Name: PECB Certified Data Protection Officer
Brand: ValidExamDumps
SKU: GDPR
Price: 20 USD
Availability: InStock
Rating: 5.0 (148 reviews)

Question No. 1

Scenario:

BookSt is an online bookshop that collects personal data before selling its products. Sarah signed up for an account, providing her name, email, and password. To purchase a book, Sarah was required to provide her shipping address and payment information, which is needed to calculate shipping costs and complete the transaction.

Questio n:

Does the company have a legal basis for processing Sarah's data?

ANo, the processing is not legally justified if it is only for sales purposes.

BYes, the processing is necessary for the performance of a contract to which the data subject is a party.

CNo, the processing is legally justified only if it is necessary to protect the vital interests of the data subject.

DYes, but only if Sarah provides explicit consent for her data to be processed.

Show Answer

Correct Answer: B

GDPR Article 6(1)(b) (Processing necessary for contract performance)

Recital 44 (Contractual necessity as a legal basis)

Question No. 2

Bus Spot is one of the largest bus operators in Spain. The company operates in local transport and bus rental since 2009. The success of Bus Spot can be attributed to the digitization of the bus ticketing system, through which clients can easily book tickets and stay up to date on any changes to their arrival or departure time. In recent years, due to the large number of passengers transported daily. Bus Spot has dealt with different incidents including vandalism, assaults on staff, and fraudulent injury claims. Considering the severity of these incidents, the need for having strong security measures had become crucial. Last month, the company decided to install a CCTV system across its network of buses. This security measure was taken to monitor the behavior of the company's employees and passengers, enabling crime prevention and ensuring safety and security. Following this decision, Bus Spot initiated a data protection impact assessment (DPIA). The outcome of each step of the DPIA was documented as follows: Step 1: In all 150 buses, two CCTV cameras will be installed. Only individuals authorized by Bus Spot will have access to the information generated by the CCTV system. CCTV cameras capture images only when the Bus Spot's buses are being used. The CCTV cameras will record images and sound. The information is transmitted to a video recorder and stored for 20 days. In case of incidents, CCTV recordings may be stored for more than 40 days and disclosed to a law enforcement body. Data collected through the CCTV system will be processed bv another organization. The purpose of processing this tvoe of information is to increase the security and safety of individuals and prevent criminal activity. Step 2: All employees of Bus Spot were informed for the installation of a CCTV system. As the data controller, Bus Spot will have the ultimate responsibility to conduct the DPI

AAppointing a DPO at that point was deemed unnecessary. However, the data processor's suggestions regarding the CCTV installation were taken into account. Step 3: Risk Likelihood (Unlikely, Possible, Likely) Severity (Moderate, Severe, Critical) Overall risk (Low, Medium, High) There is a risk that the principle of lawfulness, fairness, and transparency will be compromised since individuals might not be aware of the CCTV location and its field of view. Likely Moderate Low There is a risk that the principle of integrity and confidentiality may be compromised in case the CCTV system is not monitored and controlled with adequate security measures. Possible Severe Medium There is a risk related to the right of individuals to be informed regarding the installation of CCTV cameras. Possible Moderate Low Step 4: Bus Spot will provide appropriate training to individuals that have access to the information generated by the CCTV system. In addition, it will ensure that the employees of the data processor are trained as well. In each entrance of the bus, a sign for the use of CCTV will be displayed. The sign will be visible and readable by all passengers. It will show other details such as the purpose of its use, the identity of Bus Spot, and its contact number in case there are any queries. Only two employees of Bus Spot will be authorized to access the CCTV system. They will continuously monitor it and report any unusual behavior of bus drivers or passengers to Bus Spot. The requests of individuals that are subject to a criminal activity for accessing the CCTV images will be evaluated only for a limited period of time. If the access is allowed, the CCTV images will be exported by the CCTV system to an appropriate file format. Bus Spot will use a file encryption software to encrypt data before transferring onto another file format. Step 5: Bus Spot's top management has evaluated the DPIA results for the processing of data through CCTV system. The actions suggested to address the identified risks have been approved and will be implemented based on best practices. This DPIA involves the analysis of the risks and impacts in only a group of buses located in the capital of Spain. Therefore, the DPIA will be reconducted for each of Bus Spot's buses in Spain before installing the CCTV system. Based on this scenario, answer the following Questio n:
Questio n:
You are appointed as the DPO of Bus Spot.
What action would you suggest when reviewing the results of the DPIA presented in scenario 6?

