Free GDPR Mock Exam – Practice Online Confidently

Scenario 7: EduCCS is an online education platform based in Netherlands. EduCCS helpsorganizations find, manage, and deliver their corporate training. Most of EduCCS's clients are EUresidents. EduCCS is one of the few education organizations that have achieved GDPR compliancesince 2019. Their DPO is a full-time employee who has been engaged in most data protectionprocesses within the organization. In addition to facilitating GDPR compliance, the DPO acts as anintermediary point between EduCCS and other relevant interested parties. EduCCS's users canbenefit from the variety of up-to-date training library and the possibility of accessing it through theirphones, tablets, or computers. EduCCS's services are offered through two main platforms: onlinelearning and digital training. To use one of these platforms, users should sign on EduCCS's website byproviding their personal information. Online learning is a platform in which employees of otherorganizations can search for and request the training they need. Through its digital training platform,on the other hand, EduCCS manages the entire training and education program for otherorganizations. Organizations that need this type of service need to provide information about theircore activities and areas where training sessions are needed. This information is then analyzed byEduCCS and a customized training program is provided. In the beginning, all IT-related services weremanaged by two employees of EduCCS. However, after acquiring a large number of clients,managing these services became challenging That is why EduCCS decided to outsource the IT servicefunction to X-Tech. X-Tech provides IT support and is responsible for ensuring the security ofEduCCS's network and systems. In addition, X-Tech stores and archives EduCCS's informationincluding their training programs and clients' and employees' data. Recently, X-Tech made headlines in the technology press for being a victim of a phishing attack. Agroup of three attackers hacked X-Techs systems via a phishing campaign which targeted theemployees of the Marketing Department. By compromising X-Tech's mail server, hackers were ableto gain access to more than 200 computer systems. Consequently, access to the networks ofEduCCSs clients was also allowed. Using EduCCS's employee accounts, attackers installed a remoteaccess tool on EduCCS's compromised systems. By doing so, they gained access to personalinformation of EduCCS's clients, training programs, and other information stored in its onlinepayment system. The attack was detected by X-Techs system administrator. After detecting unusual activity in X-Techs network, they immediately reported it to the incident management team of thecompany. One week after being notified about the personal data breach, EduCCS communicated theincident to the supervisory authority with a document that outlined the reasons for the delayrevealing that due to the lack of regular testing or modification, their incident response plan was notadequately prepared to handle such an attack. Based on this scenario, answer the following Question:What is the role of EduCCS' DPO in the situation described in scenario 7? 

Scenario: ChatBubble is a software company that stores personal data, including usernames, emails, and passwords. Last month, an attacker gained access to ChatBubbles system, but the personal data was encrypted, preventing unauthorized access. Should the data subjects be notified in this case?

Based on Article 58 of GDPR, what powers must the supervisory authority have?

According to the principle of data minimization, data must be: 

Scenario 8: MA store is an online clothing retailer founded in 2010. They provide quality products at a

reasonable cost. One thing that differentiates MA store from other online shopping sites is their

excellent customer service.

MA store follows a customer-centered business approach. They have created a user-friendly website

with well-organized content that is accessible to everyone. Through innovative ideas and services,

MA store offers a seamless user experience for visitors while also attracting new customers. When

visiting the website, customers can filter their search results by price, size, customer reviews, and

other features. One of MA store's strategies for providing, personalizing, and improving its products

is data analytics. MA store tracks and analyzes the user actions on its website so it can create

customized experience for visitors.

In order to understand their target audience, MA store analyzes shopping preferences of its

customers based on their purchase history. The purchase history includes the product that was

bought, shipping updates, and payment details. Clients' personal data and other information related

to MA store products included in the purchase history are stored in separate databases. Personal

information, such as clients' address or payment details, are encrypted using a public key. When

analyzing the shopping preferences of customers, employees access only the information about the

product while the identity of customers is removed from the data set and replaced with a common

value, ensuring that customer identities are protected and cannot be retrieved.

Last year, MA store announced that they suffered a personal data breach where personal data of

clients were leaked. The personal data breach was caused by an SQL injection attack which targeted

MA stores web application. The SQL injection was successful since no parameterized queries were

used.

Based on this scenario, answer the following

How could MA store prevent the SQL attack described in scenario 8?