Exin PDPF - Privacy and Data Protection Foundation

The Article 20 of GDPR establishes the Right to data portability.

The second paragraph mentions:

In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

However, it is worth noting that the paragraph 1 of this article mentions:

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format…

The utterance explains that she requested that the data was transferred, that is why the correct answer is “The current gym should send all her data directly to the new gym.” (B)

Yet she has the right to request her own data, so if the utterance was referenced in that way, the correct answer would be: “The current gym should provide the data to her.” (D)

Privacy is a right that must be protected, and Data Protection are the measures that will be used to achieve this protection.

Data protection and privacy complement each other, but they are not the same.

A well-known phrase is: “You can have security without privacy, but you cannot have privacy without security”.

Recital 4 of the GDPR says:

The processing of personal data should be designed to serve individuals. The right to protection of personal data is not absolute; it must be considered in relation to its role in society and balanced with other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedom and principles recognized in the Charter, enshrined in the Treaties, namely respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom of business, the right to action and an impartial tribunal, and cultural, religious and linguistic diversity.

The correct option is exclusively for the Controller, the others are for the Processor in accordance with Articles 25 and 28 of the GDPR.

Yes, because the personal data on the disk were unlawfully processed. Correct. Personal data irretrievably lost is regarded as ‘a breach of security leading to unlawful destruction of personal data, which also makes it a personal data breach. (Literature: A, Chapter 5; GDPR Article 4(12))

Yes, because there were no special category personal data stored on the disk. Incorrect. Accidental loss of data is a security incident (data is no longer available). According to the GDPR it is also unlawful processing of personal data, hence a personal data breach. Data do not have to belong to the category of special

personal data to fall under the category personal data breach.

No, because no personal data on the disk were processed, only destroyed. Incorrect. A technical malfunction causing data to be no longer available is a security incident. The GDPR sees accidental loss of personal data as unlawful processing (not on instruction of the controller or processor) hence as a personal data breach.

No, because this is only a security incident and not a data breach. Incorrect. Personal data that are irretrievably lost, is regarded as unauthorized processing by the GDPR, hence a personal data breach. The fact that data was accidentally destroyed also makes the event a security incident.

Article 83 of GDPR

5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher...

Article 51 of GDPR

2. Each supervisory authority shall contribute to the consistent application of this Regulation throughout the

Union.

With the death of the data subject, the controller can process the data in any way he wishes, since personal data of deceased persons is not within the scope of the GDPR.

Recital 27 says: This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.

The controller must ask the supervisory authority for permission to outsource the processing of the data. Incorrect. The controller does not have to ask the supervisory authority for permission for each instance of outsourcing.

The controller must ask the supervisory authority if the agreed written contract is compliant with the regulations. Incorrect. The supervisory authority is not a legal counsel and will not check contracts for compliance.

The controller and processor must draft and sign a written contract guaranteeing the confidentiality of the data. Correct. There must be a written contract guaranteeing the confidentiality of the data, listing the purposes and means of processing as defined by the controller and specifying that processor will only process on instruction of the controller. Both parties must sign this contract. (Literature: A, Chapter 8; GDPR Article 28 (3))

The processor must show the controller that all demands agreed in the service level agreement (SLA) are met. Incorrect. An SLA is not enough as it will focus on operations, not necessarily on purposes.

€ 10.000.000 or 2% of the annual global turnover, whichever is higher. Correct. This is the maximum according to the GDPR for infringement of the personal data breach notification obligation. (Literature: A, Chapter 7; GDPR Article 33)

€ 20.000.000 or 4% of the annual global turnover, whichever is higher. Incorrect. This fine is given for non- compliance or non-conformity to the basic principles for processing, including conditions for consent.

Up to € 500.000 with a minimum of € 120.000. Incorrect. This is an outdated number based on the Dutch Penal code. GDPR rules specify higher fines.

Up to € 820.000 with a minimum of € 350.000. Incorrect. This is an outdated number based on the Dutch Penal code. GDPR rules specify higher fines.