Tuesday, 14 November 2017

GDPR/DSGVO practice test: check your data protection knowledge!

According to surveys, many companies and IT professionals are still not adequately prepared for the EU General Data Protection Regulation, which must be fully implemented by 25 May 2018.

What is the GDPR?


The EU General Data Protection Regulation (DSGVO in German; GDPR, General Data Protection Regulation) consists of rules governing the collection, storage and processing of personal data. The GDPR strengthens the rights of natural persons.

The new rules affect every business area and also shape how IT security departments store data securely and develop better protection against data theft.

Violations of the new regulation and inadequate data security will then carry heavy financial penalties.

What does the GDPR change?


Every company that handles data of EU citizens is affected by the GDPR, regardless of where the company is actually based.

In addition to the obligation to carry out regular reporting and monitoring, to notify data breaches and to conduct so-called data protection impact assessments, companies may need a data protection officer. Compared with the existing German Federal Data Protection Act (Bundesdatenschutzgesetz), the basic principles must in future not only be complied with but also be demonstrably complied with (accountability).

Read here what else you should know about the GDPR/DSGVO.

To prepare for a data protection exam, for example for certification as a data protection officer, test your knowledge with the following official practice questions!


GDPR/DSGVO practice questions


1. Which of the following controller/processing scenarios in principle CAN use the Public Interest legal basis?

A. A vehicle licensing agency selling owner names and contact details to the private sector in exchange for money

B. A company director credit checking agency republishing on the internet the names and addresses of directors taken from a Mandatory Public Register of directors which is already in the public domain

C. A registered and regulated charity receiving information from any public sector body as part of a lawful Data Sharing Agreement

D. None of the above


2. Where the data subject is a child, what steps must controllers take in respect of consent, within the constraints of available technology?

A. Controllers must make best efforts to verify the consent

B. Controllers must make reasonable efforts to verify the consent

C. Controllers must make best efforts to request the consent in clear and plain language, in the context of the age of the child

D. Controllers must make reasonable efforts to request the consent in clear and plain language, in the context of the age of the child


3. "While implementing certain data subject rights the controller is NOT obliged by Article 19 to inform each third party recipient of the personal data" For which of the following rights is that statement TRUE?

A. "Non-profiling" under Article 22

B. Rectification under Article 16

C. Erasure / "right to be forgotten" under Article 17

D. Restriction under Article 18


4. For purposes of a data protection impact assessment, when must the controller seek the views of data subjects or their representatives on the intended processing?

A. Always

B. Never

C. When appropriate

D. When the supervisory authority requests it


5. Regarding data subjects protected by the GDPR, which of the following statements is true?

A. The GDPR protects only people who are physically located in the EU

B. The GDPR protects only EU citizens

C. The GDPR protects only EU residents

D. The GDPR protects only EU domiciliaries


6. In respect of non-profit representation of data subjects, which of the following statements is FALSE?

A. For a not-for-profit body or organisation to execute a mandate on behalf of a data subject, it must have been properly constituted in accordance with the law of a Member State.

B. Member State laws may provide that not-for-profit bodies may bring complaints under Articles 77, 78, and 79 in the absence of mandates from affected data subjects.

C. Any data subject has the right to mandate any not-for-profit body, organisation or association to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf.

D. Unless a Member State's laws facilitate it, a not-for-profit body cannot exercise the right to receive compensation referred to in Article 82 on a data subject's behalf.


Answers

Highlight the black boxes to reveal the correct answers:

1. D

2. B

3. A

4. C

5. A

6. C



CDPO Data Protection Officer practice questions


Firebrand runs official CDPO courses in cooperation with PECB. The following exam questions with possible answers were provided by PECB:


1. The purpose of the GDPR

GDPR considers the protection of natural persons in relation to the processing of personal data as a fundamental right. Please prepare a summary explaining the purpose of this regulation and the areas that the GDPR intends to contribute to.

Possible Answer:

Purposes of this regulation are to:
  • Establish standardized data protection laws over all European countries
  • Eliminate inconsistencies in national laws
  • Raise the bar to provide better privacy protection for individuals
  • Update the law to better address contemporary privacy challenges, such as those posed by the internet, social media, big data and behavioural marketing
  • Reduce the costly administrative burdens for organizations dealing with multiple data protection authorities
This Regulation is intended to contribute to the security and justice area, as well as to the economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.


2. Data protection officer

Please determine what tasks shall be assigned to the data protection officer, in order to assist the controllers and processors ensure compliance with the regulation.

Possible Answer:

The data protection officer shall be involved properly and in a timely manner in all issues related to the protection of the personal data.

Some of the tasks of the data protection officer include:

Having an advisory role by:
  • Providing information and advice to the data controller, the data processor and the employees who carry out processing about their obligations under the GDPR
  • Providing advice regarding the data protection impact assessment (upon request)

Monitoring:
  • Monitor compliance with GDPR
  • Monitor compliance with internal policies
  • Monitor compliance with other data protection legislation
  • Monitor the performance of the DPIA (upon request)

Other tasks:
  • Cooperate with supervisory authority
  • Act as a contact point for the supervisory authorities on issues relating to processing


3. Data Protection Measures

Please define the measures that an organisation can implement to demonstrate compliance with the following.

Possible Answer:

Transparency of data collection:
  • Establish policies
  • Conduct periodic review
  • Create supported operating systems
  • Turn on automated updates

Privacy and data breach:
  • Ensure that staff comprehends that data breach is more than the loss of personal data
  • Make sure that there is an internal breach reporting procedure in place
  • Make sure that investigation and internal reporting procedures are in place


