The General Data Protection Regulation (GDPR) is often known as the “European privacy law”. What
is the relationship between ‘privacy’ and ‘data protection’?
Data protection and privacy are complementary, but not the same thing.
A frequently repeated phrase is: it is possible to have security without privacy, but it is not possible to
have privacy without security.
Privacy is a right that must be protected, and data protection comprises the measures used to
achieve that protection.
Your credit card has been cloned. A card contains various items of personal data.
What category of data breach is this incident?
Data breach categories:
Material: Loss of equipment or media holding data, lost file folders, lost smartphones, etc.
Verbal: Indiscretion, shoulder surfing, intentional leakage of sensitive information, etc.
Digital (not material): Backdoors, incorrect coding, maladministration (e.g., patch management),
insufficient security measures, card cloning, etc.
Card cloning therefore falls into the digital category.
Which of the following constitutes a data breach under the General Data Protection Regulation (GDPR)?
Some data processing falls outside the material scope of the GDPR. What type of processing is not
subject to the GDPR?
Collecting name and address information for a gymnastics club. Incorrect. Collecting is also
considered processing of personal data.
Creating a back-up of biometric data for data security purposes. Incorrect. Storage is also considered processing.
Editing personal photographs before printing them at home. Correct. The GDPR does not apply to
purely personal or household use of your own photographs. (Literature: A, Chapter 1; GDPR Article 4)
The GDPR describes the principle of data minimization. How can organizations comply with this principle?
By applying the concept of least privilege to the personal data collected, stored or otherwise
processed. Incorrect. Data minimization does not address least privilege.
By limiting access rights to staff who need the personal data for the intended processing operations.
Incorrect. This describes the concept of limiting authorization, for instance to comply with the
principle of integrity and confidentiality.
By limiting file sizes, through saving all personal data that is processed in the smallest possible
format. Incorrect. Data minimization according to the GDPR is not about storage size, but about
minimizing the use of personal data.
By limiting the personal data to what is adequate, relevant and necessary for the processing.
Correct. This is the essence of the description in the GDPR. (Literature: A, Chapter 2; GDPR Article
A natural or legal person, public authority, agency or other body which, alone or jointly with others,
determines the purposes and means of the processing of personal data. Which role in data protection is
defined here?
Controller: Correct. The controller determines the purposes and means of the processing. (Literature:
A, Chapter 1; GDPR Article 4(7))
Processor: Incorrect. The controller determines the purpose of the processing; the processor works
on the controller's instructions.
Supervisory authority: Incorrect. The supervisory authority monitors and enforces compliance with
the GDPR requirements.
Third party: Incorrect. A third party has no role in determining the purpose of the processing. Any
party that determines the purpose would become a new controller.
What is the relationship between data protection and privacy?
Data protection and privacy are synonyms and have the same meaning. Incorrect. Data protection
helps to protect a person's privacy, but the terms are not synonyms.
Data protection is the part of privacy that protects a person's physical integrity. Incorrect. Data
protection is not related to physical integrity or physical privacy.
Data protection refers to the measures needed to protect a person's privacy. Correct. Data protection
comprises some of the measures needed to protect a person's privacy. (Literature: A, Chapter 1)
What is a description of data protection by design and by default?
An approach that implements data protection from the start. Correct. This is a correct description.
(Literature: A, Chapter 8; GDPR Article 25(1))
An indication of timeframes if processing relates to erasure. Incorrect. This is a description of a data
protection impact assessment (DPIA).
Data may only be collected for explicit and legitimate purposes. Incorrect. This is a description of
measures taken to comply with the principle of purpose limitation.
Not holding more data than is strictly required for processing. Incorrect. This is a description of
procedures to comply with the principle of data minimization.
One of the objectives of a data protection impact assessment (DPIA) is to strengthen the confidence
of customers or citizens in the way personal data is processed and privacy is respected. How can a
DPIA strengthen the confidence?
The organization minimizes the risk of costly adjustments in processes or the redesign of systems in a
later stage. Incorrect. This aspect may strengthen the confidence of management, but not of
customers or citizens.
The organization prevents non-compliance with the GDPR and minimizes the risk of fines. Incorrect.
Preventing fines may strengthen the confidence of management, but not of customers or citizens.
The organization demonstrates that it takes privacy seriously and aims for compliance with the GDPR.
Correct. Carrying out a DPIA shows customers or citizens that the organization is serious about data protection.
(Literature: A, Chapter 8)
Which data subject right is explicitly defined by the GDPR?
A copy of personal data must be provided in the format requested by the data subject. Incorrect. It
must be provided in a structured, commonly used and machine-readable format, but not necessarily
in any format the data subject specifies.
Access to personal data must be provided free of charge for the data subject. Correct. Data subjects
have a right to a copy of their data free of charge. However, only the first copy has to be free.
(Literature: A, Chapter 4)
Personal data must always be changed at the request of the data subject. Incorrect. Only inaccurate
data has to be rectified.
Personal data must always be erased if the data subject requests this. Incorrect. The right to erasure
has several exceptions to this, for instance if the data are needed for the establishment, exercise or
defense of legal claims.