• Home
  • Articles
  • The Best PDP9 Exam Study Material Premium Files and Preparation Tool (Jan-2024) [Q20-Q45]

The Best PDP9 Exam Study Material Premium Files and Preparation Tool (Jan-2024) [Q20-Q45]

Share

The Best PDP9 Exam Study Material Premium Files and Preparation Tool (Jan-2024)

Get Instant Access to PDP9 Practice Exam Questions

NEW QUESTION # 20
An individual applies for a job as a security guard The employer has had significant issues with the sickness record of past recruits They therefore decide to offer the position to the individual on the basis they request a copy of their medical record so that the employer can be assured that they are in a good state of health.
The Data Protection Officer has been asked to advise. What advice is MOST appropriate?

  • A. Providing the medical evidence is used for a legitimate purpose, and that the information is securely destroyed on verification that the employee is healthy, this is an acceptable action.
  • B. This is a criminal offence under the Data Protection Act 2018 No individual should be asked to make a subject access request in order to obtain health records in these circumstances.
  • C. While requesting and viewing medical evidence may be legitimate, they should ask for evidence that the individual consents to the proposition that they make the request
  • D. In requesting information that is more than they necessary require to verify the medical condition of the individual they will have breached the data minimisation principle

Answer: B

Explanation:
Explanation
The Data Protection Act 2018 (DPA 2018) makes it a criminal offence for a person to require another person to make a subject access request for information about their health, convictions or cautions, or spent convictions, and to provide that information to the first person or a third person, as a condition of providing or offering to provide goods, facilities or services, or as a condition of entering into or continuing a contract. This is known as an enforced subject access request. The employer in this scenario is committing a criminal offence by offering the job to the individual on the condition that they request a copy of their medical record and provide it to the employer. The employer is also breaching the data protection principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, and storage limitation, as they are processing health data, which is a special category of personal data, without a valid legal basis, without informing the individual of the purpose and legal basis of the processing, and without limiting the processing to what is necessary and relevant for the employment relationship. The employer should instead obtain the individual's explicit consent to request the health information directly from the relevant health professional, and only request the information that is necessary and proportionate for the specific role of a security guard. References
:
* Section 184 of the DPA 20183
* ICO guidance on enforced subject access requests4
* ICO guidance on special category data5


NEW QUESTION # 21
Which one task are supervisory authorities NOT required to carry out under Article 57(1 )(f) of the UK GDPR? Select the CORRECT answer.

  • A. Mediate between the complainant and the entity against which the complaint has been lodged, to resolve the complaint
  • B. Investigate complaints and inform the complainant of the progress of their investigation
  • C. Handle complaints lodged by a data subject
  • D. Co-ordinate where necessary with other supervisory authorities

Answer: A

Explanation:
Explanation
Article 57(1)(f) of the UK GDPR requires the supervisory authority (the ICO in the UK) to handle complaints lodged by a data subject, investigate the subject matter of the complaint, and inform the complainant of the progress and the outcome of the investigation. It also requires the supervisory authority to cooperate with other supervisory authorities if the complaint involves cross-border processing. However, it does not require the supervisory authority to mediate between the complainant and the controller or processor against which the complaint has been lodged, to resolve the complaint. This is not a task of the supervisory authority under the UK GDPR, although it may be possible in some cases as a way of achieving an amicable solution. References
:
* Article 57(1)(f) of the UK GDPR1
* ICO and complaints2


NEW QUESTION # 22
A company based in France uses a specialist IT support business in China The two companies have signed a Data Processing Agreement.The Chinese business provides specialist IT support for the French company's digital customer experience platform No personal data is sent to China, but employees of the Chinese business access the platform on a regular basis and have access to the databases that sit behind it.Which of the following statements is CORRECT in relation to the French company's requirements to ensure compliance with the GDPR?

  • A. There is a Data Processing Agreement in place therefore no transfer mechanism is needed
  • B. No personal data is being transferred, therefore no transfer mechanism is needed
  • C. The French company must identify and implement an appropriate transfer mechanism
  • D. China provides an adequate level of protection for personal data, therefore no transfer mechanism is needed

