
PECB GDPR Question Set

GDPR

Exam code: GDPR

Exam name: PECB Certified Data Protection Officer

Last updated: 2025-09-13

Questions and answers: 84 in total


Free GDPR practice questions for certification

Question 1:
Question:
You work in a company that provides training services. One of the clients requests access to information about the categories of recipients to whom their personal data will be disclosed.
What actions should you take to be compliant with GDPR?
A. Inform the client that access to this type of information is not allowed, since it may result in a high risk to the rights and freedoms of recipients.
B. Provide the client with the requested information about the recipients of their data.
C. Obtain authorization from the recipients before disclosing their identities.
D. Verify the identity of the client by sending login data to their mailing address.
Correct answer: B
Explanation: (visible only to Topexam members)

Question 2:
Scenario:
PickFood is an online food delivery service that allows customers to order food online and pay by credit card.
The payment service is provided by PaySmart, which processes the transactions.
Question:
According to Article 30 of GDPR, what type of information should PaySmart NOT maintain when recording online transaction processing activity?
A. A list of customers' transaction amounts and items purchased.
B. The expected time for personal data erasure.
C. The general description of technical data protection measures.
D. Transfers of personal data to third-party payment processors.
Correct answer: A
Explanation: (visible only to Topexam members)

Question 3:
Question:
All the statements below regarding the lawfulness of processing are correct, except:
A. Processing is necessary for the performance of a contract to which the data subject is a party.
B. Processing is necessary to protect the vital interests of the data subject or another natural person.
C. Processing is necessary for the legitimate interests pursued by the controller, except where overridden by the interests or fundamental rights of the data subject.
D. Processing is necessary to obtain consent from the data subject.
Correct answer: D
Explanation: (visible only to Topexam members)

Question 4:
Scenario 1:
MED is a healthcare provider located in Norway. It provides high-quality and affordable healthcare services, including disease prevention, diagnosis, and treatment. Founded in 1995, MED is one of the largest health organizations in the private sector. The company has constantly evolved in response to patients' needs.
Patients that schedule an appointment in MED's medical centers initially need to provide their personal information, including name, surname, address, phone number, and date of birth. Further checkups or admission require additional information, including previous medical history and genetic data. When providing their personal data, patients are informed that the data is used for personalizing treatments and improving communication with MED's doctors. Medical data of patients, including children, are stored in the database of MED's health information system. MED allows patients who are at least 16 years old to use the system and provide their personal information independently. For children below the age of 16, MED requires consent from the holder of parental responsibility before processing their data.
MED uses a cloud-based application that allows patients and doctors to upload and access information.
Patients can save all personal medical data, including test results, doctor visits, diagnosis history, and medicine prescriptions, as well as review and track them at any time. Doctors, on the other hand, can access their patients' data through the application and can add information as needed.
Patients who decide to continue their treatment at another health institution can request MED to transfer their data. However, even if patients decide to continue their treatment elsewhere, their personal data is still used by MED. Patients' requests to stop data processing are rejected. This decision was made by MED's top management to retain the information of everyone registered in their databases.
The company also shares medical data with InsHealth, a health insurance company. MED's data helps InsHealth create health insurance plans that meet the needs of individuals and families.
MED believes that it is its responsibility to ensure the security and accuracy of patients' personal data. Based on the identified risks associated with data processing activities, MED has implemented appropriate security measures to ensure that data is securely stored and processed.
Since personal data of patients is stored and transmitted over the internet, MED uses encryption to avoid unauthorized processing, accidental loss, or destruction of data. The company has established a security policy to define the levels of protection required for each type of information and processing activity. MED has communicated the policy and other procedures to personnel and provided customized training to ensure proper handling of data processing.
Question:
Based on scenario 1, which data subject right is NOT guaranteed by MED?
A. Right to be informed
B. Right to restriction of processing
C. Right to data portability
D. Right to rectification
Correct answer: B
Explanation: (visible only to Topexam members)

Question 5:
Question:
What can be included in a DPIA?
A. The measures taken to protect the integrity, availability, and confidentiality of systems.
B. Documented information on personal data transfers to third countries.
C. Assessment of the risks to the rights and freedoms of data subjects.
D. All of the above.
Correct answer: D
Explanation: (visible only to Topexam members)

Question 6:
Scenario 3:
COR Bank is an international banking group that operates in 31 countries. It was formed as the merger of two well-known investment banks in Germany. Their two main fields of business are retail and investment banking. COR Bank provides innovative solutions for services such as payments, cash management, savings, protection insurance, and real-estate services. COR Bank has a large number of clients and transactions.
Therefore, they process a large amount of information, including clients' personal data. Some of the data from the application processes of COR Bank, including archived data, is operated by Tibko, an IT services company located in Canada. To ensure compliance with the GDPR, COR Bank and Tibko have reached a data processing agreement. Based on the agreement, the purpose and conditions of data processing are determined by COR Bank. However, Tibko is allowed to make technical decisions for storing the data based on its own expertise. COR Bank aims to remain a trustworthy bank and a long-term partner for its clients. Therefore, they devote special attention to legal compliance. They started the implementation process of a GDPR compliance program in 2018. The first step was to analyze the existing resources and procedures. Lisa was appointed as the data protection officer (DPO). Being the information security manager of COR Bank for many years, Lisa had knowledge of the organization's core activities. She was previously involved in most of the processes related to information systems management and data protection. Lisa played a key role in achieving compliance with the GDPR by advising the company regarding data protection obligations and creating a data protection strategy. After obtaining evidence of the existing data protection policy, Lisa proposed to adapt the policy to specific requirements of GDPR. Then, Lisa implemented the updates of the policy within COR Bank. To ensure consistency between processes of different departments within the organization, Lisa has constantly communicated with all heads of departments. As the DPO, she had access to several departments, including HR and Accounting Department.
This assured the organization that there was a continuous cooperation between them. The activities of some departments within COR Bank are closely related to data protection. Therefore, considering their expertise, Lisa was advised by the top management to take orders from the heads of those departments when taking decisions related to their field. Based on this scenario, answer the following question:
Question:
According to scenario 3, Lisa was appointed as the Data Protection Officer (DPO) of COR Bank. Is this action in compliance with GDPR?
A. No, Lisa cannot be appointed as a DPO because she was already an information security officer.
B. No, an external DPO must be contracted when personal data is collected or processed by an organization that is not established in the European Union.
C. Yes, the DPO may be a staff member of the controller or processor or fulfill the tasks based on a service contract.
D. Yes, the DPO must be a staff member of the controller or processor in all cases when processing includes special categories of data.
Correct answer: C
Explanation: (visible only to Topexam members)
