Cisco®
CompTIA
Checkpoint
ISC
EC-Council
EXIN
Fortinet
ITIL®
Juniper
PMI
Microsoft
VMware
Avaya
Google
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk®
Scrum
All Vendors
  2. Home
  3. Exams
  4. PECB
  5. GDPR

Free GDPR Exam Braindumps (page: 2)

Page 1 of 21
PDF with 80 Questions

Scenario 1:

MED is a healthcare provider located in Norway. It provides high-quality and affordable healthcare services, including disease prevention, diagnosis, and treatment. Founded in 1995, MED is one of the largest health organizations in the private sector. The company has constantly evolved in response to patients' needs.

Patients that schedule an appointment in MED's medical centers initially need to provide their personal information, including name, surname, address, phone number, and date of birth. Further checkups or admission require additional information, including previous medical history and genetic dat

  1. When providing their personal data, patients are informed that the data is used for personalizing treatments and improving communication with MED's doctors. Medical data of patients, including children, are stored in the database of MED's health information system. MED allows patients who are at least 16 years old to use the system and provide their personal information independently. For children below the age of 16, MED requires consent from the holder of parental responsibility before processing their data.
    MED uses a cloud-based application that allows patients and doctors to upload and access information. Patients can save all personal medical data, including test results, doctor visits, diagnosis history, and medicine prescriptions, as well as review and track them at any time. Doctors, on the other hand, can access their patients' data through the application and can add information as needed.
    Patients who decide to continue their treatment at another health institution can request MED to transfer their data. However, even if patients decide to continue their treatment elsewhere, their personal data is still used by MED. Patients' requests to stop data processing are rejected. This decision was made by MED's top management to retain the information of everyone registered in their databases.
    The company also shares medical data with InsHealth, a health insurance company. MED's data helps InsHealth create health insurance plans that meet the needs of individuals and families.
    MED believes that it is its responsibility to ensure the security and accuracy of patients' personal data. Based on the identified risks associated with data processing activities, MED has implemented appropriate security measures to ensure that data is securely stored and processed.
    Since personal data of patients is stored and transmitted over the internet, MED uses encryption to avoid unauthorized processing, accidental loss, or destruction of data. The company has established a security policy to define the levels of protection required for each type of information and processing activity. MED has communicated the policy and other procedures to personnel and provided customized training to ensure proper handling of data processing.
    Questio n:
    If a patient requests MED to permanently erase their data, MED should:
  2. Reject the request since the medical history of patients cannot be permanently erased.
  3. Erase the personal data if it is no longer needed for its original purpose.
  4. Erase the personal data only if required to comply with a legal obligation.
  5. Refuse the request because medical data must be retained indefinitely for future reference.

Answer(s): B

Explanation:

Under Article 17 of the General Data Protection Regulation (GDPR), also known as the "Right to be Forgotten," data subjects have the right to request the erasure of their personal data when:

The data is no longer necessary for the purpose for which it was collected.

The data subject withdraws consent (where processing was based on consent).

The data was processed unlawfully.

In this scenario, if the data is no longer necessary for the original purpose (e.g., if the patient has completed their treatment and there are no legal retention obligations), MED should erase the data. However, there are exceptions under GDPR, such as legal retention requirements for medical records under national healthcare regulations.

Rejecting the request outright (Option A) is incorrect because GDPR requires controllers to assess whether retention is still necessary. Similarly, Option C is too restrictive because GDPR allows deletion even if no legal obligation mandates it. Option D is incorrect because indefinite retention is not permitted unless a valid justification exists.


Reference:

GDPR Article 17 (Right to Erasure)

Recital 65 (Clarification on when personal data can be erased)

Article 5(1)(e) (Storage limitation principle)



Scenario 1:

MED is a healthcare provider located in Norway. It provides high-quality and affordable healthcare services, including disease prevention, diagnosis, and treatment. Founded in 1995, MED is one of the largest health organizations in the private sector. The company has constantly evolved in response to patients' needs.
Patients that schedule an appointment in MED's medical centers initially need to provide their personal information, including name, surname, address, phone number, and date of birth. Further checkups or admission require additional information, including previous medical history and genetic dat