Answer: C

Explanation:
Explanation
According to the GDPR, a transfer of personal data to a third country or an international organisation occurs when the personal data is made available to someone outside the EU and EEA, regardless of whether the data is physically sent or not. Therefore, the fact that the Chinese business accesses the platform and the databases that contain personal data of the French company's customers constitutes a transfer of personal data to China, which is a third country under the GDPR. The French company, as the controller of the personal data, must ensure that the transfer complies with the GDPR requirements and that the level of protection of the personal data is not undermined. This means that the French company must identify and implement an appropriate transfer mechanism, such as an adequacy decision, appropriate safeguards, or derogations for specific situations, as set out in Chapter V of the GDPR. A data processing agreement, although necessary to define the roles and responsibilities of the controller and the processor, is not sufficient to ensure the legality of the transfer, as it does not provide the same guarantees as the GDPR. China is not a country that has been recognised by the European Commission as providing an adequate level ofprotection for personal data, so the French company cannot rely on an adequacy decision either. References:
* Article 44 of the GDPR1
* ICO guidance on international transfers2


NEW QUESTION # 23
Two businesses decide to work together to sell their products by mail order Orders are made via a single online website and they each use their existing employees to administer and update each other's orders on a single order system regardless of product.
Which of the below is CORRECT of the roles of the two businesses in relation to the single order system'?

  • A. They are controllers of their own information in the single order system and processors of the information they process on behalf of the other business.
  • B. The businesses are controllers of their respective information, and the staff are processors of this information
  • C. They are controllers of their own information contained in the single order system only
  • D. They are both joint controllers of the information contained in the single order system

Answer: D

Explanation:
Explanation
The two businesses are both joint controllers of the information contained in the single order system, because they jointly determine the purposes and means of the processing. They have a shared purpose of selling their products by mail order and they agree on the means of processing by using a single online website and a single order system. Their decisions complement each other and are necessary for the processing to take place. The processing by each party is inseparable and inextricably linked. Therefore, they meet the criteria for joint controllership under the GDPR. References:
* Article 26 of the GDPR1
* Guidelines 07/2020 on the concepts of controller and processor in the GDPR2, pp. 16-24


NEW QUESTION # 24
Which of the following is NOT a key requirement of independent supervisory authorities?

  • A. They must provide each other with mutual assistance
  • B. Their leadership must change every four years
  • C. They review DPIAs in cases of unmitigated high risk
  • D. They must operate independently.

Answer: B

Explanation:
Explanation
Independent supervisory authorities are public authorities that supervise, through investigative and corrective powers, the application of the data protection law. They provide expert advice on data protection issues and handle complaints lodged against violations of the UK GDPR and the relevant national laws. The UK GDPR sets out the key requirements for independent supervisory authorities in Chapter VI, which include the following:
* They must operate independently and remain free from external influence, whether direct or indirect, and must neither seek nor take instructions from anybody.
* They must have adequate human, technical and financial resources to perform their tasks and exercise their powers effectively.
* They must review data protection impact assessments in cases of unmitigated high risk and provide prior consultation to controllers on such processing operations.
* They must provide each other with mutual assistance and cooperate with each other and the European Data Protection Board to ensure the consistent application of the UK GDPR across the EU.
* They must handle complaints lodged by data subjects or by bodies, organisations or associations representing them, and investigate the subject matter of the complaint to the extent appropriate.
* They must adopt binding decisions on matters concerning the application of the UK GDPR and impose effective, proportionate and dissuasive administrative fines for infringements of the UK GDPR.
The UK GDPR does not specify any fixed term for the leadership of independent supervisory authorities, nor does it require their leadership to change every four years. However, it does require that the members of the supervisory authority must be appointed by means of a transparent procedure by the parliament, the government or the head of state of the Member State concerned, and that they must act with integrity, refrain from any action incompatible with their duties and not engage in any incompatible occupation during and after their term of office. The UK GDPR also allows Member States to provide for rules regarding the establishment, appointment, duration of the term and dismissal of the head or members of the supervisory authority. References:
* UK GDPR, Chapter VI7
* ICO website, About the ICO8


NEW QUESTION # 25
What factors should be considered when looking at security of processing under Article 32 of the GDPR?
Select the INCORRECT answer

  • A. Lawfulness of processing
  • B. Adherence to an approved code of conduct
  • C. The likelihood of a risk to the rights of the data subjects
  • D. The most secure option available

Answer: A

Explanation:
Explanation
Lawfulness of processing is not a factor that should be considered when looking at security of processing under Article 32 of the GDPR. Lawfulness of processing is a separate requirement that applies to all processing of personal data, regardless of the level of security. Security of processing under Article 32 of the GDPR should be based on the following factors:
* The state of the art and the costs of implementation of the security measures;
* The nature, scope, context and purposes of the processing;
* The risk of varying likelihood and severity for the rights and freedoms of natural persons;
* Adherence to an approved code of conduct or an approved certification mechanism (as an element to demonstrate compliance). References:
* Article 32 of the GDPR1
* Guidelines 07/2020 on the concepts of controller and processor in the GDPR2, p. 36


NEW QUESTION # 26
An investigation reveals that an individual is defrauding a public authority After a (suspected) tip off from a senior manager, the individual submits a Subject Access Request to the authority asking for a copy of all personal data relating to any investigations that have been carried out What would be the BEST approach?