AReconducting a DPIA for each bus of Bus Spot is not necessary, since the nature, scope, context, and purpose of data processing are similar in all buses.

BDisplaying the identity of Bus Spot, its contact number, and the purpose of data processing in each bus is not necessary; furthermore, it breaches the data protection principles defined by GDPR.

CUsing a data processor for CCTV images is not in compliance with GDPR, since the data generated from the CCTV system should be controlled and processed by Bus Spot.

DThe DPIA should be reviewed annually, as CCTV surveillance presents ongoing risks to data subjects' privacy.

Show Answer

Correct Answer: D

Under Article 35(11) of GDPR, controllers must reassess DPIAs regularly to account for changing risks in processing activities like CCTV surveillance.

Option D is correct because CCTV monitoring poses an ongoing risk, requiring periodic DPIA reviews.

Option A is incorrect because regular DPIA reviews are required, even if the data processing remains the same.

Option B is incorrect because transparency is a key principle of GDPR, and displaying information does not breach GDPR.

Option C is incorrect because data processors can process CCTV data as long as there is a processing agreement (Article 28).

GDPR Article 35(11) (Periodic DPIA review)

Recital 90 (Regular assessment of risks)

Question No. 3

Scenario:

Pinky, a retail company, received a request from a data subject to identify which purchases they had made at different physical store locations. However, Pinky does not link purchase records to customer identities, since purchases do not require account creation.

Questio n:

Should Pinky process additional information from customers in order to identify the data subject as requested?

AYes, Pinky is required to maintain, acquire, or process additional information in order to identify the data subject.

BYes, Pinky is required to process additional information for the purpose of exercising the data subject's rights covered in Articles 15-21 of GDPR.

CNo, Pinky is not required to process additional information, since the processing of personal data in this case does not require Pinky to identify the data subject.

DNo, but Pinky must ask the data subject to provide further evidence proving their identity.

Show Answer

Correct Answer: C

Under Article 11(1) of GDPR, controllers are not required to process additional data for the sole purpose of identifying data subjects if such identification is not needed for processing.

Option C is correct because Pinky does not store identifiable purchase data, so it is not required to create additional records.

Option A and B are incorrect because GDPR does not obligate controllers to process additional data if identification is unnecessary.

Option D is incorrect because Pinky cannot require additional information when it does not have a basis to process identity-linked data.

GDPR Article 11(1) (Controllers are not required to process extra data for identification)

Recital 57 (Data controllers should avoid collecting unnecessary identity data)

Question No. 4

Scenario 8: MA store is an online clothing retailer founded in 2010. They provide quality products at a reasonable cost. One thing that differentiates MA store from other online shopping sites is their excellent customer service.

MA store follows a customer-centered business approach. They have created a user-friendly website with well-organized content that is accessible to everyone. Through innovative ideas and services, MA store offers a seamless user experience for visitors while also attracting new customers. When visiting the website, customers can filter their search results by price, size, customer reviews, and other features. One of MA store's strategies for providing, personalizing, and improving its products is data analytics. MA store tracks and analyzes the user actions on its website so it can create customized experience for visitors.

In order to understand their target audience, MA store analyzes shopping preferences of its customers based on their purchase history. The purchase history includes the product that was bought, shipping updates, and payment details. Clients' personal data and other information related to MA store products included in the purchase history are stored in separate databases. Personal information, such as clients' address or payment details, are encrypted using a public key. When analyzing the shopping preferences of customers, employees access only the information about the product while the identity of customers is removed from the data set and replaced with a common value, ensuring that customer identities are protected and cannot be retrieved.

Last year, MA store announced that they suffered a personal data breach where personal data of clients were leaked. The personal data breach was caused by an SQL injection attack which targeted MA store's web application. The SQL injection was successful since no parameterized queries were used.

Based on this scenario, answer the following Questio n:

According to scenario 8, MA store analyzed shopping preferences of its customers by analyzing the product they have bought in the customer's purchase history. Which option is correct in this case?

AMA store can use this type of information for an indefinite period of time since it is anonymized

BMA store can use this type of information for a limited period of time since it is pseudonymized

CMA store can use this type of information only during the period for which data subjects have given consent

Show Answer

Correct Answer: B

Since the data is pseudonymized (not fully anonymized), it remains personal data under GDPR and cannot be retained indefinitely. Article 5(1)(e) of GDPR states that personal data must be kept only for as long as necessary for the intended processing purpose. Additionally, Recital 26 of GDPR clarifies that pseudonymized data is still considered personal data if re-identification is possible. Therefore, MA Store must implement a retention policy that ensures the data is deleted or further anonymized once it is no longer needed for analysis.