  1. When providing their personal data, patients are informed that the data is used for personalizing treatments and improving communication with MED's doctors. Medical data of patients, including children, are stored in the database of MED's health information system. MED allows patients who are at least 16 years old to use the system and provide their personal information independently. For children below the age of 16, MED requires consent from the holder of parental responsibility before processing their data.
    MED uses a cloud-based application that allows patients and doctors to upload and access information. Patients can save all personal medical data, including test results, doctor visits, diagnosis history, and medicine prescriptions, as well as review and track them at any time. Doctors, on the other hand, can access their patients' data through the application and can add information as needed.
    Patients who decide to continue their treatment at another health institution can request MED to transfer their data. However, even if patients decide to continue their treatment elsewhere, their personal data is still used by MED. Patients' requests to stop data processing are rejected. This decision was made by MED's top management to retain the information of everyone registered in their databases.
    The company also shares medical data with InsHealth, a health insurance company. MED's data helps InsHealth create health insurance plans that meet the needs of individuals and families.
    MED believes that it is its responsibility to ensure the security and accuracy of patients' personal data. Based on the identified risks associated with data processing activities, MED has implemented appropriate security measures to ensure that data is securely stored and processed.
    Since personal data of patients is stored and transmitted over the internet, MED uses encryption to avoid unauthorized processing, accidental loss, or destruction of data. The company has established a security policy to define the levels of protection required for each type of information and processing activity. MED has communicated the policy and other procedures to personnel and provided customized training to ensure proper handling of data processing.
    Questio n:
    Based on scenario 1, is the processing of children's personal data performed by MED in compliance with GDPR?
  2. No, the processing of personal data of children below the age of 16 years is not in compliance with the GDPR, even if parental consent is provided.
  3. Yes, the processing of children's personal data below the age of 16 years with parental consent is in compliance with GDPR.
  4. No, MED must obtain explicit consent from the child, regardless of parental consent, for the processing to be in compliance with GDPR.
  5. Yes, as long as the processing is conducted with industry-standard encryption.

Answer(s): B

Explanation:

Under Article 8 of the GDPR, the processing of personal data of children under 16 years is only lawful if parental or guardian consent is obtained. However, Member States can lower the age limit to 13 years if they choose.

In this scenario, MED requires parental consent for children below 16 years, which aligns with GDPR requirements. Therefore, Option B is correct. Option A is incorrect because GDPR allows parental consent. Option C is incorrect because GDPR does not require explicit consent from the child when parental consent is given. Option D is incorrect because encryption alone does not determine compliance.


Reference:

GDPR Article 8 (Conditions for children's consent)

Recital 38 (Protection of children's data)



Scenario 1:

MED is a healthcare provider located in Norway. It provides high-quality and affordable healthcare services, including disease prevention, diagnosis, and treatment. Founded in 1995, MED is one of the largest health organizations in the private sector. The company has constantly evolved in response to patients' needs.

Patients that schedule an appointment in MED's medical centers initially need to provide their personal information, including name, surname, address, phone number, and date of birth. Further checkups or admission require additional information, including previous medical history and genetic dat

  1. When providing their personal data, patients are informed that the data is used for personalizing treatments and improving communication with MED's doctors. Medical data of patients, including children, are stored in the database of MED's health information system. MED allows patients who are at least 16 years old to use the system and provide their personal information independently. For children below the age of 16, MED requires consent from the holder of parental responsibility before processing their data.
    MED uses a cloud-based application that allows patients and doctors to upload and access information. Patients can save all personal medical data, including test results, doctor visits, diagnosis history, and medicine prescriptions, as well as review and track them at any time. Doctors, on the other hand, can access their patients' data through the application and can add information as needed.
    Patients who decide to continue their treatment at another health institution can request MED to transfer their data. However, even if patients decide to continue their treatment elsewhere, their personal data is still used by MED. Patients' requests to stop data processing are rejected. This decision was made by MED's top management to retain the information of everyone registered in their databases.
    The company also shares medical data with InsHealth, a health insurance company. MED's data helps InsHealth create health insurance plans that meet the needs of individuals and families.
    MED believes that it is its responsibility to ensure the security and accuracy of patients' personal data. Based on the identified risks associated with data processing activities, MED has implemented appropriate security measures to ensure that data is securely stored and processed.
    Since personal data of patients is stored and transmitted over the internet, MED uses encryption to avoid unauthorized processing, accidental loss, or destruction of data. The company has established a security policy to define the levels of protection required for each type of information and processing activity. MED has communicated the policy and other procedures to personnel and provided customized training to ensure proper handling of data processing.
    Questio n:
    Considering the nature of data processing activities described in scenario 1, is GDPR applicable to MED?
  2. Yes, GDPR is applicable to MED due to its processing activities involving personal information.
  3. Yes, MED's use of cloud-based software to store and process health-related information necessitates compliance with GDPR's data protection requirements.
  4. No, MED's activities include healthcare services within one of the four EFTA states, which do not fall under the scope of GDPR.
  5. No, because MED operates only in Norway, and GDPR does not apply to domestic processing.