  • A. This is criminal offence data and therefore under the provisions of the Data Protection Act 2018, there is no obligation to disclose
  • B. While the right to inform does not apply in relation to criminal acts, they need to disclose the information as this has not yet been passed to the police.
  • C. The legal and professional privilege exemption applies to this information, and therefore the information does not need to be disclosed
  • D. They do not need to disclose details of the investigation as they can rely on the crime and taxation exemption on the basis that disclosure would prejudice the investigation

Answer: D

Explanation:
Explanation
The crime and taxation exemption in Schedule 2, Part 1, Paragraph 2 of the Data Protection Act 2018 (DPA
2018) provides an exemption from the UK GDPR's transparency obligations and most individual rights, including the right of access, but only if complying with them would prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders. This means that the public authority does not need to disclose details of the investigation to the individual who submitted the subject access request, as doing so would be likely to hinder the investigation and enable the individual to evade justice. The public authority should assess the likelihood of prejudice on a case-by-case basis and document its reasons for relying on the exemption. The other options are incorrect because:
* The legal and professional privilege exemption in Schedule 2, Part 1, Paragraph 19 of the DPA 2018 applies to personal data that is subject to an obligation of confidentiality arising from the provision of legal advice or legal representation, or from the conduct of legal proceedings. This exemption does not apply to the information held by the public authority about the investigation, as it is not related to any legal advice or representation, or any legal proceedings.
* The term "criminal offence data" refers to personal data relating to criminal convictions and offences, or related security measures. This type of data is subject to specific rules under Article 10 of the UK GDPR and Part 3 of the DPA2018. However, this does not mean that there is no obligation to disclose criminal offence data in response to a subject access request. The public authority still needs to consider whether any of the exemptions in the DPA 2018 apply, such as the crime and taxation exemption, before disclosing or withholding the data.
* The right to be informed does apply in relation to criminal acts, as the UK GDPR requires controllers to provide data subjects with information about the processing of their personal data, including the purposes and legal basis of the processing, unless an exemption applies. The fact that the information has not yet been passed to the police does not affect the applicability of the right to be informed or the right of access. References:
* Data Protection Act 2018, Schedule 2, Part 1, Paragraph 21
* ICO Guide to Data Protection, Crime and Taxation2
* Data Protection Act 2018, Schedule 2, Part 1, Paragraph 193
* UK GDPR, Article 104
* Data Protection Act 2018, Part 35
* UK GDPR, Article 13 and 146


NEW QUESTION # 27
A company has twenty retail outlets in France and thirty retail outlets in Belgium The payroll department and the Data Protection Officer are based in Poland.The Company Board and administrative functions are based in Germany. Determine where the company's 'mainestablishment' would be

  • A. Belgium
  • B. Germany
  • C. France
  • D. Poland

Answer: B

Explanation:
Explanation
The main establishment of a controller or a processor in the EU is the place where the decisions on the purposes and means of the processing of personal data are taken and implemented. According to Recital 36 of the GDPR, the main establishment of a controller with establishments in more than one Member State should be the place of its central administration in the EU, unless the decisions on the processing are taken in another establishment of the controller in the EU and the latter establishment has the power to have such decisions implemented, in which case the establishment havingtaken such decisions should be considered to be the main establishment. Similarly, the main establishment of a processor with establishments in more than one Member State should be the place of its central administration in the EU, or, if the processor has no central administration in the EU, the establishment of the processor in the EU where the main processing activities take place to the extent that the processor is subject to specific obligations under the GDPR. The main establishment is relevant for determining the lead supervisory authority, the applicable law, and the jurisdiction of the courts for cross-border processing of personal data. In this case, the company's main establishment would be Germany, as it is the place where the company board and administrative functions are based and where the decisions on the processing of personal data are likely to be taken and implemented.
References:
* Recital 36 of the GDPR8
* Article 4(16) of the GDPR9
* Article 56 of the GDPR


