CDPO-Q7 – AllNet Law

This multiple choice assessment focuses on the General Data Protection Regulation (GDPR).

The purpose of the assessment is to enable you to assess the extent and depth of your knowledge of the Data Protection Law.

Format: Multiple Choice

The result will be provided immediately, with details on all questions.

Full Name

Email

1. The requirement to maintain records of processing is obligatory for organizations that have 250 employees or more.

Records of processing activities should be maintained by the processor. Those requirements are not applicable for organizations with fewer than 250 employees.

A. True

B. False

2. Which of the following factors influences the maintenance of processing records for organizations of all sizes?

The factors that influence the maintenance of processing records for organizations of all sizes are the possibility of the processing to result in a high risk to the rights and freedoms of data subjects, if the processing is not occasional, or the processing includes special categories of data, or data related to criminal convictions.

A. The processing is likely to result in a high risk to the rights and freedoms of data subjects

B. The processing is occasional

C. High volumes of data are processed

3. Why is the identification of processing activities important?

The identification of processing activities enables the controller and processor to obtain a clear view of the data that circulates in the organization.

A. Because it demonstrates that the language used is appropriate

B. Because it enables the controller and processor to obtain a clear view of the data that circulates in the organization

C. Because it demonstrates to data subjects that the organization complies with GDPR principles

4. What is the first step in creating and maintaining records of processing activities?

Creating and maintaining records of processing activities has three steps: collect relevant information, create a list of the processing activities, and review and update the records.

Identify the MOST appropriate lawful basis for processing:

A. The identification of gaps between the current and desired state

B. The determination of who owns and has access to data

C. The collection of relevant information

5. The DPO should not evaluate whether the requirements of records of processing activities that deal with personal data transfers to international organizations are being met while transferring the data.

The DPO should evaluate whether the requirements of records of processing activities of organizations that deal with personal data transfers to international organizations are being met, along with the appropriate measures while transferring the data.

A. True

B. False

6. Which statement is true?

The data protection officer should monitor if the controller or the processor is continually maintaining data processing records, focusing on the type of personal data are processed, the purpose of processing personal data, etc.

A. The DPO should monitor if the controller or the processor is continually maintaining data processing records

B. The controller should monitor if the DPO or the processor is continually maintaining data processing records

C. The processor should monitor if the DPO is continually maintaining data processing records

7) What does Data Minimisation mean?

Only processing data, which is adequate, relevant, and limited to what is necessary.

Compressing digital data files.

Writing people's data down in shorthand.

Using and storing only electronic files.

8) "It's not enough to just follow the Regulation, you also need to PROVE that you're following the Regulation". Which Principle of the GDPR does this apply to?

Accountability

Storage Limitation

Integrity and Confidentiality

Accuracy

10) Based on Article 5(1)(b) of the GDPR, what is the impact of the interpretation of the word 'incompatible'?

Dictates level of security a processor must follow when using and storing personal data for two different purposes B. sets the standard for the level of detail a controller must record when documenting the purpose for collecting personal data as you can only further process for compatible reasons to the original reason you give for processing....) C. Indicates the degree of flexibility a controller has in using personal data in ways that vary from the original purpose D. Indicates the authority the Data Protection Authority has over the use of the personal data

Sets the standard for the level of detail a controller must record when documenting the purpose for collecting personal data as you can only further process for compatible reasons to the original reason you give for processing....)

Indicates the degree of flexibility a controller has in using personal data in ways that vary from the original purpose

Indicates the authority the Data Protection Authority has over the use of the personal data

9) A research company has an email subscription scheme which allows study subjects to provide their name and email address in order to receive news about a study. Unknown to the subjects the company also sells this data to other organisations who develop medical apps. This is a breach of which Principle of the GDPR?

Storage Limitation

Purpose Limitation

Accuracy

Data Minimisation