Free PDP9 Exam Braindumps (page: 4)

Of the following options which is NOT a purpose of carrying out a Data Protection Impact Assessment (DPIA)?

  1. It is necessary to fulfil the requirement that all DPIAs are submitted to the ICO
  2. It is key to the accountability element of the GDPR.
  3. It fulfils a requirement that data protection is carried out by design and default.
  4. It assists in identifying the main risks that may exist in any use of data, so that they can be mitigated

Answer(s): A

Explanation:

Submitting every DPIA to the ICO is not a purpose of a DPIA, because the GDPR imposes no such requirement. Article 36 requires the controller to consult the ICO before processing only where the DPIA indicates that the processing would result in a high risk to individuals and the controller cannot take measures to mitigate that risk. Only DPIAs that identify a high residual risk therefore go to the ICO. The other three options are genuine purposes of a DPIA: it demonstrates accountability (Article 5(2)), supports data protection by design and by default (Article 25), and identifies the main risks to individuals' rights and freedoms so that they can be mitigated.


Reference:

Article 35 and 36 of the GDPR
ICO guidance on DPIAs



You are a consulting Data Protection Officer (DPO) for a holiday resort. You have been asked to conduct a Data Protection Impact Assessment (DPIA) for them in advance of adopting a new HR management database.
While working through the DPIA, which of the following is NOT a requirement?

  1. Describe the processing
  2. Sign off and record outcomes.
  3. Identify measures to mitigate the risks
  4. Publish any potential risks in your information notice.

Answer(s): D

Explanation:

A DPIA is a process to help identify and minimise the data protection risks of a project that is likely to result in a high risk to individuals. Under Article 35(7) of the UK GDPR a DPIA must contain at least:
a systematic description of the envisaged processing and its purposes, including, where applicable, the legitimate interests pursued by the controller;
an assessment of the necessity and proportionality of the processing in relation to its purposes;
an assessment of the risks to the rights and freedoms of individuals; and
the measures envisaged to address those risks and to demonstrate compliance with the UK GDPR.
Signing off and recording the outcomes is part of the ICO's recommended DPIA process. There is no requirement to publish the potential risks in the information (privacy) notice, which is the document that tells individuals how their personal data is processed, as required by Articles 13 and 14 of the UK GDPR. Doing so may nevertheless be good practice, as is consulting individuals or their representatives where appropriate (Article 35(9)) as part of the DPIA. This can enhance transparency, trust and accountability, and surface additional risks or concerns from the data subjects' perspective.


Reference:

Article 35(7) of the UK GDPR

Article 13 and 14 of the UK GDPR



Which of the following statements are CORRECT about records of processing?
A. It must contain contact details for the Data Protection Officer where applicable.
B. It must be submitted to the Information Commissioner's Office following every Data Protection Impact Assessment.
C. It is mandatory for all data processors.
D. The controller or the processor must make the record available to the supervisory authority on request.
E. It must contain contact details for the supervisory authority.

  1. B, C, and D
  2. A, C, and E
  3. A, C, D, and E
  4. A, C, and D

Answer(s): D

Explanation:

Article 30 of the UK GDPR requires both controllers and processors to maintain records of their processing activities, subject to the limited exemption in Article 30(5) for organisations with fewer than 250 employees whose processing is occasional, low risk and does not involve special category or criminal offence data. The controller's record must contain, among other things:
the name and contact details of the controller and, where applicable, any joint controller, the controller's representative and the data protection officer;
the purposes of the processing;
the categories of data subjects and of personal data;
the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, for transfers under Article 49(1), the documentation of suitable safeguards;
where possible, the envisaged time limits for erasure of the different categories of data; and
where possible, a general description of the technical and organisational security measures.
The records must be in writing, including in electronic form, and the controller or processor (and their representative, where applicable) must make them available to the ICO on request (Article 30(3) and (4)). The records do not need to contain contact details of the supervisory authority, as Article 30 does not list them. Nor do they need to be submitted to the ICO following every DPIA: Article 36 only obliges the controller to consult the ICO before processing where the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate that risk.


Reference:

Article 30 of the UK GDPR
Article 35 of the UK GDPR



A privacy notice MUST NOT contain

  1. The contact details of the controller
  2. The purpose of the processing
  3. Details of the processor's staff
  4. Details of the right to lodge a complaint with the supervisory authority

Answer(s): C

Explanation:

A privacy notice is a document that provides individuals with information about how their personal data is processed, as required by Articles 13 and 14 of the UK GDPR. It must include, among other things:
the identity and contact details of the controller and, where applicable, the controller's representative and the data protection officer;
the purposes and legal basis of the processing;
the categories of personal data concerned (Article 14 only, where the data were not obtained from the data subject);
the recipients or categories of recipients of the personal data, including any third parties or international organisations;
where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision, or a reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;
the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
the existence of the data subject's rights, such as the rights of access, rectification, erasure, restriction, objection and data portability;
the existence of the right to withdraw consent at any time, where the processing is based on consent;
the right to lodge a complaint with a supervisory authority;
whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, whether the data subject is obliged to provide the personal data, and the possible consequences of failing to provide it; and
the existence of automated decision-making, including profiling, with meaningful information about the logic involved and the significance and envisaged consequences of such processing for the data subject.
A privacy notice need not contain details of the processor's staff, as this is neither listed in Articles 13 and 14 nor necessary for the data subject to understand how their personal data is processed. The controller does, however, have to tell the data subject about recipients or categories of recipients, so where personal data is shared with a processor the notice should identify the processor or the category of processor to which it belongs.


Reference:

Article 13 and 14 of the UK GDPR