NEW QUESTION # 28
Which of the following statements are CORRECT about records of processing'?
A It must contain contact details for the Data Protection Officer where applicable.
B It must be submitted to the Information Commissioner's Office following every Data Protection ImpactAssessment C It is mandatory for all data processors D The controller or the processor a mustmakesthe record available to the supervisory authority on request
E. It must contain contact details for the supervisory authority

  • A. B, C. and D
  • B. A, C,andD
  • C. A,C,andE
  • D. A. C,D, and E

Answer: B

Explanation:
Explanation
Article 30 of the UK GDPR3 requires both controllers and processors to maintain records of their processing activities, unless they are exempted under certain conditions. The records must contain the following information, among others:
* the name and contact details of the controller or the processor, and of any joint controller, representative or data protection officer;
* the purposes of the processing;
* the categories of data subjects and personal data;
* the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
* where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards;
* where possible, the envisaged time limits for erasure of the different categories of data;
* where possible, a general description of the technical and organisational security measures.
The records must be in writing, including in electronic form, and must be made available to the ICO on request. The records do not need to contain contact details of the supervisory authority, as this is not specified in Article 30. Nor do they need to be submitted to the ICO following every DPIA, as this is not required by Article 35, which only obliges the controller to consult the ICO prior to the processing if the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. References:
* Article 30 of the UK GDPR3
* Article 35 of the UK GDPR4


NEW QUESTION # 29
Article 57 of the UK GDPR states that the tasks of the Commissioner include -Select the INCORRECT answer

  • A. Handling complaints raised by individuals/data subjects
  • B. Providing general guidance to clarify the law.
  • C. Advising UK Parliament on issues related to the protection of personal data
  • D. Adopting consistency findings in cross-border data protection cases

Answer: D

Explanation:
Explanation
Article 57 of the UK GDPR states that the tasks of the Commissioner include handling complaints raised by individuals/data subjects, providing general guidance to clarify the law, and advising UK Parliament on issues related to the protection of personal data, among other tasks. However, adopting consistency findings in cross-border data protection cases is not a task of the Commissioner, but of the European Data Protection Board (EDPB), which is an independent body composed of the heads of the supervisory authorities of the EU and EEA member states and the European Data Protection Supervisor. The EDPB is responsible for ensuring the consistent application of the EU GDPR across the EU and EEA, and for issuing opinions and decisions on matters of general application or affecting more than one member state. The UK is no longer part of the EU or the EEA, and therefore the EDPB does not have jurisdiction over the UK GDPR or the Commissioner. The UK has its own mechanism for ensuring consistency and cooperation with other countries, which involves the Commissioner and the Secretary of State. References:
* Article 57 of the UK GDPR1
* Article 63 and 64 of the EU GDPR4
* ICO guidance on the UK GDPR and the EU GDPR5


NEW QUESTION # 30
What does NOT have an exemption prescribed under schedule 3 of the Data Protection Act 2018?

  • A. Credit checking agency data
  • B. Education data, examination scripts and marks
  • C. Social Work Data.
  • D. Health data

Answer: A

Explanation:
Explanation
Schedule 3 of the Data Protection Act 2018 (DPA 2018) provides exemptions from some of the UK GDPR provisions for certain types of personal data processing, such as health data, social work data, education data, and child abuse data. These exemptions are intended to balance the rights and freedoms of data subjects with the public interest or the legitimate interests of data controllers in specific contexts. For example, the exemptions may allow data controllers to restrict the data subjects' access to their personal data, or to process their personal data without their consent, if complying with the UK GDPR would be likely to prejudice the purposes of the processing, such as the provision of health care, social work, education, or child protection.
However, Schedule 3 of the DPA 2018 does not provide any exemption for credit checking agency data, which is personal data processed by credit reference agencies for the purposes of assessing the creditworthiness of individuals or organisations, or preventing fraud or money laundering. Credit checking agency data is subject to the UK GDPR provisions as normal, unless another exemption applies. For example, credit reference agencies may rely on the crime and taxation exemption in Schedule 2, Part 1, Paragraph 2 of the DPA 2018 if disclosing personal data to a data subject would be likely to prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders. References:
* Data Protection Act 2018, Schedule 31
* ICO Guide to Data Protection, Exemptions2
* ICO Guide to Data Protection, Credit3


NEW QUESTION # 31
How are data sharing practices governed by data protection law?

