Free GDPR Exam Braindumps (page: 3)

Page 2 of 21

Scenario 1:

MED is a healthcare provider located in Norway. It provides high-quality and affordable healthcare services, including disease prevention, diagnosis, and treatment. Founded in 1995, MED is one of the largest health organizations in the private sector. The company has constantly evolved in response to patients' needs.

Patients that schedule an appointment in MED's medical centers initially need to provide their personal information, including name, surname, address, phone number, and date of birth. Further checkups or admission require additional information, including previous medical history and genetic dat

  1. When providing their personal data, patients are informed that the data is used for personalizing treatments and improving communication with MED's doctors. Medical data of patients, including children, are stored in the database of MED's health information system. MED allows patients who are at least 16 years old to use the system and provide their personal information independently. For children below the age of 16, MED requires consent from the holder of parental responsibility before processing their data.
    MED uses a cloud-based application that allows patients and doctors to upload and access information. Patients can save all personal medical data, including test results, doctor visits, diagnosis history, and medicine prescriptions, as well as review and track them at any time. Doctors, on the other hand, can access their patients' data through the application and can add information as needed.
    Patients who decide to continue their treatment at another health institution can request MED to transfer their data. However, even if patients decide to continue their treatment elsewhere, their personal data is still used by MED. Patients' requests to stop data processing are rejected. This decision was made by MED's top management to retain the information of everyone registered in their databases.
    The company also shares medical data with InsHealth, a health insurance company. MED's data helps InsHealth create health insurance plans that meet the needs of individuals and families.
    MED believes that it is its responsibility to ensure the security and accuracy of patients' personal data. Based on the identified risks associated with data processing activities, MED has implemented appropriate security measures to ensure that data is securely stored and processed.
    Since personal data of patients is stored and transmitted over the internet, MED uses encryption to avoid unauthorized processing, accidental loss, or destruction of data. The company has established a security policy to define the levels of protection required for each type of information and processing activity. MED has communicated the policy and other procedures to personnel and provided customized training to ensure proper handling of data processing.

    Questio n:
    Based on scenario 1, which data subject right is NOT guaranteed by MED?
  2. Right to be informed
  3. Right to restriction of processing
  4. Right to data portability
  5. Right to rectification

Answer(s): B

Explanation:

Under Article 18 of GDPR, the right to restriction of processing allows data subjects to request that processing of their personal data be limited under certain conditions, such as when accuracy is contested or processing is unlawful but the data subject opposes erasure.

From the scenario, MED does not provide the option to restrict processing, as patients who request to stop processing are denied. This makes Option B correct. Option A is incorrect because MED does inform patients about data collection purposes. Option C is incorrect because medical data could be transferred to other institutions. Option D is incorrect because rectification of inaccurate data is a standard obligation.


Reference:

GDPR Article 18 (Right to restriction of processing)

GDPR Article 12 (Transparent communication with data subjects)



Scenario: 2

Soyled is a retail company that sells a wide range of electronic products from top European brands. It primarily sells its products in its online platforms (which include customer reviews and ratings), despite using physical stores since 2015. Soyled's website and mobile app are used by millions of customers. Soyled has employed various solutions to create a customer-focused ecosystem and facilitate growth. Soyled uses customer relationship management (CRM) software to analyze user data and administer the interaction with customers. The software allows the company to store customer information, identify sales opportunities, and manage marketing campaigns. It automatically obtains information about each user's IP address and web browser cookies. Soyled also uses the software to collect behavioral data, such as users' repeated actions and mouse movement information. Customers must create an account to buy from Soyled's online platforms. To do so, they fill out a standard sign-up form of three mandatory boxes (name, surname, email address) and a non-mandatory one (phone number).
When the user clicks the email address box, a pop-up message appears as follows: "Soyled needs your email address to grant you access to your account and contact you about any changes related to your account and our website. For further information, please read our privacy policy.' When the user clicks the phone number box, the following message appears: "Soyled may use your phone number to provide text updates on the order status. The phone number may also be used by the shipping courier." Once the personal data is provided, customers create a username and password, which are used to access Soyled's website or app.
When customers want to make a purchase, they are also required to provide their bank account details.
When the user finally creates the account, the following message appears: "Soyled collects only the personal data it needs for the following purposes: processing orders, managing accounts, and personalizing customers' experience. The collected data is shared with our network and used for marketing purposes." Soyled uses personal data to promote sales and its brand. If a user decides to close the account, the personal data is still used for marketing purposes only. Last month, the company received an email from John, a customer, claiming that his personal data was being used for purposes other than those specified by the company. According to the email, Soyled was using the data for direct marketing purposes. John requested details on how his personal data was collected, stored, and processed. Based on this scenario, answer the following Questio n:

Questio n:

When completing the sign-up form, the user gets a notification about the purpose for which Soyled collects their email address. Is Soyled required by the GDPR to do so?

  1. Yes, users must be informed of the purpose of collecting their personal data.
  2. No, Soyled should provide this information only when requested by users.
  3. No, Soyled only needs to inform users about how their data is collected, stored, or processed.
  4. Yes, but only if the email is used for communication purposes beyond account creation.

Answer(s): A

Explanation:

Under Article 13 of GDPR, controllers must inform data subjects at the time of data collection about the purpose of processing their personal data. This ensures transparency and accountability.

Soyled provides a pop-up message explaining why the email is collected, which aligns with GDPR's transparency principles. Option A is correct. Option B is incorrect because GDPR requires notification at collection, not upon request. Option C is incorrect as GDPR mandates disclosure of purpose, not just storage and processing methods. Option D is misleading because the purpose must be disclosed regardless of communication intent.


