Question 1

Scenario 3:COR Bank is an international banking group that operates in 31 countries. It was formed as themerger of two well-known investment banks in Germany. Their two main fields of business are retailand investment banking. COR Bank provides innovative solutions for services such as payments, cashmanagement, savings, protection insurance, and real-estate services. COR Bank has a large numberof clients and transactions. Therefore, they process large information, including clients' personal data. Some of the data from the application processes of COR Bank, including archived data, is operatedby Tibko, an IT services company located in Canada. To ensure compliance with the GDPR, COR Bankand Tibko have reached a data processing agreement Based on the agreement, the purpose andconditions of data processing are determined by COR Bank. However, Tibko is allowed to maketechnical decisions for storing the data based on its own expertise. COR Bank aims to remain atrustworthy bank and a long-term partner for its clients. Therefore, they devote special attention tolegal compliance. They started the implementation process of a GDPR compliance program in 2018.The first step was to analyze the existing resources and procedures. Lisa was appointed as the dataprotection officer (DPO). Being the information security manager of COR Bank for many years, Lisahad knowledge of the organization's core activities. She was previously involved in most of theprocesses related to information systems management and data protection. Lisa played a key role inachieving compliance to the GDPR by advising the company regarding data protection obligations and creating a data protection strategy. After obtaining evidence of the existing data protectionpolicy, Lisa proposed to adapt the policy to specific requirements of GDPR. Then, Lisa implementedthe updates of the policy within COR Bank. To ensure consistency between processes of differentdepartments within the organization, Lisa has constantly communicated with all heads of GDPR.Then, Lisa implemented the updates of the policy within COR Bank. To ensure consistency betweenprocesses of different departments within the organization, Lisa has constantly communicated withall heads of departments. As the DPO, she had access to several departments, including HR andAccounting Department. This assured the organization that there was a continuous cooperationbetween them. The activities of some departments within COR Bank are closely related to dataprotection. Therefore, considering their expertise, Lisa was advised from the top management totake orders from the heads of those departments when taking decisions related to their field. Basedon this scenario, answer the followingConsidering the GDPR's territorial scope and the data processing agreement between COR Bank andTibko, which of the following best describes Tibko's obligations under the GDPR?

Options :

A : Tibko-s compliance with GDPR is limited to implementing technical safeguards for data storage, as stipulated by the data processing agreement with COR Bank.

B : Tibko must adhere to all GDPR provisions independently, including determining the purpose of processing personal data, as a processor acting under COR Bank-s authority.

C : Tibko is required to comply with the GDPR because it processes personal data on behalf of COR Bank, and COR Bank determines the purpose of processing under their agreement.

D : Tibko is not subject to GDPR since it is located outside the EU and only provides IT services.

Answer: C

Question 2

Scenario 7: EduCCS is an online education platform based in Netherlands. EduCCS helpsorganizations find, manage, and deliver their corporate training. Most of EduCCS's clients are EUresidents. EduCCS is one of the few education organizations that have achieved GDPR compliancesince 2019. Their DPO is a full-time employee who has been engaged in most data protectionprocesses within the organization. In addition to facilitating GDPR compliance, the DPO acts as anintermediary point between EduCCS and other relevant interested parties. EduCCS's users canbenefit from the variety of up-to-date training library and the possibility of accessing it through theirphones, tablets, or computers. EduCCS's services are offered through two main platforms: onlinelearning and digital training. To use one of these platforms, users should sign on EduCCS's website byproviding their personal information. Online learning is a platform in which employees of otherorganizations can search for and request the training they need. Through its digital training platform,on the other hand, EduCCS manages the entire training and education program for otherorganizations. Organizations that need this type of service need to provide information about theircore activities and areas where training sessions are needed. This information is then analyzed byEduCCS and a customized training program is provided. In the beginning, all IT-related services weremanaged by two employees of EduCCS. However, after acquiring a large number of clients,managing these services became challenging That is why EduCCS decided to outsource the IT servicefunction to X-Tech. X-Tech provides IT support and is responsible for ensuring the security ofEduCCS's network and systems. In addition, X-Tech stores and archives EduCCS's informationincluding their training programs and clients' and employees' data. Recently, X-Tech made headlines in the technology press for being a victim of a phishing attack. Agroup of three attackers hacked X-Techs systems via a phishing campaign which targeted theemployees of the Marketing Department. By compromising X-Tech's mail server, hackers were ableto gain access to more than 200 computer systems. Consequently, access to the networks ofEduCCSs clients was also allowed. Using EduCCS's employee accounts, attackers installed a remoteaccess tool on EduCCS's compromised systems. By doing so, they gained access to personalinformation of EduCCS's clients, training programs, and other information stored in its onlinepayment system. The attack was detected by X-Techs system administrator. After detecting unusual activity in X-Techs network, they immediately reported it to the incident management team of thecompany. One week after being notified about the personal data breach, EduCCS communicated theincident to the supervisory authority with a document that outlined the reasons for the delayrevealing that due to the lack of regular testing or modification, their incident response plan was notadequately prepared to handle such an attack. Based on this scenario, answer the following Question:What is the role of EduCCS' DPO in the situation described in scenario 7?

