01. A hospital outsources its printing of patient invoices to a printing company. The printing company also prints invoices for other organizations. Due to an error, names and addresses were mixed up when they were sorted at the printing company, and a number of invoices were sent to the wrong patients.
The hospital has carefully analyzed its own processes, has a robust verification process in place, and has contractual agreements with the printing company.
Why will the hospital be held responsible by the supervisory authority?
a) Because the contract determines this
b) Because the hospital is the controller
c) Because the mix-up is between patients
d) Because the verification has gone wrong
02. Data protection officers (DPOs) are bound by secrecy or confidentiality concerning the performance of their tasks. In relation to which party is the DPO exempted from this secrecy or confidentiality to seek advice?
a) The board of directors of the company
b) The data protection and privacy network members team
c) The information security officer (ISO)
d) The supervisory authority
03. Who has the legal obligation to keep records of processing activities?
a) The chief information officer
b) The chief privacy officer
c) The controller and processor
d) The data protection officer (DPO)
04. In which situation is it required to report a personal data breach to the supervisory authority?
a) If the organization cannot resolve the incident within a timeframe of 72 hours after it has occurred
b) In any situation where there is a security threat to the rights and freedom of natural persons
c) Only if the incident is recognized as a personal data breach within a timeframe of 72 hours
d) When a personal data breach is likely to result in a risk to the rights and freedom of natural persons
05. What is not an outcome of a data protection impact assessment (DPIA)?
a) A log of access to confidential data, with an automated authorization check
b) A record of data subjects’ views on the intended processing operations
c) A systematic description of the intended processing operations
d) An assessment of risks to the rights and freedoms of data subjects
06. According to the GDPR, what information is not a mandatory part of a privacy policy?
a) Information about international transfers of personal data to a third country
b) Information about the identity and contact details of the controller
c) Information relating to data security measures in the organization
d) Information relating to retention periods and data subjects' rights
07. It is fundamental to a privacy information management system (PIMS), both in the short and long term, to be able to demonstrate how corporate policies, operating procedures, and work instructions are formulated.
This ensures that actions are traceable to management decisions and policies, and that the results are reproducible. Which requirement of the PIMS is this referring to?
a) Audit
b) Documentation
c) Management review
d) Statement of applicability (SoA)
08. The ISO/IEC 27701 standard contains a chapter dedicated to additional guidance that aligns with the ISO/IEC 27002 standard. What type of recommendations are not included in this chapter?
a) Develop privacy policies separate from or combined with information security policies
b) Ensure at least awareness training for all coworkers that handle or process personal data
c) Label all data clearly to identify where personal data is stored or otherwise processed
d) Plan internal and external audits with a specific interval depending on the audit scope
09. When a controller and a processor sign a contract for the processing of personal data, they both have specific responsibilities. Some of these responsibilities are prescribed by the GDPR and others can be arranged in the contract.
According to the GDPR, when does the processor always need written authorization by the controller?
a) When the processor contracts a company to protect data during transfers
b) When the processor contracts a third party to process personal data
c) When the processor implements a new method to collect personal data
d) When the processor implements a new method to delete personal data
10. Why should top management review the progress of the privacy information management system (PIMS)?
a) To ensure that the PIMS conforms with all relevant legal requirements
b) To ensure that the PIMS has enough privacy controls to mitigate risks
c) To ensure that the PIMS is audited regularly and is producing documents
d) To ensure that the PIMS is effective and meets corporate requirements