Free GDPR Exam Braindumps (page: 4)

Page 3 of 21

Scenario 2:

Soyled is a retail company that sells a wide range of electronic products from top European brands. It primarily sells its products in its online platforms (which include customer reviews and ratings), despite using physical stores since 2015. Soyled's website and mobile app are used by millions of customers. Soyled has employed various solutions to create a customer-focused ecosystem and facilitate growth. Soyled uses customer relationship management (CRM) software to analyze user data and administer the interaction with customers. The software allows the company to store customer information, identify sales opportunities, and manage marketing campaigns. It automatically obtains information about each user's IP address and web browser cookies. Soyled also uses the software to collect behavioral data, such as users' repeated actions and mouse movement information. Customers must create an account to buy from Soyled's online platforms. To do so, they fill out a standard sign-up form of three mandatory boxes (name, surname, email address) and a non-mandatory one (phone number).
When the user clicks the email address box, a pop-up message appears as follows: "Soyled needs your email address to grant you access to your account and contact you about any changes related to your account and our website. For further information, please read our privacy policy." When the user clicks the phone number box, the following message appears: "Soyled may use your phone number to provide text updates on the order status. The phone number may also be used by the shipping courier." Once the personal data is provided, customers create a username and password, which are used to access Soyled's website or app.
When customers want to make a purchase, they are also required to provide their bank account details.
When the user finally creates the account, the following message appears: "Soyled collects only the personal data it needs for the following purposes: processing orders, managing accounts, and personalizing customers' experience. The collected data is shared with our network and used for marketing purposes." Soyled uses personal data to promote sales and its brand. If a user decides to close the account, the personal data is still used for marketing purposes only. Last month, the company received an email from John, a customer, claiming that his personal data was being used for purposes other than those specified by the company. According to the email, Soyled was using the data for direct marketing purposes. John requested details on how his personal data was collected, stored, and processed. Based on this scenario, answer the following question:

Question:

Based on scenario 2, is John's request eligible under GDPR?

  A. No, data subjects can request access to how their data is being collected but not details about its processing or storage.
  B. No, data subjects are not eligible to request details on the collection, storage, or processing of their personal data.
  C. Yes, data subjects have the right to request details on how their personal data is collected, stored, and processed.
  D. No, because John's data was collected based on legitimate interest.

Answer(s): C

Explanation:

Under Article 15 of GDPR, the Right of Access allows data subjects to request detailed information about:

The purpose of data processing

Categories of personal data collected

Data recipients

Storage duration

Rights to rectification and erasure

John's request is valid under GDPR, making Option C correct. Option A is incorrect because GDPR grants full transparency. Option B is incorrect because data subjects must be informed upon request. Option D is incorrect because lawful basis does not override access rights.


Reference:

GDPR Article 15 (Right of Access)

Recital 63 (Transparency in personal data processing)



Scenario 2 (text as above):

Question:

Soyled's customers are required to provide their bank account details to buy a product. According to the GDPR, is this data processing lawful?

  A. Yes, because the processing is necessary for the fulfillment of the purchase agreement.
  B. Yes, because Soyled has a privacy policy in place that ensures the protection of personal data.
  C. No, sensitive data, such as bank account details, should only be processed by official authorities.
  D. No, because financial information cannot be collected without explicit consent.

Answer(s): A

Explanation:

Under Article 6(1)(b) of GDPR, processing is lawful if it is necessary for the performance of a contract with the data subject. Since the customers must provide bank details to complete their purchases, this processing is necessary for fulfilling the agreement.

Option A is correct because payment data is essential for transaction processing, which aligns with GDPR's contract basis.

Option B is incorrect because having a privacy policy does not automatically justify data processing.

Option C is incorrect because financial data can be processed by authorized commercial entities under GDPR.

Option D is incorrect because explicit consent is not required when processing is contractually necessary.