Options :

A : The DPO should verify if EduCCS has adopted appropriate corrective measures to minimize the risk of similar future breaches.

B : The DPO should respond to the personal data breach based on the breach response plan as defined by EduCCS.

C : The DPO should document the personal data breach and notify the relevant parties about its occurrence.

D : The DPO is responsible for contacting the affected data subjects and compensating them for any damages.

Answer: A

Question 3

Based on Article 58 of GDPR, what powers must the supervisory authority have?

Options :

A : To appoint a single DPO in a group of undertakings.

B : To obtain access to any premises of the controller and processor, including data processing equipment.

C : To assign the tasks of the controller or the processor and monitor their implementation.

D : To approve all privacy policies before they are implemented.

Answer: B

Question 4

Scenario 7: EduCCS is an online education platform based in Netherlands. EduCCS helps

organizations find, manage, and deliver their corporate training. Most of EduCCS's clients are EU

residents. EduCCS is one of the few education organizations that have achieved GDPR compliance

since 2019. Their DPO is a full-time employee who has been engaged in most data protection

processes within the organization. In addition to facilitating GDPR compliance, the DPO acts as an

intermediary point between EduCCS and other relevant interested parties. EduCCS's users can

benefit from the variety of up-to-date training library and the possibility of accessing it through their

phones, tablets, or computers. EduCCS's services are offered through two main platforms: online

learning and digital training. To use one of these platforms, users should sign on EduCCS's website by

providing their personal information. Online learning is a platform in which employees of other

organizations can search for and request the training they need. Through its digital training platform,

on the other hand, EduCCS manages the entire training and education program for other

organizations. Organizations that need this type of service need to provide information about their

core activities and areas where training sessions are needed. This information is then analyzed by

EduCCS and a customized training program is provided. In the beginning, all IT-related services were

managed by two employees of EduCCS. However, after acquiring a large number of clients,

managing these services became challenging That is why EduCCS decided to outsource the IT service

function to X-Tech. X-Tech provides IT support and is responsible for ensuring the security of

EduCCS's network and systems. In addition, X-Tech stores and archives EduCCS's information

including their training programs and clients' and employees' dat

a. Recently, X-Tech made headlines in the technology press for being a victim of a phishing attack. A

group of three attackers hacked X-Techs systems via a phishing campaign which targeted the

employees of the Marketing Department. By compromising X-Tech's mail server, hackers were able

to gain access to more than 200 computer systems. Consequently, access to the networks of

EduCCSs clients was also allowed. Using EduCCS's employee accounts, attackers installed a remote

access tool on EduCCS's compromised systems. By doing so, they gained access to personal

information of EduCCS's clients, training programs, and other information stored in its online

payment system. The attack was detected by X-Techs system administrator. After detecting unusual

activity in X-Techs network, they immediately reported it to the incident management team of the

company. One week after being notified about the personal data breach, EduCCS communicated the

incident to the supervisory authority with a document that outlined the reasons for the delay

revealing that due to the lack of regular testing or modification, their incident response plan was not

adequately prepared to handle such an attack. Based on this scenario, answer the following Questio

n:

What is the role of EduCCS' DPO in the situation described in scenario 7?

Options :

A :

The DPO should verify if EduCCS has adopted appropriate corrective measures to minimize the risk of similar future breaches.

B :

The DPO should respond to the personal data breach based on the breach response plan as defined by EduCCS.

C :

The DPO should document the personal data breach and notify the relevant parties about its occurrence.

D :

The DPO is responsible for contacting the affected data subjects and compensating them for any damages.

Answer: A

Question 5

According to the principle of data minimization, data must be:

Options :

A : In a form which permits the identification of data subjects for no longer than is necessary.

B : Acquired only for specified, explicit, and legitimate purposes.

C : Adequate, relevant, and limited to what is necessary in relation to the purposes of processing.

D : Stored for no more than five years from the date of collection.

Answer: C

Free GDPR Mock Exam – Practice Online Confidently

Buying Options: