Free PDP9 Exam Braindumps (page: 5)


What factors should be considered when looking at security of processing under Article 32 of the GDPR?
Select the INCORRECT answer

  1. Lawfulness of processing
  2. The most secure option available
  3. The likelihood of a risk to the rights of the data subjects
  4. Adherence to an approved code of conduct

Answer(s): A

Explanation:

Lawfulness of processing is not a factor that should be considered when looking at security of processing under Article 32 of the GDPR. Lawfulness of processing is a separate requirement that applies to all processing of personal data, regardless of the level of security. Security of processing under Article 32 of the GDPR should be based on the following factors:
The state of the art and the costs of implementation of the security measures;
The nature, scope, context and purposes of the processing;
The risk of varying likelihood and severity for the rights and freedoms of natural persons;
Adherence to an approved code of conduct or an approved certification mechanism (as an element to demonstrate compliance).


Reference:

Article 32 of the GDPR
Guidelines 07/2020 on the concepts of controller and processor in the GDPR, p. 36



Which of the following is NOT a processor obligation?

  1. To follow the instructions of the controller in processing personal data
  2. To consult the controller prior to appointing any processor.
  3. To provide the controller with corporate information relating to its board members.
  4. To inform the controller of any intended changes of other processors so they can object

Answer(s): C

Explanation:

Providing the controller with corporate information relating to its board members is not a processor obligation under the GDPR. The processor obligations under the GDPR are mainly the following:
To process the personal data only on documented instructions from the controller, unless required by law;
To ensure that persons authorised to process the personal data are bound by confidentiality;
To implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk;
To not engage another processor without the prior authorisation of the controller;
To assist the controller in fulfilling its obligations regarding data subject rights, data protection impact assessments, prior consultations, and data breach notifications;
To delete or return the personal data to the controller at the end of the service, unless required by law to store the data;
To make available to the controller all information necessary to demonstrate compliance and allow for audits and inspections.


Reference:

Article 28 of the GDPR
Guidelines 07/2020 on the concepts of controller and processor in the GDPR, pp. 37-41



Two businesses decide to work together to sell their products by mail order. Orders are made via a single online website, and they each use their existing employees to administer and update each other's orders on a single order system, regardless of product.
Which of the below is CORRECT regarding the roles of the two businesses in relation to the single order system?

  1. They are controllers of their own information contained in the single order system only
  2. They are controllers of their own information in the single order system and processors of the information they process on behalf of the other business.
  3. The businesses are controllers of their respective information, and the staff are processors of this information
  4. They are both joint controllers of the information contained in the single order system

Answer(s): D

Explanation:

The two businesses are both joint controllers of the information contained in the single order system, because they jointly determine the purposes and means of the processing. They have a shared purpose of selling their products by mail order and they agree on the means of processing by using a single online website and a single order system. Their decisions complement each other and are necessary for the processing to take place. The processing by each party is inseparable and inextricably linked. Therefore, they meet the criteria for joint controllership under the GDPR.


Reference:

Article 26 of the GDPR
Guidelines 07/2020 on the concepts of controller and processor in the GDPR, pp. 16-24



Describe the act of processing under the authority of a controller or processor as stipulated in UK GDPR Article 29.

  1. The processor shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
  2. A processor shall not process those data except on instructions from the controller, unless required to do so by domestic law
  3. Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller.
  4. The processor shall consult the supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the processor to mitigate the risk.

Answer(s): B

Explanation:

Article 29 of UK GDPR states that the processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by domestic law. This means that the processor must follow the controller's directions on how to handle the personal data, and cannot use it for its own purposes or deviate from the agreed terms. The only exception is when the processor is obliged by law to process the data in a different way, for example, to comply with a court order or a legal obligation. The other options are not related to Article 29, but to other articles of UK GDPR, such as Article 25 (data protection by design and by default), Article 30 (records of processing activities), and Article 36 (prior consultation).


Reference:

Article 29 of UK GDPR
ICO guidance on controllers and processors