Answer(s): A

Explanation:

GDPR applies to any organization that processes personal data of individuals within the European Economic Area (EEA), regardless of the organization's location. Since MED is based in Norway, which is an EEA country, and processes personal health data, it must comply with GDPR.

Option A is correct because GDPR applies to all controllers and processors within the EEA. Option B is misleading because while cloud-based software is relevant, the primary reason GDPR applies is MED's processing of personal data. Option C is incorrect because EFTA states (including Norway) are subject to GDPR. Option D is incorrect because GDPR applies to all personal data processing in the EEA.


Reference:

GDPR Article 3 (Territorial Scope)

Recital 22 (GDPR applies to EEA countries)



Scenario 1:

MED is a healthcare provider located in Norway. It provides high-quality and affordable healthcare services, including disease prevention, diagnosis, and treatment. Founded in 1995, MED is one of the largest health organizations in the private sector. The company has constantly evolved in response to patients' needs.

Patients that schedule an appointment in MED's medical centers initially need to provide their personal information, including name, surname, address, phone number, and date of birth. Further checkups or admission require additional information, including previous medical history and genetic dat

  1. When providing their personal data, patients are informed that the data is used for personalizing treatments and improving communication with MED's doctors. Medical data of patients, including children, are stored in the database of MED's health information system. MED allows patients who are at least 16 years old to use the system and provide their personal information independently. For children below the age of 16, MED requires consent from the holder of parental responsibility before processing their data.
    MED uses a cloud-based application that allows patients and doctors to upload and access information. Patients can save all personal medical data, including test results, doctor visits, diagnosis history, and medicine prescriptions, as well as review and track them at any time. Doctors, on the other hand, can access their patients' data through the application and can add information as needed.
    Patients who decide to continue their treatment at another health institution can request MED to transfer their data. However, even if patients decide to continue their treatment elsewhere, their personal data is still used by MED. Patients' requests to stop data processing are rejected. This decision was made by MED's top management to retain the information of everyone registered in their databases.
    The company also shares medical data with InsHealth, a health insurance company. MED's data helps InsHealth create health insurance plans that meet the needs of individuals and families.
    MED believes that it is its responsibility to ensure the security and accuracy of patients' personal data. Based on the identified risks associated with data processing activities, MED has implemented appropriate security measures to ensure that data is securely stored and processed.
    Since personal data of patients is stored and transmitted over the internet, MED uses encryption to avoid unauthorized processing, accidental loss, or destruction of data. The company has established a security policy to define the levels of protection required for each type of information and processing activity. MED has communicated the policy and other procedures to personnel and provided customized training to ensure proper handling of data processing.

    Questio n:
    Based on scenario 1, MED shares patients' personal data with a health insurance company. Does MED comply with the purpose limitation principle?
  2. Yes, personal data may be used for purposes in the public interest or statistical purposes in accordance with Article 89 of GDPR.
  3. Yes, using personal data for creating health insurance plans is within the scope of the data collection purpose.
  4. No, personal data should be collected for specified, explicit, and legitimate purposes in accordance with Article 5 of GDPR.
  5. Yes, as long as the data is encrypted before sharing.

Answer(s): C

Explanation:

Under Article 5(1)(b) of GDPR, personal data must be collected for specific, explicit, and legitimate purposes and cannot be further processed in a manner incompatible with those purposes. Sharing medical data with an insurance company is a separate purpose and requires explicit consent or another lawful basis.


Reference:

GDPR Article 5(1)(b) (Purpose limitation)






Post your Comments and Discuss PECB GDPR exam with other Community members: