Questions on eu gdpr regulations

Welcome to your Questions on EU GDPR regulations

You undergo a medical examination and are awaiting the results. When accessing your electronic health records, you find out that your hospital has included a medical report of a different patient in your records. Fearing that your medical report might have ended up in the hands of someone else, you file a complaint with the data protection authority. What might the authority rule?

An individual submits a request to a company to exercise a right provided for by the GDPR. Can the company charge the individual a fee for the administrative paperwork involved in responding to the request and for sending the response?

Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects on them or significantly affects them in a similar way, unless the decision:

The company "Mar & Nera" hires three employees in 2021. One of the employees is a lawyer specializing in data protection. Another employee is a computer engineer specializing in information security and data protection. The third employee is an auditor specializing in data protection. Who is the data controller?

Does the GDPR apply to the protection of personal data of deceased persons?

Which of the following elements is part of the minimum content of a Register of Processing Activities?

In a private school, surveys are conducted with various teachers as part of an effort to improve the quality of the school. The results of the surveys are given to the school principal. Which of the following statements is correct?

What is the “one-stop shop” mechanism?

Which of the following is one of the cases in which data subjects have the right to request the restriction of their personal data?

During the end-of-year festival, a dance school takes photographs of its best students in the 8 to 12-years-old category. The next day, the photos are published on the school's website and Facebook page. Parents ask the school to remove the photos. Which of the following statements is correct?

Ana signs up for the notification service of a job portal. All she has to do is enter her email address "" to start receiving notifications of job postings for lawyers in Spain. One year later, she approaches the company that runs the job portal to exercise her right of access. Which of the following statements is correct?

If, at the end of a Data Protection Impact Assessment, the controller finds that the processing would entail a high risk that cannot be mitigated, what must the controller do?

Tom has just started his traineeship with a big automotive company headquartered in Berlin. He has just finished his LLM in Data Protection and IT Law and is excited to start working in the field and gain some hands-on experience. The company has appointed a single Data Protection Officer for all of its European Union branches, and Tom will be working as part of the DPO’s team. During his first week as a trainee, he is asked to go through the existing data processing agreements and point out any relevant issues, particularly any international transfer issues. Tom is aware of the implications of the Schrems II ruling and tries to read all relevant material and guidance regarding requirements for international transfers. One data processing agreement includes regular international transfers to the processor, an Australian company with servers in Australia. How is this transfer most likely being legitimized?

Luigi has started working as a marketing manager for a medium-sized company. He is very active on LinkedIn and uses the social network as a tool for obtaining better business results. From day 1, Luigi sends “requests to connect” to 10 to 20 LinkedIn users each day. With each request to connect, Luigi adds a message in which he introduces himself and offers some information about the services his new company provides. One day, a LinkedIn user asks Luigi to stop sending him commercial communications. Is Luigi allowed to keep sending this type of message?

An international nongovernmental organization (NGO) decides to implement a fingerprint-based control system to control its employees’ attendance. The NGO has recently found that some of its staff have been exchanging their employee badges to cover each other's absences from work. Does the NGO need to carry out a data protection impact assessment before implementing the fingerprint-based control system?