  • A. Data sharing practices are covered by the Freedom of Information Act
  • B. Data sharing practices are not specifically regulated, however the ICO provide best practice guidance
  • C. Data sharing practices are covered in the DPA 2018, supported by a statutory Code of Practice that provides specific guidance
  • D. Data sharing practices are subject to the PECR until the new statutory Code of Practice is published

Answer: C

Explanation:
Explanation
Data sharing is the disclosure of personal data from one or more organisations to a third party organisation or organisations, or the sharing of personal data within an organisation. Data sharing practices are governed by data protection law, which includes the UK GDPR and the Data Protection Act 2018 (DPA 2018). The DPA
2018 contains specific provisions on data sharing, such as the power of the Information Commissioner's Office (ICO) to issue a statutory Code of Practice on data sharing. The ICO has published a Data Sharing Code of Practice1 that provides practical guidance on how to share data in a fair, safe and transparent way, in compliance with the data protection principles and the rights of data subjects. The code is not legally binding, but it reflects the ICO's interpretation of the law and it may be used as evidence in legal proceedings or investigations. The code also contains useful tools, case studies andexamples that can help organisations to share data effectively and responsibly. References:
* Data Sharing Code of Practice1


NEW QUESTION # 32
Under which circumstances can the 'domestic purposes' exemption be used to justify non-compliance with the Data Protection Act 2018?
A)An individual sells make up products for commission and uses social media to promote products to friends and family B)A couple are planning their daughter's wedding and use excel to store contact details and dietary needs of the guests C)An individual employs a babysitter and stores her bank details in an encrypted document in order to make payments D)A pansh council keeps a spreadsheet to manage bookings of the village hall, it contains only contact information and time slots E)A group of students are arranging a house party and using social media to invite people that they do and do not know

  • A. A,B, C, and E.
  • B. A. B.C. and D
  • C. B,and C
  • D. B. C. D, and E

Answer: C

Explanation:
Explanation
The domestic purposes exemption applies to personal data processed by an individual only for the purposes of their personal, family or household affairs. This means that theprocessing has no connection to any professional or commercial activity. Examples of such processing include writing to friends and family, taking pictures for personal enjoyment, or keeping an address book. However, the exemption does not apply if the individual processes personal data outside the reasonable expectations of the data subject, or if the processing causes unwarranted harm to the data subject's interests. Therefore, the exemption can be used to justify non-compliance with the Data Protection Act 2018 in scenarios B and C, where the processing is purely personal and does not affect the rights and freedoms of others. However, the exemption cannot be used in scenarios A, D and E, where the processing has a professional or commercial element, or involves sharing personal data with third parties without consent or legitimate interest. References:
* Data Protection Act 2018, Schedule 2, Part 1, Paragraph 21
* ICO Guide to Data Protection, Domestic Purposes2
* ICO Guide to Data Protection, Exemptions3


NEW QUESTION # 33
Which of the following would NOT be a personal data breach'?

  • A. The unauthorised changing of a persons address details on a database of customers.
  • B. The accidental deletion of an organisation's information security policy from the public facing website
  • C. The loss of a memory stick containing the names and addresses of students in private accommodation
  • D. The accidental destruction of a current employee's HR file.

Answer: B

Explanation:
Explanation
A personal data breach is defined in Article 4(12) of the UK GDPR as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed". Personal data means any information relating to an identified or identifiable natural person, such as a name, an identification number, location data, an online identifier or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Therefore, a personal data breach only occurs when the security incident affects personal data, not any other type of information. In this case, the accidental deletion of an organisation's information security policy from the public facing website would not be a personal data breach, as the policy does not contain any personal data. However, the other scenarios would be considered personal data breaches, as they involve the loss, alteration, destruction or unauthorised access to personal data of customers, employees or students.
References:
* UK GDPR, Article 4(12)1
* UK GDPR, Article 4(1)2
* ICO Guide to Data Protection, Personal Data Breaches3


NEW QUESTION # 34
In the terms of their relevance under data protection legislation, how can CCTV images recorded in a supermarket BEST be described'?

  • A. They are special category data as they identify special characteristics
  • B. The GDPR is only engaged where these are accompanied by text or other identifier
  • C. They are personal data as they can be used to identify living human beings
  • D. They are biometric data in the terms of the definition stipulated in the GDPR.

