GDPR by admin | Jan 20, 2021

Welcome to the GDPR questionnaire.

Lawful processing

Before you use somebody's data, do you need to get their approval (consent)?
- Yes, always; without the agreement of the individual it is illegal to use their data
- No, only if you want to use financial data (e.g. credit card number)
- Depends on what you want to use the data for and what type of relation you have with the person whose data you want to use

When you are using your employees' social security number in an HR context, you are doing so based on which of the following legal grounds?
- Consent
- Legitimate interest
- Contract performance

Which of the two options below is correct? The statement "...by continuing to use this website you agree for us to use advertising cookies"...
- ...is OK, because you have informed the website visitors about the use of such cookies
- ...is not lawful

Which of the following is true?
A. Personal data retrieved from a public source can be used for direct marketing purposes, if that public source is social media.
B. Personal data made public by a person can without any condition be used for direct marketing purposes. Public information is for everyone to use.
- only A
- only B
- A and B
- none of these is true

Is direct marketing permitted under GDPR?
- Yes, without condition
- Yes, with condition
- No

Can I make it mandatory for someone to share their name and e-mail address with my organisation, as a condition to participate in a free competition that my organisation launches, so that I can send out direct marketing material later?
- Yes, if the individual is an adult
- Yes, if it is free to enter the competition
- No

Records of Processing Activities (RoPA)

What is a RoPA in GDPR?
- Register of Procurement Actions
- Register of Privacy Assessments
- Records of Processing Activities

The Records of Processing Activities is
- A legal requirement for controllers AND processors
- A legal requirement for controllers OR processors
- A legal requirement for controllers only

Where a Controller RoPA is required and, where possible, it must contain which of the following?
- Processor contact details
- Description of DPIAs
- Time limits for erasure

The Records of Processing Activities must be kept regarding
- Finance and HR processes
- Sales and Finance processes
- All processes that involve personal data

In what form must a RoPA be maintained?
- By using software
- Printed on paper
- In writing, including in electronic form

Data Subject Rights Request (DSRR)

Someone is asking if my organisation is processing data on him. Do I have to answer?
- Yes
- No

Which of the following is true? Controller A must facilitate personal data transfer directly to Controller B where ...
- ...technically possible
- ...a fee has been paid for this transfer
- ...a contract mandates the transfer

Should I inform the person that I am collecting personal data from them for direct marketing purposes?
- Yes
- No, it will be evident when they receive the brochure

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed. Which of the below is considered personal data?
A. Badge number
B. Credit score
C. Names of the parents, mother tongue
D. The history of clicks on your website, IP address
- A and B
- B and C
- A, B and C
- A, B, C and D

Who is a data subject?
- Only former, potential and current employees
- Only former, potential and current customers
- Any living person your organisation processes personal data about
- Whoever your organisation ever processed personal data about

Privacy notice

Is it true that only companies having a website are required under GDPR to publish information (also often referred to as a privacy notice) about their data processing?
- Yes
- No

Which of the following is true?
- A privacy policy is a clear communication given to the data subjects about the essence of the data processing.
- It is mandatory to have a privacy lawyer write the privacy notice for your organisation.
- As long as your organisation has used a free template available on the internet, it ensures that your privacy notice will be correct and complete.
- Content-wise, it is laid down in the GDPR what details must be given to the data subjects, when their personal data is obtained directly from them and in case you have obtained their data indirectly from another source.

Is it true that a privacy notice has to be as complex as possible, to make sure every detail is included?
- Yes
- No

Is it good practice to copy a privacy notice that another organisation has published on its website?
- Only if that other company has dealings in the same industry as your organisation.
- Only if that privacy notice has recently been updated.
- It would be a terrible idea

Is it true that your organisation's privacy notice must include the name and contact details of your Data Protection Officer?
- No, only the name
- No, only the contact details
- Yes

It's all about cookies

If your marketing people base their online marketing activities on website statistics, is it allowed to use these numbers via analytics cookies that are loaded by default when someone opens your website?
- Yes
- No

Using which of the following tracking technologies do you have to comply with ePrivacy / GDPR?
- Cookies and pixels
- Software development kits
- All of the above

Necessary cookies ...
- ... are used to track information necessary for business purposes (e.g. for marketing purposes)
- ... are OK to be loaded by default
- ... require the online visitors' consent before loading

Is it true that if your organisation places a Facebook "Like" button on its website, this Like button starts transferring personal data to Facebook's servers, regardless of whether the visitor actually clicked the Like button or not?
- What nonsense
- Yes, but only if the visitor is a member of Facebook
- Yes, the second the visitor loads the page where the Like button is placed