Question No. 5

Bus Spot is one of the largest bus operators in Spain. The company operates in local transport and bus rental since 2009. The success of Bus Spot can be attributed to the digitization of the bus ticketing system, through which clients can easily book tickets and stay up to date on any changes to their arrival or departure time. In recent years, due to the large number of passengers transported daily. Bus Spot has dealt with different incidents including vandalism, assaults on staff, and fraudulent injury claims. Considering the severity of these incidents, the need for having strong security measures had become crucial. Last month, the company decided to install a CCTV system across its network of buses. This security measure was taken to monitor the behavior of the company's employees and passengers, enabling crime prevention and ensuring safety and security. Following this decision, Bus Spot initiated a data protection impact assessment (DPIA). The outcome of each step of the DPIA was documented as follows: Step 1: In all 150 buses, two CCTV cameras will be installed. Only individuals authorized by Bus Spot will have access to the information generated by the CCTV system. CCTV cameras capture images only when the Bus Spot's buses are being used. The CCTV cameras will record images and sound. The information is transmitted to a video recorder and stored for 20 days. In case of incidents, CCTV recordings may be stored for more than 40 days and disclosed to a law enforcement body. Data collected through the CCTV system will be processed bv another organization. The purpose of processing this tvoe of information is to increase the security and safety of individuals and prevent criminal activity. Step 2: All employees of Bus Spot were informed for the installation of a CCTV system. As the data controller, Bus Spot will have the ultimate responsibility to conduct the DPI

AAppointing a DPO at that point was deemed unnecessary. However, the data processor's suggestions regarding the CCTV installation were taken into account. Step 3: Risk Likelihood (Unlikely, Possible, Likely) Severity (Moderate, Severe, Critical) Overall risk (Low, Medium, High) There is a risk that the principle of lawfulness, fairness, and transparency will be compromised since individuals might not be aware of the CCTV location and its field of view. Likely Moderate Low There is a risk that the principle of integrity and confidentiality may be compromised in case the CCTV system is not monitored and controlled with adequate security measures. Possible Severe Medium There is a risk related to the right of individuals to be informed regarding the installation of CCTV cameras. Possible Moderate Low Step 4: Bus Spot will provide appropriate training to individuals that have access to the information generated by the CCTV system. In addition, it will ensure that the employees of the data processor are trained as well. In each entrance of the bus, a sign for the use of CCTV will be displayed. The sign will be visible and readable by all passengers. It will show other details such as the purpose of its use, the identity of Bus Spot, and its contact number in case there are any queries. Only two employees of Bus Spot will be authorized to access the CCTV system. They will continuously monitor it and report any unusual behavior of bus drivers or passengers to Bus Spot. The requests of individuals that are subject to a criminal activity for accessing the CCTV images will be evaluated only for a limited period of time. If the access is allowed, the CCTV images will be exported by the CCTV system to an appropriate file format. Bus Spot will use a file encryption software to encrypt data before transferring onto another file format. Step 5: Bus Spot's top management has evaluated the DPIA results for the processing of data through CCTV system. The actions suggested to address the identified risks have been approved and will be implemented based on best practices. This DPIA involves the analysis of the risks and impacts in only a group of buses located in the capital of Spain. Therefore, the DPIA will be reconducted for each of Bus Spot's buses in Spain before installing the CCTV system. Based on this scenario, answer the following Questio n:
Questio n:
According to scenario 6, which data protection solution has Bus Spot used to reduce the risk related to the principle of lawfulness, fairness, and transparency?

ARisk reduction

BRisk retention

CRisk transfer

DRisk avoidance

Show Answer

Correct Answer: A, A

Under Article 5(1)(a) of GDPR, personal data must be processed lawfully, fairly, and transparently. Bus Spot implemented measures such as employee training and signage in buses, which reduced risks associated with transparency.

Option A is correct because Bus Spot took steps to reduce risk, such as clear notification signs and restricted CCTV access.

Option B is incorrect because risk retention means accepting the risk without mitigation, which Bus Spot did not do.

Option C is incorrect because risk transfer applies to outsourcing responsibilities (e.g., insurance), which is not the case here.

Option D is incorrect because Bus Spot did not avoid risk entirely; they implemented controls to mitigate it.

GDPR Article 5(1)(a) (Principle of lawfulness, fairness, and transparency)

Recital 39 (Transparency in data processing)

Free PECB GDPR Exam Actual Questions

The questions for GDPR were last updated On Mar 22, 2025