Free GDPR Mock Exam – Practice Online Confidently

Scenario: Bankbio is a financial institution that handles personal data of its customers. Its data processing activities involve processing that is necessary for the legitimate interests pursued by the institution. In such cases, Bankbio processes personal data without obtaining consent from data subjects. Is the data processing lawful under GDPR?  

Scenario 8: MA store is an online clothing retailer founded in 2010. They provide quality products at areasonable cost. One thing that differentiates MA store from other online shopping sites is theirexcellent customer service.MA store follows a customer-centered business approach. They have created a user-friendly websitewith well-organized content that is accessible to everyone. Through innovative ideas and services,MA store offers a seamless user experience for visitors while also attracting new customers. Whenvisiting the website, customers can filter their search results by price, size, customer reviews, andother features. One of MA store's strategies for providing, personalizing, and improving its productsis data analytics. MA store tracks and analyzes the user actions on its website so it can createcustomized experience for visitors.In order to understand their target audience, MA store analyzes shopping preferences of itscustomers based on their purchase history. The purchase history includes the product that wasbought, shipping updates, and payment details. Clients' personal data and other information relatedto MA store products included in the purchase history are stored in separate databases. Personalinformation, such as clients' address or payment details, are encrypted using a public key. Whenanalyzing the shopping preferences of customers, employees access only the information about theproduct while the identity of customers is removed from the data set and replaced with a commonvalue, ensuring that customer identities are protected and cannot be retrieved.Last year, MA store announced that they suffered a personal data breach where personal data ofclients were leaked. The personal data breach was caused by an SQL injection attack which targetedMA stores web application. The SQL injection was successful since no parameterized queries wereused.Based on this scenario, answer the followingHow could MA store prevent the SQL attack described in scenario 8? 

Scenario: Bankbio is a financial institution that handles personal data of its customers. Its data processing activities involve processing that is necessary for the legitimate interests pursued by the institution. In such cases, Bankbio processes personal data without obtaining consent from data subjects. Is the data processing lawful under GDPR?  

Scenario 8: MA store is an online clothing retailer founded in 2010. They provide quality products at a

reasonable cost. One thing that differentiates MA store from other online shopping sites is their

excellent customer service.

MA store follows a customer-centered business approach. They have created a user-friendly website

with well-organized content that is accessible to everyone. Through innovative ideas and services,

MA store offers a seamless user experience for visitors while also attracting new customers. When

visiting the website, customers can filter their search results by price, size, customer reviews, and

other features. One of MA store's strategies for providing, personalizing, and improving its products

is data analytics. MA store tracks and analyzes the user actions on its website so it can create

customized experience for visitors.

In order to understand their target audience, MA store analyzes shopping preferences of its

customers based on their purchase history. The purchase history includes the product that was

bought, shipping updates, and payment details. Clients' personal data and other information related

to MA store products included in the purchase history are stored in separate databases. Personal

information, such as clients' address or payment details, are encrypted using a public key. When

analyzing the shopping preferences of customers, employees access only the information about the

product while the identity of customers is removed from the data set and replaced with a common

value, ensuring that customer identities are protected and cannot be retrieved.

Last year, MA store announced that they suffered a personal data breach where personal data of

clients were leaked. The personal data breach was caused by an SQL injection attack which targeted

MA stores web application. The SQL injection was successful since no parameterized queries were

used.

Based on this scenario, answer the following

How could MA store prevent the SQL attack described in scenario 8? 

Scenario 7: EduCCS is an online education platform based in Netherlands. EduCCS helps

organizations find, manage, and deliver their corporate training. Most of EduCCS's clients are EU

residents. EduCCS is one of the few education organizations that have achieved GDPR compliance

since 2019. Their DPO is a full-time employee who has been engaged in most data protection

processes within the organization. In addition to facilitating GDPR compliance, the DPO acts as an

intermediary point between EduCCS and other relevant interested parties. EduCCS's users can

benefit from the variety of up-to-date training library and the possibility of accessing it through their

phones, tablets, or computers. EduCCS's services are offered through two main platforms: online

learning and digital training. To use one of these platforms, users should sign on EduCCS's website by

providing their personal information. Online learning is a platform in which employees of other

organizations can search for and request the training they need. Through its digital training platform,

on the other hand, EduCCS manages the entire training and education program for other

organizations. Organizations that need this type of service need to provide information about their

core activities and areas where training sessions are needed. This information is then analyzed by

EduCCS and a customized training program is provided. In the beginning, all IT-related services were

managed by two employees of EduCCS. However, after acquiring a large number of clients,

managing these services became challenging That is why EduCCS decided to outsource the IT service

function to X-Tech. X-Tech provides IT support and is responsible for ensuring the security of

EduCCS's network and systems. In addition, X-Tech stores and archives EduCCS's information

including their training programs and clients' and employees' dat

a. Recently, X-Tech made headlines in the technology press for being a victim of a phishing attack. A

group of three attackers hacked X-Techs systems via a phishing campaign which targeted the

employees of the Marketing Department. By compromising X-Tech's mail server, hackers were able

to gain access to more than 200 computer systems. Consequently, access to the networks of

EduCCSs clients was also allowed. Using EduCCS's employee accounts, attackers installed a remote

access tool on EduCCS's compromised systems. By doing so, they gained access to personal

information of EduCCS's clients, training programs, and other information stored in its online

payment system. The attack was detected by X-Techs system administrator. After detecting unusual 

activity in X-Techs network, they immediately reported it to the incident management team of the

company. One week after being notified about the personal data breach, EduCCS communicated the

incident to the supervisory authority with a document that outlined the reasons for the delay

revealing that due to the lack of regular testing or modification, their incident response plan was not

adequately prepared to handle such an attack. Based on this scenario, answer the following Questio

n:

What is the role of EduCCS' DPO in the situation described in scenario 7?