maintaining that this is an absolute right that can be exercised regardless of any circumstance.

Based on the scenario above, answer the following questions:

Rudi used personal information of clients to send all female customers a discount offer. Which right could data subjects exercise to stop this from happening?

This case refers to the right to object to processing of personal data, including profiling. Data subjects have the right to object processing of their personal data without their explicit consent. Furthermore, data subjects have the right to stop personal data from being incorporated into direct marketing databases.

A. The right to data portability

B. The right to object

C. The right to correction

2. Which data protection principle was compromised when Rudi shared clients’ data to the PR company based in the US?

Sharing data to another party without the subjects’ consent and beyond the scope of data collection purpose breaches the principle of purpose limitation.

A. Purpose limitation

B. Accuracy

C. Data minimization

3. Rudi used the list of emails collected for the purpose of the event to send them monthly newsletters. According to the GDPR, data should not be processed to serve purposes other the one it was collected. Under which circumstances is further processing allowed?

According to Article 5 of GDPR, further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes is not considered to be incompatible with the initial purposes (purpose limitation). Therefore, it is regarded as lawful if data is further processed for these purposes.

A. Scientific and statistical purposes

B. Direct marketing

C. Commercial purposes

4. Two months following the event, the list of emails that were obtained were added to the list of Rudi’s monthly recipients of newsletters. Which data protection principle was breached in this case?

The principle of storage limitation is breached if the company does not dispose of such data after they have served their purpose.

A. Accuracy

B. Confidentiality

C. Storage limitation

5. Upon request, Rudi should erase the clients’ personal data, as the right to be forgotten is an absolute right that can be exercised regardless of circumstances.

The right to be forgotten is not an absolute right. For instance, the right to be forgotten cannot be exercised if the processing is necessary for achieving purposes in the public interest, for the establishment, exercise, or defense of legal claims, etc.

A. True

B. False