Answer: C

Explanation:
Explanation
CCTV images recorded in a supermarket are personal data as they can be used to identify living human beings, either directly or indirectly, by their physical appearance, clothing, accessories, or other distinctive features.
Personal data is defined in Article 4(1) of the GDPR as "any information relating to an identified or identifiable natural person". The GDPR applies to the processing of personal data by automated means, such as CCTV cameras, or by non-automated means that form part of a filing system, such as paper records. The other options are incorrect because:
* CCTV images are not special category data as they do not reveal any of the sensitive information listed in Article 9(1) of the GDPR, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, or biometric or genetic data.
Special category data is subject to stricter conditions and safeguards under the GDPR, as it poses a higher risk to the rights and freedoms of individuals.
* CCTV images are not biometric data in the terms of the definition stipulated in the GDPR. Biometric data is defined in Article 4(14) of the GDPR as "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data". CCTV images do not result from specific technical processing, nor do they allow or confirm the unique identification of a natural person, unless they are combined with other data or identifiers.
* The GDPR is not only engaged where CCTV images are accompanied by text or other identifier. The GDPR applies to any information that relates to an identified or identifiable natural person, regardless of whether it is accompanied by text or other identifier. CCTV images can relate to an identifiable natural person even if they do not contain any text or other identifier, as long as there is a possibility to single out or link the person to other data or factors. References:
* GDPR, Article 4(1)1
* GDPR, Article 2(1)2
* GDPR, Article 9(1)3
* GDPR, Article 4(14)4


NEW QUESTION # 35
Which of the following is NOT a role of the Information Commissioner's Office?

  • A. Providing case by case advice on what retention period companies should use
  • B. Publishing a list of the kind of processing that is subject to the requirement for a DPIA
  • C. Providing an annual activity report to Parliament
  • D. Encouraging the establishment of data protection certification mechanisms and of data protection seals

Answer: A

Explanation:
Explanation
The Information Commissioner's Office (ICO) is the UK's independent authority for data protection, which is responsible for upholding the UK GDPR and the Data Protection Act 2018, as well as other related legislation.
The ICO has various roles and tasks, such as monitoring and enforcing the application of the data protection law, promoting publicawareness and understanding of the risks and rights related to processing, advising the Parliament and the government on legislative and administrative measures concerning data protection, encouraging the development of codes of conduct and certification schemes, and handling complaints and investigations. However, the ICO does not provide case by case advice on what retention period companies should use, as this is a matter for the companies themselves to determine, based on their own purposes, legal obligations, and risk assessments. The ICO only provides general guidance on the data minimisation and storage limitation principles, which require that personal data should be kept only for as long as necessary and no longer than that. The ICO also expects companies to have clear policies and procedures on how they retain and dispose of personal data, and to document their retention periods and the reasons for them. References:
* Article 57 of the UK GDPR1
* ICO guidance on the role of the ICO2
* ICO guidance on data minimisation and storage limitation3


NEW QUESTION # 36
What is the basis of the accountability and data governance obligation (Article 5 (2) of the GDPR)?

  • A. The controller shall be responsible for. and be able to demonstrate compliance with the data protection principles.
  • B. Processors have overarching responsibility to ensure their processing is compliant
  • C. The controller shall appoint a DPO before carrying out large scale processing
  • D. Controllers and Processors each have a responsibility to conduct legitimate interests balancing tests before processing data for direct marketing

Answer: A

Explanation:
Explanation
Article 5(2) of the GDPR introduces the principle of accountability, which requires that the controller is responsible for, and be able to demonstrate compliance with, the data protection principles set out in Article
5(1). These principles are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and data protection by design and by default. The controller must implement appropriate technical and organisational measures to ensure and demonstrate compliance, such as policies, procedures, records, audits, reviews, and DPIAs. The controller must also cooperate with the supervisory authority and provide any information requested by it. The other options are not the basis of the accountability and data governance obligation, although they may be related to other obligations under the GDPR. References:
* Article 5(2) of the GDPR3
* ICO guidance on accountability and governance4


NEW QUESTION # 37
......

Validate your Skills with Updated PDP9 Exam Questions & Answers and Test Engine: https://examkiller.itexamreview.com/PDP9-valid-exam-braindumps.html

Related Articles

more
BCS PDP9 Certification Practice Exam

Our examkiller dumps is the best provider of IT exam training, which is really worth being chosen for your exam preparation. The test actual reviews from our customer are positive. We ensure you 100% pass. In case of any failure, we will full refund you.

Latest Examkiller pdf

Useful Links

Contact Us

Our Working Time: ( GMT 0:00-15:00 )
From Monday to Saturday

Support: Contact now 

If you have any question please leave me your email address, we will reply and send email to you in 12 hours.

Copyright © 2026 ITexamReview NETWORK CO.,LIMITED. All Rights Reserved. All trademarks used are properties of their respective owners. Privacy Policy