GDPR Practitioner

Which of the following are mandatory reasons to appoint a DPO?

1. An organisation is a public authority (except for courts acting in their judicial capacity)

2. An organisation carries out large scale processing of special categories of data or data relating to criminal convictions and offences

3. An organisation performs large scale systematic monitoring of individuals

4. It is convenient to have a specific focus to handle breaches inPII

A UK-based website, which provides a chat and social networking feature, has the following as part of its Privacy Notice: “This website contains material not suitable for children – you will not be allowed to access the chat rooms unless you are at least 16 years of age“.

From the following statements, select the one that most correctly provides the GDPR perspective on the above:

Which of the following are described in the GDPR as reasons for lawfully processing special information?

1. Explicit consent of the Data Subject, unless reliance on consent is prohibited by EU or Member State law

2. Processing is necessary for carrying out obligations under employment, social security, social protection law, or a collective agreement

3. Processing is necessary to protect the vital interests of the Data Subject or another individual where the Data Subject is physically or legally incapable of giving consent

4. Processing is necessary for the purposes of legitimate interests pursued by the Controller or a third party

A gym club keeps records about their members using a paper-based filing system, which they retain for 1 year after the termination of the contract. One day they receive a request from a member who cancels their contract and requests that their personal data be sent to them in “machine readable format” so that they can transfer their membership details to another business.

Which of the following responses would be compliant with the GDPR and take the least effort?

From the perspective of the GDPR, which of the following must be performed when designing a new process that has a high risk to the freedom and rights of a Data Subject?

1. Inform the relevant Supervisory Authority

2. Conduct a DPIA

3. Inform and involve the DPO (or person responsible for this area)

4. Conduct a technical risk assessment

When updating your website you accidently overwrite the code that enforces parental consent. You inadvertently allow 10 children to provide their PII. Your systems pick up the breach and you fix the problem within 15 minutes.

Which one of the following actions is the SA most likely to take?

Which one of the following is subject to a national derogation

You administer a car park for a hospital located near the centre of your town. A visitor, from outside your area, parked in an ambulance bay and then walked into town to do some shopping. The visitor has refused to pay the civil penalty issued by your parking partners, claiming a misunderstanding. Your parking partners are pursuing a civil claim through the courts, and pictures of the offence are held on a secure server on your premises. The visitor contacts you exercising their right to be forgotten.

Using the above and your knowledge of the GDPR, which of the following is the most appropriate response?

Which ONE of the following would a UK-based Medical Practice be most likely to need explicit consent from their patients for?

A hospital holds patient details and the schedule for operations in encrypted files on a server. One day a group of hackers introduce a virus that locks out the data on that server making it unavailable. While the hackers could not obtain the personal information as they could not break the encryption, the attack resulted in several cancelled operations while the response team corrected the problem. No lives were lost but people were inconvenienced.

Which one of the following BEST describes how the hospital should handle their obligations under the GDPR?