Reference:

GDPR Article 13(1)(c) (Obligation to inform data subjects about processing purposes)

Recital 60 (Transparency and accountability in data collection)



Scenario: 2

Soyled is a retail company that sells a wide range of electronic products from top European brands. It primarily sells its products in its online platforms (which include customer reviews and ratings),

despite using physical stores since 2015. Soyled's website and mobile app are used by millions of customers. Soyled has employed various solutions to create a customer-focused ecosystem and facilitate growth. Soyled uses customer relationship management (CRM) software to analyze user data and administer the interaction with customers. The software allows the company to store customer information, identify sales opportunities, and manage marketing campaigns. It automatically obtains information about each user's IP address and web browser cookies. Soyled also uses the software to collect behavioral data, such as users' repeated actions and mouse movement information. Customers must create an account to buy from Soyled's online platforms. To do so, they fill out a standard sign-up form of three mandatory boxes (name, surname, email address) and a non-mandatory one (phone number).
When the user clicks the email address box, a pop-up message appears as follows: "Soyled needs your email address to grant you access to your account and contact you about any changes related to your account and our website. For further information, please read our privacy policy.' When the user clicks the phone number box, the following message appears: "Soyled may use your phone number to provide text updates on the order status. The phone number may also be used by the shipping courier." Once the personal data is provided, customers create a username and password, which are used to access Soyled's website or app.
When customers want to make a purchase, they are also required to provide their bank account details.
When the user finally creates the account, the following message appears: "Soyled collects only the personal data it needs for the following purposes: processing orders, managing accounts, and personalizing customers' experience. The collected data is shared with our network and used for marketing purposes." Soyled uses personal data to promote sales and its brand. If a user decides to close the account, the personal data is still used for marketing purposes only. Last month, the company received an email from John, a customer, claiming that his personal data was being used for purposes other than those specified by the company. According to the email, Soyled was using the data for direct marketing purposes. John requested details on how his personal data was collected, stored, and processed. Based on this scenario, answer the following Questio n:

Questio n:

The GDPR indicates that the processing of personal data should be based on a legal contract with the data subject. Based on scenario 6, has Soyled fulfilled this requirement?

  1. Yes, data subjects are informed about the purpose of collecting the email address and phone number before the data is collected.
  2. Yes, once the account is created, Soyled informs its customers that their personal data will be shared with the network.
  3. No, data subjects are informed that the personal data will be shared with Soyled's network only after the personal data is collected.
  4. No, because Soyled did not obtain explicit consent for data processing.

Answer(s): C

Explanation:

Under Article 6(1) of GDPR, processing personal data must have a lawful basis, such as consent,

contract, legal obligation, or legitimate interest. Additionally, under Article 13, controllers must inform users before collecting their data.

Soyled failed to disclose that personal data would be shared with the network before collection, which violates GDPR transparency requirements. Option C is correct. Option A is incorrect because informing about email collection does not mean lawful processing. Option B is incorrect because the information was not disclosed at the right time. Option D is incorrect because explicit consent is not necessarily required if another lawful basis applies.


Reference:

GDPR Article 6(1) (Lawfulness of processing)

GDPR Article 13(1) (Transparency in data processing)



Scenario: 2

Soyled is a retail company that sells a wide range of electronic products from top European brands. It primarily sells its products in its online platforms (which include customer reviews and ratings), despite using physical stores since 2015. Soyled's website and mobile app are used by millions of customers. Soyled has employed various solutions to create a customer-focused ecosystem and facilitate growth. Soyled uses customer relationship management (CRM) software to analyze user data and administer the interaction with customers. The software allows the company to store customer information, identify sales opportunities, and manage marketing campaigns. It automatically obtains information about each user's IP address and web browser cookies. Soyled also uses the software to collect behavioral data, such as users' repeated actions and mouse movement information. Customers must create an account to buy from Soyled's online platforms. To do so, they fill out a standard sign-up form of three mandatory boxes (name, surname, email address) and a non-mandatory one (phone number).
When the user clicks the email address box, a pop-up message appears as follows: "Soyled needs your email address to grant you access to your account and contact you about any changes related to your account and our website. For further information, please read our privacy policy.' When the user clicks the phone number box, the following message appears: "Soyled may use your phone number to provide text updates on the order status. The phone number may also be used by the shipping courier." Once the personal data is provided, customers create a username and password, which are used to access Soyled's website or app.
When customers want to make a purchase, they are also required to provide their bank account details.
When the user finally creates the account, the following message appears: "Soyled collects only the personal data it needs for the following purposes: processing orders, managing accounts, and personalizing customers' experience. The collected data is shared with our network and used for marketing purposes." Soyled uses personal data to promote sales and its brand. If a user decides to close the account, the personal data is still used for marketing purposes only. Last month, the company received an email from John, a customer, claiming that his personal data was being used for purposes other than those specified by the company. According to the email, Soyled was using the data for direct marketing purposes. John requested details on how his personal data was collected, stored, and processed. Based on this scenario, answer the following Questio n:

Questio n:

Based on scenario 2, Soyled only has three mandatory fields in its sign-up form. On which GDPR principle is this decision based?

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization
  4. Storage limitation

Answer(s): C

Explanation:

Under Article 5(1)(c) of GDPR, the data minimization principle states that personal data must be adequate, relevant, and limited to what is necessary for processing. Soyled's decision to have only three mandatory fields (name, surname, and email) aligns with data minimization since it only collects the minimum data needed for account creation. Option C is correct. Option A is incorrect as transparency relates to informing users. Option B is incorrect because purpose limitation focuses on using data only for specific purposes. Option D is incorrect because storage limitation concerns data retention periods.


Reference:

GDPR Article 5(1)(c) (Data minimization principle)

Recital 39 (Limiting data collection to necessity)






Post your Comments and Discuss PECB GDPR exam with other Community members: