Questions on EU GDPR regulations

Welcome to your Questions on EU GDPR regulations

You undergo a medical examination and are awaiting the results. When accessing your electronic health records, you find out that your hospital has included a medical report of a different patient in your records. Fearing that your medical report might have ended up in the hands of someone else, you file a complaint with the data protection authority. What might the authority rule?

If the mistake is proven to be the result of a human error, there would be no violation of the GDPR.

If it is proven that your medical report has not been included in the electronic health records of another patient, there would be no violation of the GDPR.

There would be a violation of the principle of confidentiality under the GDPR.

There would be a violation of the principle of minimization under the GDPR.

An individual submits a request to a company to exercise a right provided for by the GDPR. Can the company charge the individual a fee for the administrative paperwork involved in responding to the request and for sending the response?

No. The company may not charge a fee under any circumstances since the GDPR states that a response must be provided free of charge.

Yes. The company may set and charge a fee for handling all such requests.

Yes. The company may charge a fee for handling such requests only when the requests are manifestly unfounded or excessive.

Yes. The company may charge a fee for handling all such requests only if the fee is less than €50.

Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects on them or significantly affects them in a similar way, unless the decision:

Is necessary for the conclusion or performance of a contract.

Is based on the explicit consent of such persons.

All of the above

The company "Mar & Nera" hires three employees in 2021. One of the employees is a lawyer specializing in data protection. Another employee is a computer engineer specializing in information security and data protection. The third employee is an auditor specializing in data protection. Who is the data controller?

The company "Mar & Nera".

The lawyer specializing in data protection.

The computer engineer specializing in information security and data protection.

The auditor specializing in data protection.

Does the GDPR apply to the protection of personal data of deceased persons?

Yes

No

Yes, but only to the data of those persons deceased before May 24, 2016.

Yes, but only to the data of those persons deceased before May 25, 2018.

Which of the following elements is part of the minimum content of a Register of Processing Activities?

Purpose of processing

Categories of data subjects, personal data, and recipients

International transfers

All of the above

In a private school, surveys are conducted with various teachers as part of an effort to improve the quality of the school. The results of the surveys are given to the school principal. Which of the following statements is correct?

The surveys include only the initials of the teachers' first names and surnames, but not their full first names and surnames. The surveys therefore do not collect personal data.

The surveys include the course, year, group and specific subject they teach, but do not include the teachers' first names and surnames. The surveys therefore do not collect personal data.

The surveys include only a code, but do not include teachers' first names and surnames. The school management has a database that relates each code to a teacher for organizational purposes. There is therefore no personal data on the surveys.

None of these statements are correct.

What is the “one-stop shop” mechanism?

It is the mechanism ensuring cooperation between data protection authorities in the event of cross-border processing.

It is the mechanism enabling data subjects to authorise a single entity, organization, or non-profit association to lodge a complaint on their behalf.

It is the mechanism that establishes a single channel of communication between the Data Protection Officer and the Data Controller.

It is the mechanism that makes it possible to group all breaches of the GDPR committed by a data controller in a year into a single sanction.

Which of the following is one of the cases in which data subjects have the right to request the restriction of their personal data?

The processing is lawful, but the data subject opposes the erasure of the data and requests instead the limitation of its use.

The processing is unlawful, and the data subject objects to the erasure of the data and requests instead the limitation of its use.

The processing is unlawful because the data subject had not given his explicit consent.

None of the above

During the end-of-year festival, a dance school takes photographs of its best students in the 8 to 12-years-old category. The next day, the photos are published on the school's website and Facebook page. Parents ask the school to remove the photos. Which of the following statements is correct?

The dance school has the right to publish the photos since they are photos of its own students.

The dance school has the right to publish the photos since it had already announced on its Facebook page the day before that it would do so.

The dance school is entitled to publish the photos since, although the parents were not informed, the children themselves had signed up on a list to authorize such publication.

None of these statements are correct.

Ana signs up for the notification service of a job portal. All she has to do is enter her email address "a.iturburu.garcia@gmail.com" to start receiving notifications of job postings for lawyers in Spain. One year later, she approaches the company that runs the job portal to exercise her right of access. Which of the following statements is correct?

The company must reply to Ana by indicating that it does not have any information about Ana or her professional profile, only her email address.

The company must reply to Ana by indicating the steps to follow to stop receiving notifications or to modify her preferences for job notifications.

Answers A. and B. are correct.

The company must reply to Ana by indicating that it does process Ana’s personal data and by providing her with the information under Art. 15 of the GDPR.

If, at the end of a Data Protection Impact Assessment, the controller finds that the processing would entail a high risk that cannot be mitigated, what must the controller do?

The controller must consult with its Data Protection Officer, who will decide whether the processing can be carried out or not.

The controller must consult with all of its processors before starting to process the data.

The controller must consult with the relevant supervisory authority.

The controller must consult with the European Data Protection Board.

Tom has just started his traineeship with a big automotive company headquartered in Berlin. He has just finished his LLM in Data Protection and IT Law and is excited to start working in the field and gain some hands-on experience. The company has appointed a single Data Protection Officer for all of its European Union branches, and Tom will be working as part of the DPO’s team. During his first week as a trainee, he is asked to go through the existing data processing agreements and point out any relevant issues, particularly any international transfer issues. Tom is aware of the implications of the Schrems II ruling and tries to read all relevant material and guidance regarding requirements for international transfers. One data processing agreement includes regular international transfers to the processor, an Australian company with servers in Australia. How is this transfer most likely being legitimized?

With relevant appropriate safeguards according to Article 46 of the GDPR

With an adequacy decision because Australia has been recognized by the European Commission as offering an adequate level of data protection

With the implicit consent of data subjects

With binding corporate rules

Luigi has started working as a marketing manager for a medium-sized company. He is very active on LinkedIn and uses the social network as a tool for obtaining better business results. From day 1, Luigi sends “requests to connect” to 10 to 20 LinkedIn users each day. With each request to connect, Luigi adds a message in which he introduces himself and offers some information about the services his new company provides. One day, a LinkedIn user asks Luigi to stop sending him commercial communications. Is Luigi allowed to keep sending this type of message?

Yes, but only to those LinkedIn users whose profiles are set to allow them to receive communications from any other LinkedIn user.

Yes, because LinkedIn is intended to enable users to send marketing messages for the purpose of selling products and services.

Yes, but only to those LinkedIn users who are first-level connections of Luigi.

No, because the purpose of LinkedIn is to help connect people with job opportunities. It is not intended to to enable users to send marketing messages for the purpose of selling products and services.

An international nongovernmental organization (NGO) decides to implement a fingerprint-based control system to control its employees’ attendance. The NGO has recently found that some of its staff have been exchanging their employee badges to cover each other's absences from work. Does the NGO need to carry out a data protection impact assessment before implementing the fingerprint-based control system?

No, there is no need to carry out a data protection impact assessment.

Yes, the NGO must carry out a data protection impact assessment before implementing such a system.

No, the NGO must carry out a data protection impact assessment after implementing such a system.

Yes, but only if the employees request that a data protection impact assessment be carried out.