Audit modelData Protection Knowledge Audit

This questionnaire assesses understanding of privacy laws, data handling, cybersecurity, and compliance. Identify strengths and areas for improvement in data protection knowledge.

1. GDPR to be in compliance

1.1. 1.1. The right to portability exists only for processing operations based on a contract or the consent of the data subjects.

True

False

1.2. 1.2. Is the clocking file of a community's officers' schedules a data processing operation submitted to the GDPR?

Yes

1.3. 1.3. Who is the data controller for the management of the employee's personnel file?

The human resources manager

The manager

The company

1.4. 1.4. With regard to processing operations, date processors must adhere to the instructions given by the data controller in documented form.

True

False

1.5. 1.5. Companies that have signed up to codes of conduct are obliged to apply them.

True

False

1.6. 1.6. Which of these organizations are subject to the GDPR?

A body established in the European Union which processes data of people who are in the territory of the EU

A body established in the EU which processes personal data

A body established outside the EU which offers goods or services to people within the EU

A body established outside the EU that only processes personal data of people outside the EU

1.7. 1.7. Certification is mandatory for organizations subject to the GDPR

True

False

1.8. 1.8. A company has a file of its suppliers with contact e-mail addresses. The GDPR does not apply to this file because this information is collected in a professional context.

True

False

1.9. 1.9. Julie is randomly interviewed on the street by a polling organization. She is asked a total of 3 questions: Do you watch television? Do you watch it every day? How much time per day? The polling company does not collect any additional information. Is it an anonymous survey?

Yes

1.10. 1.10. An organisation may be both data controller and data processor.

Yes

1.11. 1.11. You fill out an information sheet about your employees. Each sheet is filed in alphabetical order in a dedicated folder. Does the GDPR apply?

Yes

1.12. 1.12. The data controller of an online sales site is:

The organization that initiated the creation of the site

The organization hosting the site

1.13. 1.13. In the case of data transfers to an "unsuitable" country, the organization does not need authorization if:

It sets up Binding Corporate Rules (BCR)

It makes use of the standard contractual clauses (SCTs) adopted by the European Commission

It puts in place specific contractual clauses

The person has given consent

1.14. 1.14. Which of the following data relating to a natural person, taken in isolation, is considered as "personal data"?

Vehicle registration number

Photograph

Postal code

Telephone number

1.15. 1.15. Which of these organizations are affected by the GDPR?

A school

An association

A self-entrepreneur

A public administration

2. Identify security breaches

2.1. 2.1. Personal data that are no longer in common use by the operational services concerned must necessarily be destroyed or anonymised if they are not of historical, statistical or scientific interest.

True

False

2.2. 2.2. Choose the proposal that best describes a cyber attack:

Intrusion into Government Computer Systems

Damage to computer systems carried out with malicious intent

Receipt of an email announcing an upcoming computer attack

2.3. 2.3. In the case of "subsequent data processing", the main data processor may be sanctioned for a fault committed by the subprocessor it has itself chosen.

True

False

2.4. 2.4. The notions of "privacy by default" and "privacy by design" must be applied by:

Data processors

Data controllers

2.5. 2.5. The respect of the obligation of security can be appreciated:

Once and for all; when registering the processing activities of the security measures implemented

On an ongoing basis; as technology and fraud techniques develop

Once a year; on the basis of the annual report of the DPO

2.6. 2.6. The implementation of an Information Systems Security Policy:

Is done under the responsibility of a person in charge of its establishment; evolution and application

Allows you to dispense with the need to carry out risk analyses and PIAs (impact analysis) of personal data processing

Must not be the subject of information of the collaborators in order not to disclose the means implemented

2.7. 2.7. The traces and the trace access policy allows:

To monitor employee productivity

Monitoring access to the information system only from outside (computer network, internet...)

To control the proper functioning and use of the company's IT resources on a permanent basis (traceability of actions; access; intrusions; virus attack; etc.)

2.8. 2.8. The obligation to ensure the security of personal data requires the systematic encryption of personal data.

True

False

2.9. 2.9. How to protect yourself from cyber attacks?

Destroy unsolicited messages without replying

Use secure passwords

Do not execute instructions from an unknown person

Share your password with your colleagues

Keep your equipment up to date

Do not disseminate personal and/or confidential information on the Internet

2.10. 2.10. What is loss of data integrity?

Unauthorized alteration of a data

The unavailability of a data

Loss of confidentiality of data

2.11. 2.11. What are the objectives of hackers during cyber attacks? (several answers are possible)

Espionage

Revenge

Destabilization

Data Resale

Political or ideological claim

Technical Challenge

2.12. 2.12. A breach of personal data occurs when the data has been subject to a loss of:

availability

integrity

confidentiality

2.13. 2.13. Identify situations that may affect the confidentiality of data.

Phone theft

Conversation espionage

Computer theft

Email recipient error

Modification of data

3. Role of the DPO

3.1. 3.1. It is mandatory for a public body to designate a DPO.

True

False

It depends

3.2. 3.2. Concerning relations with the supervisory authority, tick the exact proposal:

The DPO acts as a point of contact with the supervisory authority which means that he/she is the person who can refer to the supervisory authority for any consultation following a PIA or other matters that arise for the controller

Any person in the undertaking other than the DPO may refer a matter concerning a processing operation to the supervisory authority provided that he or she informs the DPO

3.3. 3.3. With regard to internal control operations, tick the exact proposal:

The DPO must monitor compliance with the GDPR; which implies that he can check the conformity of a treatment before it is implemented or afterwards

The DPO must monitor compliance with the GDPR; which implies that he can de facto only intervene after the processing operations have been implemented

The DPO must monitor compliance with the GDPR including the related audits; which implies that the DPO does not have to carry out the audits himself/herself

3.4. 3.4. The missions of the DPO are:

Inform and advise

Control

Sanctioning

Carrying out the impact assessment

Cooperate with the supervisory authority

3.5. 3.5. Can the Chief Information Security Officer (CISO) of a company be appointed as the DPO of this company?

