Question 1

Scenario: ChatBubble is a software company that stores personal data, including usernames, emails, and passwords. Last month, an attacker gained access to ChatBubbles system, but the personal data was encrypted, preventing unauthorized access. Should the data subjects be notified in this case?

Options :

A : Yes, the company shall communicate all incidents regarding personal data to the data subjects.

B :

No, the company is not required to notify data subjects about a data breach that affects a large number of individuals.

C :

No, the company is not required to notify data subjects when the personal data is protected with appropriate technical and organizational measures.

D : Yes, but only if the supervisory authority explicitly requests notification

Answer: C

Question 2

Scenario: Bankbio is a financial institution that handles personal data of its customers. Its data processing activities involve processing that is necessary for the legitimate interests pursued by the institution. In such cases, Bankbio processes personal data without obtaining consent from data subjects. Is the data processing lawful under GDPR?

Options :

A :

Yes, processing is lawful when it is necessary for the legitimate interests pursued by the controller, except where such interests are overridden by the interests of fundamental rights.

B :

No, the processing is lawful only if the data subject has given explicit consent to the processing of personal data for the specified purpose.

C :

Yes, GDPR allows the processing of personal data for the legitimate interest pursued by the controller or by a third party in all cases.

D : No, financial institutions must always obtain explicit consent before processing personal data.

Answer: A

Question 3

Based on Article 58 of GDPR, what powers must the supervisory authority have?

Options :

A : To appoint a single DPO in a group of undertakings.

B :

To obtain access to any premises of the controller and processor, including data processing equipment.

C : To assign the tasks of the controller or the processor and monitor their implementation.

D : To approve all privacy policies before they are implemented.

Answer: B

Question 4

According to the principle of data minimization, data must be:

Options :

A : In a form which permits the identification of data subjects for no longer than is necessary.

B : Acquired only for specified, explicit, and legitimate purposes.

C : Adequate, relevant, and limited to what is necessary in relation to the purposes of processing.

D : Stored for no more than five years from the date of collection.

Answer: C

Question 5

Scenario 8: MA store is an online clothing retailer founded in 2010. They provide quality products at a

reasonable cost. One thing that differentiates MA store from other online shopping sites is their

excellent customer service.

MA store follows a customer-centered business approach. They have created a user-friendly website

with well-organized content that is accessible to everyone. Through innovative ideas and services,

MA store offers a seamless user experience for visitors while also attracting new customers. When

visiting the website, customers can filter their search results by price, size, customer reviews, and

other features. One of MA store's strategies for providing, personalizing, and improving its products

is data analytics. MA store tracks and analyzes the user actions on its website so it can create

customized experience for visitors.

In order to understand their target audience, MA store analyzes shopping preferences of its

customers based on their purchase history. The purchase history includes the product that was

bought, shipping updates, and payment details. Clients' personal data and other information related

to MA store products included in the purchase history are stored in separate databases. Personal

information, such as clients' address or payment details, are encrypted using a public key. When

analyzing the shopping preferences of customers, employees access only the information about the

product while the identity of customers is removed from the data set and replaced with a common

value, ensuring that customer identities are protected and cannot be retrieved.

Last year, MA store announced that they suffered a personal data breach where personal data of

clients were leaked. The personal data breach was caused by an SQL injection attack which targeted

MA stores web application. The SQL injection was successful since no parameterized queries were

used.

Based on this scenario, answer the following

How could MA store prevent the SQL attack described in scenario 8?

Options :

A :

Using security measures that support data protection at the database level, such as authorized queries

B :

Using cryptographic protocols such as TLS as encryption mechanisms instead of a public key encryption

C :

Processing only the data they actually need to achieve processing purposes in database and application servers

Answer: A