Reference:

GDPR Article 6(1)(b) (Processing necessary for contract performance)

Recital 44 (Necessity of processing for contract fulfillment)



Scenario 3:

COR Bank is an international banking group that operates in 31 countries. It was formed as the merger of two well-known investment banks in Germany. Their two main fields of business are retail and investment banking. COR Bank provides innovative solutions for services such as payments, cash management, savings, protection insurance, and real-estate services. COR Bank has a large number of clients and transactions. Therefore, they process large amounts of information, including clients' personal data. Some of the data from the application processes of COR Bank, including archived data, is operated by Tibko, an IT services company located in Canada. To ensure compliance with the GDPR, COR Bank and Tibko have reached a data processing agreement. Based on the agreement, the purpose and conditions of data processing are determined by COR Bank. However, Tibko is allowed to make technical decisions for storing the data based on its own expertise. COR Bank aims to remain a trustworthy bank and a long-term partner for its clients. Therefore, they devote special attention to legal compliance. They started the implementation process of a GDPR compliance program in 2018.

The first step was to analyze the existing resources and procedures. Lisa was appointed as the data protection officer (DPO). Being the information security manager of COR Bank for many years, Lisa had knowledge of the organization's core activities. She was previously involved in most of the processes related to information systems management and data protection. Lisa played a key role in achieving compliance with the GDPR by advising the company regarding data protection obligations and creating a data protection strategy. After obtaining evidence of the existing data protection policy, Lisa proposed to adapt the policy to the specific requirements of the GDPR. Then, Lisa implemented the updates of the policy within COR Bank. To ensure consistency between processes of different departments within the organization, Lisa has constantly communicated with all heads of departments. As the DPO, she had access to several departments, including the HR and Accounting Departments. This assured the organization that there was continuous cooperation between them. The activities of some departments within COR Bank are closely related to data protection. Therefore, considering their expertise, Lisa was advised by top management to take orders from the heads of those departments when making decisions related to their field. Based on this scenario, answer the following question:

Question:

Considering the GDPR's territorial scope and the data processing agreement between COR Bank and Tibko, which of the following best describes Tibko's obligations under the GDPR?

  A. Tibko's compliance with GDPR is limited to implementing technical safeguards for data storage, as stipulated by the data processing agreement with COR Bank.
  B. Tibko must adhere to all GDPR provisions independently, including determining the purpose of processing personal data, as a processor acting under COR Bank's authority.
  C. Tibko is required to comply with the GDPR because it processes personal data on behalf of COR Bank, and COR Bank determines the purpose of processing under their agreement.
  D. Tibko is not subject to GDPR since it is located outside the EU and only provides IT services.

Answer(s): C

Explanation:

Under Article 3(2) of the GDPR, the Regulation applies extraterritorially when an entity outside the EU processes the personal data of EU residents on behalf of a controller that is subject to the GDPR. Tibko processes COR Bank's client data, which makes it subject to the GDPR as a processor under Article 28.

Option C is correct because Tibko must comply with GDPR since it processes EU data on behalf of COR Bank.

Option A is incorrect because processors must comply with broader GDPR obligations, not just technical safeguards.

Option B is incorrect because processors do not determine the purpose of processing; that is the controller's responsibility.

Option D is incorrect because location outside the EU does not exempt processors from GDPR obligations.


Reference:

GDPR Article 3(2) (Territorial Scope)

GDPR Article 28(1) (Processor obligations)

Recital 81 (Processor responsibilities)



Scenario 3 (text as above):

Question:

According to scenario 3, Lisa was appointed as the Data Protection Officer (DPO) of COR Bank. Is this action in compliance with GDPR?

  A. Yes, the DPO may be a staff member of the controller or processor or fulfill the tasks based on a service contract.
  B. Yes, the DPO must be a staff member of the controller or processor in all cases when processing includes special categories of data.
  C. No, an external DPO must be contracted when personal data is collected or processed by an organization that is not established in the European Union.
  D. No, Lisa cannot be appointed as a DPO because she was already an information security officer.

Answer(s): A

Explanation:

Under Article 37(6) of GDPR, the DPO can be an employee of the company or an external contractor. Lisa's appointment complies with GDPR because she is a staff member with data protection expertise.

Option A is correct because GDPR allows organizations to appoint an internal or external DPO.

Option B is incorrect because a DPO does not have to be an internal staff member even for special categories of data.

Option C is incorrect because a company can appoint an internal DPO even if it operates internationally.

Option D is incorrect because having another role does not disqualify someone from being a DPO, as long as there is no conflict of interest.


Reference:

GDPR Article 37(6) (DPO may be an employee or external contractor)

Recital 97 (DPO qualifications and independence)

Post your Comments and Discuss PECB GDPR exam with other Community members: