
GDPR Practitioner
Quiz • Education • Professional Development • Hard
Rachana Patil
Used 3+ times
15 questions
1.
MULTIPLE CHOICE QUESTION
30 sec • 1 pt
Which of the following are mandatory reasons to appoint a DPO?
1. An organisation is a public authority (except for courts acting in their judicial capacity)
2. An organisation carries out large scale processing of special categories of data or data relating to criminal convictions and offences
3. An organisation performs large scale systematic monitoring of individuals
4. It is convenient to have a specific focus to handle breaches in PII
1 and 2 only
1, 2, and 4 only
1, 2, and 3 only
All of the above
2.
MULTIPLE CHOICE QUESTION
30 sec • 1 pt
A UK-based website, which provides a chat and social networking feature, has the following as part of its Privacy Notice: “This website contains material not suitable for children – you will not be allowed to access the chat rooms unless you are at least 16 years of age”.
From the following statements, select the one that most correctly provides the GDPR perspective on the above:
“16” should be changed to “15”
This can be removed, as the age of consent varies throughout the world
“16” should be set to “13”
The website will need to take into account the derogation actioned by EU member states
This can be used with no changes
Answer explanation
This is not a “GDPR age of consent” question. The website is within its rights to insist on a minimum age (in this case 16). What it cannot do is insist that 16-year-olds have their parents sign consent for them. Also, it can’t say something like “if you are under 16 your parents must give consent for you”, as in the UK the age of GDPR consent has been fixed at 13, so anyone 13 or more MUST give consent in their own right. The age is fixed by the location of the Data Controller (in this case the UK), not the location of the Data Subject.
3.
MULTIPLE CHOICE QUESTION
30 sec • 1 pt
Which of the following are described in the GDPR as reasons for lawfully processing special information?
1. Explicit consent of the Data Subject, unless reliance on consent is prohibited by EU or Member State law
2. Processing is necessary for carrying out obligations under employment, social security, social protection law, or a collective agreement
3. Processing is necessary to protect the vital interests of the Data Subject or another individual where the Data Subject is physically or legally incapable of giving consent
4. Processing is necessary for the purposes of legitimate interests pursued by the Controller or a third party
1 and 2 only
3 and 4 only
1, 2, and 3 only
All of the above
4.
MULTIPLE CHOICE QUESTION
30 sec • 1 pt
A gym club keeps records about their members using a paper-based filing system, which they retain for 1 year after the termination of the contract. One day they receive a request from a member who cancels their contract and requests that their personal data be sent to them in “machine readable format” so that they can transfer their membership details to another business.
Which of the following responses would be compliant with the GDPR and take the least effort?
They can safely ignore the request
They can contact the member within a month and refuse
They could scan in the paper-based records and email them to the member
They could contact the Data Subject within 1 month advising that they can only send it in paper format and that it would be sent in a secure manner, and would impose an admin fee to cover the cost of postage
They can tell the member that they hold no personal information on them
Answer explanation
This is a request for “Data Portability”. The business does not have to transfer physical documents onto electronic format, so they can refuse if they wish – this is the “least effort” – but they must respond within a month either way.
5.
MULTIPLE CHOICE QUESTION
30 sec • 1 pt
From the perspective of the GDPR, which of the following must be performed when designing a new process that has a high risk to the freedom and rights of a Data Subject?
1. Inform the relevant Supervisory Authority
2. Conduct a DPIA
3. Inform and involve the DPO (or person responsible for this area)
4. Conduct a technical risk assessment
1 only
2 only
2 and 3 only
None of the above
6.
MULTIPLE CHOICE QUESTION
30 sec • 1 pt
When updating your website you accidentally overwrite the code that enforces parental consent. You inadvertently allow 10 children to provide their PII. Your systems pick up the breach and you fix the problem within 15 minutes.
Which one of the following actions is the SA most likely to take?
Issue you an order to stop processing PII
Insist that you change your IT systems
Fine you €20M or 4% of your previous year’s global turnover, whichever is greater
Fine you €10M or 2% of your previous year’s global turnover, whichever is greater
No fine as you detected the breach in a short timescale and reported it accordingly, but ask you to show how you are going to stop this occurring in the future
Answer explanation
E is the most likely of the options; a is a blanket ban and there is no justification for this in the question. In b we are not told that the problem was in the IT systems; there could have been a business process fault, for example. We think it is very unlikely that the maximum fine would be levied, especially in this relatively minor breach, so c & d are poor choices.
7.
MULTIPLE CHOICE QUESTION
30 sec • 1 pt
Which one of the following is subject to a national derogation?
How the articles are to be interpreted
Which articles can be completely discarded
What principles should be used
The notification period for a Data Breach
The level of administrative fine for a Public Authority