Yes

It depends

3.6. 3.6. The register of processing operations is only compulsory for companies transferring data outside the European Union:

True

False

3.7. 3.7. The record of data processing activities must be kept by:

Data processors

Data controllers

3.8. 3.8. Does the following situation represent a misuse of purpose? The use by a municipality, for the purpose of updating its user files, of data collected on behalf of the State in the context of the population census.

Yes

3.9. 3.9. The data controller may give instructions to the DPO on how to analyse the results of an audit.

True

False

4. DPO: managing the protection of personal data

4.1. 4.1. Is it obligatory for the data controller of a company to communicate the register of its company if a person asks to do so?

Yes

4.2. 4.2. What categories of data can be archived?

All data likely to be of interest in the future

Useful data in the event of litigation

Data subject to legal obligation to retain

All data

4.3. 4.3. Individuals who have suffered harm may be represented by an association to bring an action on their behalf.

True

False

4.4. 4.4. Updating the data contained in the files satisfies the principle of data minimization.

True

False

4.5. 4.5. Does the next processing require an impact assessment? "Videosurveillance of a warehouse storing valuable goods and staffed by warehouse workers".

Yes

4.6. 4.6. When a person exercises one of his rights (e.g. right of access) with a joint data controller which is not in charge of processing this type of request, the latter must:

Give the person the contact details of the joint controller person in charge of processing these requests

Inform the joint controller for processing the request so that a reply can be given to the data subject

4.7. 4.7. The data protection compliance audit shall be limited to the internal processing operations carried out by the organisation:

True

False

4.8. 4.8. A data protection compliance audit must absolutely be carried out by external auditors:

True

False

4.9. 4.9. The PIA risk analysis is limited to technical risks:

True

False

4.10. 4.10. The PIA should be reviewed on a regular basis:

True

False

4.11. 4.11. The main purpose of the data protection compliance audit is to sanction employees who do not comply with data protection:

True

False

4.12. 4.12. Where an individual objects to the processing of his or her data by a body, the body shall:

Refuse to grant the request if a legal provision makes it obligatory to treat

Ask the person to justify the request if the processing in question is not intended for canvassing/prospecting

Necessarily grant the application if the ground presented is legitimate

4.13. 4.13. Documenting processing activities involves collecting and maintaining the following documents:

Information used

Impact assessments carried out

Outsourcing contracts in progress

Consent forms

4.14. 4.14. Failure to notify a breach of personal data is likely to lead the data controller:

To be the subject of an administrative penalty by the supervisory authority

To be the subject of a criminal sanction

4.15. 4.15. A data protection impact assessment (PIA) should:

Be carried out by the Control Authority

Be carried out in the event of a risk to the rights and freedoms of individuals

Be systematically submitted to the Control Authority

5. Manage controls by the authority

5.1. 5.1. The supervisory authority may impose a sanction only if the body concerned has not complied with a formal notice to comply with the GDPR.

True

False

5.2. 5.2. The supervisory authority shall have access to the body's register of processing operations only in the context of a control.

True

False

5.3. 5.3.1. Who: Co-ordinates the action of the data protection authorities of the Member States

National data protection authority (e.g. CNIL)

Court of Justice of the European Union (CJEU)

European Data Protection Committee (EDPS)

5.4. 5.3.2. Who: Ensures that EU legislation is interpreted and applied in the same way in all EU countries and guarantees that EU countries and institutions comply with European legislation

National data protection authority (e.g. CNIL)

Court of Justice of the European Union (CJEU)

European Data Protection Committee (EDPS)

5.5. 5.3.3. Who: Helps individual to master their rights; assists professionals in complying with them and sanctions bodies that do not comply why the regulations

National data protection authority (e.g. CNIL)

Court of Justice of the European Union (CJEU)

European Data Protection Committee (EDPS)

5.6. 5.4. In case of cross-border processing, the data protection authorities concerned may have to agree that, as the case may be, a single sanction decision should be taken on behalf of all the authorities.

True

False

5.7. 5.5. The law allows public authorities to access personal data held by bodies without having to provide evidence.

True

False

5.8. 5.6. Any person who considers that processing of data relating to him or her does not comply with the GDPR may lodge a complaint with the supervisory authority of the Member State where the breach of the GDPR is alleged to have occurred.

True

False

5.9. 5.7. In the event of a breach of data representing a high risk to the privacy of individuals, the data controller must:

Inform the supervisory authority

Inform the data subjects directly

5.10. 5.8. The formal notice and the sanction are confidential procedures that cannot be made public.

True

False

5.11. 5.9. What is the maximum time limit for notifying a data breach to the supervisory authority?

24h

48h

72h

5.12. 5.10. In the event of formal notice, the body must:

Bring to an end the failure(s) identified by the supervisory authority within a specified period of time

Communicate to the supervisory authority the justifications for the actions taken

5.13. 5.11. Penalties for non-compliance with the fundamental principles of the GDPR (purpose, minimisation, shelf life, etc.) or the rights of individuals may amount up to:

2% of sales or 10 million euros

4% of sales or 20 million euros

6% of sales or 40 million euros

5.14. 5.12. Designating a lead authority serves to facilitate the management of exchanges with supervisory authorities in the event of:

joint responsability for processing

further processing

cross-border processing

Created at:2023-02-01T21:40:38.6417757

Updated on :2024-03-05T15:27:37.5380078