
Master PECB GDPR Exam with Reliable Practice Questions

Last exam update: Mar 21,2025
Question 1

Question:

According to the principle of data minimization, data must be:


Correct : C

Under Article 5(1)(c) of GDPR, data minimization requires that personal data must be adequate, relevant, and limited to what is necessary for its intended purpose.

Option C is correct because it directly reflects the GDPR's data minimization principle.

Option A is incorrect because storage limitation is a separate principle under Article 5(1)(e).

Option B is incorrect because purpose limitation (Article 5(1)(b)) is separate from data minimization.

Option D is incorrect because GDPR does not specify a fixed retention period (e.g., five years); retention should be based on necessity.


GDPR Article 5(1)(c) (Data minimization principle)

Recital 39 (Controllers must collect only necessary data)

Question 2

Scenario:

Bankbio is a financial institution that handles personal data of its customers. Its data processing activities involve processing that is necessary for the legitimate interests pursued by the institution. In such cases, Bankbio processes personal data without obtaining consent from data subjects.

Question:

Is the data processing lawful under GDPR?


Correct : A

Under Article 6(1)(f) of GDPR, processing is lawful if it is necessary for the legitimate interests of the controller, unless overridden by the data subject's rights and freedoms.

Option A is correct because legitimate interest is a valid legal basis for processing under GDPR.

Option B is incorrect because explicit consent is not required if another legal basis (such as legitimate interest) applies.

Option C is incorrect because legitimate interest does not apply in all cases; the rights of the data subject may override it.

Option D is incorrect because financial institutions are not required to obtain explicit consent for all processing activities.


GDPR Article 6(1)(f) (Legitimate interest as a lawful basis)

Recital 47 (Legitimate interest includes preventing fraud and ensuring security)

Question 3

Question:

According to Article 82 of GDPR, when must a processor be held liable for damage caused by processing?


Correct : B

Under Article 82(2) of GDPR, processors can be held liable for data breaches if they act outside or against the controller's instructions. Processors must comply with the controller's directives or be held accountable.

Option B is correct because processors are liable if they fail to follow the controller's instructions.

Option A is incorrect because processors do not take instructions directly from data subjects.

Option C is incorrect because DPOs do not issue legally binding instructions to processors.

Option D is incorrect because processors share liability under GDPR.


GDPR Article 82(2) (Processor liability for non-compliance)

Recital 146 (Joint liability between controllers and processors)

Question 4

Scenario:

Pinky, a retail company, received a request from a data subject to identify which purchases they had made at different physical store locations. However, Pinky does not link purchase records to customer identities, since purchases do not require account creation.

Question:

Should Pinky process additional information from customers in order to identify the data subject as requested?


Correct : C

Under Article 11(1) of GDPR, controllers are not required to process additional data for the sole purpose of identifying data subjects if such identification is not needed for processing.

Option C is correct because Pinky does not store identifiable purchase data, so it is not required to create additional records.

Options A and B are incorrect because GDPR does not obligate controllers to process additional data if identification is unnecessary.

Option D is incorrect because Pinky cannot require additional information when it does not have a basis to process identity-linked data.


GDPR Article 11(1) (Controllers are not required to process extra data for identification)

Recital 57 (Data controllers should avoid collecting unnecessary identity data)

Question 5

Scenario 6:

Bus Spot is one of the largest bus operators in Spain. The company has operated in local transport and bus rental since 2009. The success of Bus Spot can be attributed to the digitization of the bus ticketing system, through which clients can easily book tickets and stay up to date on any changes to their arrival or departure time. In recent years, due to the large number of passengers transported daily, Bus Spot has dealt with different incidents including vandalism, assaults on staff, and fraudulent injury claims. Considering the severity of these incidents, the need for having strong security measures had become crucial. Last month, the company decided to install a CCTV system across its network of buses. This security measure was taken to monitor the behavior of the company's employees and passengers, enabling crime prevention and ensuring safety and security. Following this decision, Bus Spot initiated a data protection impact assessment (DPIA). The outcome of each step of the DPIA was documented as follows:

Step 1: In all 150 buses, two CCTV cameras will be installed. Only individuals authorized by Bus Spot will have access to the information generated by the CCTV system. CCTV cameras capture images only when Bus Spot's buses are being used. The CCTV cameras will record images and sound. The information is transmitted to a video recorder and stored for 20 days. In case of incidents, CCTV recordings may be stored for more than 40 days and disclosed to a law enforcement body. Data collected through the CCTV system will be processed by another organization. The purpose of processing this type of information is to increase the security and safety of individuals and prevent criminal activity.

Step 2: All employees of Bus Spot were informed of the installation of a CCTV system. As the data controller, Bus Spot will have the ultimate responsibility to conduct the DPI


Correct : A, A

Under Article 35(7)(b) of GDPR, a DPIA must include an assessment of the necessity and proportionality of processing. This ensures that data processing is lawful, limited, and justified. Bus Spot missed this step, which is essential for verifying the lawful basis for processing CCTV data.

Option A is correct because the necessity and proportionality assessment was required but not completed.

Option B is incorrect because Bus Spot documented data processing activities in the DPIA.

Option C is incorrect because not aligning with GDPR guidelines does not automatically invalidate a DPIA.

Option D is incorrect because prior approval from a supervisory authority is only required if high-risk processing is detected without sufficient mitigation measures (Article 36).


GDPR Article 35(7)(b) (Necessity and proportionality in DPIAs)

Recital 90 (Assessing necessity in a DPIA)