Using cookies and other, similar tracking technologies...
- ...happens behind the scenes, it is therefore not necessary to ask for consent
- ...is easy to discover for regulators only, they have specific tools for that purpose
- ...is easy to discover for everyone. There are free web scanner tools available

Breach

Imagine that your IT manager has access to personal data because they can retrieve it from your company's system. The manager downloads the names and email addresses to their personal USB and offers it to another company that wants to send brochures about e-learning webinars. Is it a data breach in your opinion?
- It is not a data breach, webinars are welcome to keep awareness in the company
- It is a data breach
- It is not a data breach, the IT manager is authorised to access such data

When must a data breach be reported to the supervisory authority?
- When the breach has impacted more than 1000 people
- Always
- When the breach is risking the individuals' rights and freedoms

Your Head of IT becomes aware on a Friday at 3 pm that the entire HR database had been hacked the previous night. He decides to tell the DPO about it first thing on Monday morning. When does the clock start ticking regarding the 72-hour reporting obligation?
- On Friday at 3 pm
- When the breach occurred, the night before it was discovered by the Head of IT
- On Monday morning

Which of the following is a personal data breach?
- A database of individuals was breached as the result of a cyber attack by a hacker who accessed and disclosed personal information.
- A customer calls your customer service informing you that no invoice has been received for the last 3 months.
- Business plan and budget figures have been stolen from a high-level employee's car.

Personal data breaches must ...
- ...always be reported to the supervisory authority
- ...always be communicated to the data subjects
- ...always be recorded in the breach logs of your organisation

DPbDD

What does Data protection (or privacy) by default mean?
- It means that once you make your product or service available to your audience, the strictest privacy settings should be set up by default, without any manual intervention from the end user.
- It means that personal data by default must be encrypted.
- It means that your organisation must ensure that strong security measures are in place to protect personal data, starting from the collection point until it is erased.

Is it true that the Data Protection Officer of your organisation is responsible for making the decisions as to what security measures must be in place to protect the personal data you process?
- Yes
- Only if there is a DPO appointed.
- No

What does DPIA stand for in GDPR?
- Data Processing Information Analysis
- Data Protection Impact Assessment
- Data Path Improvement Architecture

When is it mandatory to perform a DPIA?
- For processes that are likely to result in a high risk to individuals
- When the number of data subjects impacted by the process is more than 1000
- When a data subject makes a complaint

What do you have to do when the results of a DPIA show that there are residual high risks that you cannot mitigate with any measures?
- Have your DPO sign off on these risks and proceed
- Inform the data subjects
- Consult the supervisory authority

Biometrics

What is NOT biometric data under GDPR?
- Fingerprints
- Criminal offences
- Typing patterns (e.g. the speed of typing, the length of time it takes to go from one letter to another)

Is it true that biometric data provides 100% accuracy to identify someone?
- Of course
- Of course not

Is it permitted under GDPR to process biometric data?
- No
- Yes, with conditions
- Yes, but only for scientific research and access control purposes

If your organisation installed its biometric access control system before GDPR was introduced...
- ...it is permitted to use it without further considerations.
- ...it is only permitted to use it if it complies with the regulation.

Storing biometric data in the cloud hosted by a supplier ...
- ...is the most secure way.
- ...means that your organisation has outsourced all responsibility for securing the data.
- ...is possibly the most exposed to cyber threats.

Data on the move

Which of the following is true?
- Processors AND Controllers can freely decide if they want to disclose personal data to another organisation.
- Processors can freely decide if they want to disclose personal data to another organisation.
- Controllers can freely decide if they want to disclose personal data to another organisation.

Which of the following is true?
- The aim of GDPR is to ensure the movement of personal data within the European Union.
- The aim of GDPR is to ensure the movement of personal data between the European Union and the USA.
- The aim of GDPR is to ensure the movement of personal data in the world.

Who from the following may be a third party under GDPR?
- The data subject
- The processor
- The police

If your organisation engages a processor, the data processing agreement must contain which of the following?
- The purpose of the processing
- The rights of the data subjects
- The procedure for reporting a breach that occurred on the processor's side to the controller

Which of the following is NOT true?
- Standard Contractual Clauses are approved by the European Commission and they must be included in a contract, in their entirety and without amendment
- The effect of an adequacy decision is that personal data can be disclosed from the EEA to a third country with an adequacy decision without any further safeguard being necessary
- It is not permitted under GDPR to disclose personal data to outside the EEA