Data Protection Knowledge Audit
This questionnaire assesses understanding of privacy law, data handling, cybersecurity and compliance, and identifies strengths and areas for improvement in data protection knowledge.
1. GDPR compliance
1.1. The right to data portability exists only for processing operations based on a contract or on the consent of the data subjects.
1.2. Is the clocking-in file recording a community's officers' schedules a processing operation subject to the GDPR?
1.3. Who is the data controller for the management of an employee's personnel file?
1.4. With regard to processing operations, data processors must adhere to the documented instructions given by the data controller.
1.5. Companies that have signed up to codes of conduct are obliged to apply them.
1.6. Which of these organizations are subject to the GDPR?
1.7. Certification is mandatory for organizations subject to the GDPR.
1.8. A company has a file of its suppliers with contact e-mail addresses. The GDPR does not apply to this file because this information is collected in a professional context.
1.9. Julie is randomly interviewed on the street by a polling organization. She is asked a total of 3 questions: Do you watch television? Do you watch it every day? How much time per day? The polling company does not collect any additional information. Is it an anonymous survey?
1.10. An organisation may be both data controller and data processor.
1.11. You fill out an information sheet for each of your employees. Each sheet is filed in alphabetical order in a dedicated folder. Does the GDPR apply?
1.12. The data controller of an online sales site is:
1.13. In the case of data transfers to an "inadequate" country (one without an adequacy decision), the organization does not need authorization if:
1.14. Which of the following data relating to a natural person, taken in isolation, is considered "personal data"?
1.15. Which of these organizations are affected by the GDPR?
2. Identifying security breaches
2.1. Personal data that are no longer in common use by the operational services concerned must necessarily be destroyed or anonymised if they are not of historical, statistical or scientific interest.
2.2. Choose the proposal that best describes a cyber attack:
2.3. In the case of "subsequent data processing" (further sub-processing), the main data processor may be sanctioned for a fault committed by the sub-processor it has itself chosen.
2.4. The notions of "privacy by default" and "privacy by design" must be applied by:
2.5. Compliance with the security obligation can be assessed:
2.6. The implementation of an Information Systems Security Policy:
2.7. Logs (traces) and the log access policy allow:
2.8. The obligation to ensure the security of personal data requires the systematic encryption of personal data.
2.9. How can you protect yourself from cyber attacks?
2.10. What is a loss of data integrity?
2.11. What are hackers' objectives during cyber attacks? (several answers are possible)
2.12. A personal data breach occurs when the data has been subject to a loss of:
2.13. Identify situations that may affect the confidentiality of data.
3. Role of the DPO
3.1. It is mandatory for a public body to designate a DPO.
3.2. Concerning relations with the supervisory authority, tick the exact proposal:
3.3. With regard to internal control operations, tick the exact proposal:
3.4. The missions of the DPO are:
3.5. Can the Chief Information Security Officer (CISO) of a company be appointed as the DPO of this company?
3.6. The register of processing operations is only compulsory for companies transferring data outside the European Union:
3.7. The record of data processing activities must be kept by:
3.8. Does the following situation represent a misuse of purpose? The use by a municipality, for the purpose of updating its user files, of data collected on behalf of the State in the context of the population census.
3.9. The data controller may give instructions to the DPO on how to analyse the results of an audit.
4. DPO: managing the protection of personal data
4.1. Is the data controller of a company obliged to communicate the company's register if a person asks for it?
4.2. What categories of data can be archived?
4.3. Individuals who have suffered harm may be represented by an association to bring an action on their behalf.
4.4. Updating the data contained in the files satisfies the principle of data minimization.
4.5. Does the following processing require an impact assessment? "Video surveillance of a warehouse storing valuable goods and staffed by warehouse workers".
4.6. When a person exercises one of their rights (e.g. right of access) with a joint data controller which is not in charge of processing this type of request, the latter must:
4.7. The data protection compliance audit shall be limited to the internal processing operations carried out by the organisation:
4.8. A data protection compliance audit must absolutely be carried out by external auditors:
4.9. The PIA risk analysis is limited to technical risks:
4.10. The PIA should be reviewed on a regular basis:
4.11. The main purpose of the data protection compliance audit is to sanction employees who do not comply with data protection:
4.12. Where an individual objects to the processing of his or her data by a body, the body shall:
4.13. Documenting processing activities involves collecting and maintaining the following documents:
4.14. Failure to notify a personal data breach is likely to lead the data controller to:
4.15. A data protection impact assessment (PIA) should:
5. Managing controls by the authority
5.1. The supervisory authority may impose a sanction only if the body concerned has not complied with a formal notice to comply with the GDPR.
5.2. The supervisory authority shall have access to the body's register of processing operations only in the context of a control.
5.3.1. Who: coordinates the action of the data protection authorities of the Member States
5.3.2. Who: ensures that EU legislation is interpreted and applied in the same way in all EU countries and guarantees that EU countries and institutions comply with European legislation
5.3.3. Who: helps individuals understand their rights, assists professionals in complying with them, and sanctions bodies that do not comply with the regulations
5.4. In case of cross-border processing, the data protection authorities concerned may have to agree that, as the case may be, a single sanction decision should be taken on behalf of all the authorities.
5.5. The law allows public authorities to access personal data held by bodies without having to provide evidence.
5.6. Any person who considers that processing of data relating to him or her does not comply with the GDPR may lodge a complaint with the supervisory authority of the Member State where the breach of the GDPR is alleged to have occurred.
5.7. In the event of a data breach representing a high risk to the privacy of individuals, the data controller must:
5.8. The formal notice and the sanction are confidential procedures that cannot be made public.
5.9. What is the maximum time limit for notifying a data breach to the supervisory authority?
5.10. In the event of a formal notice, the body must:
5.11. Penalties for non-compliance with the fundamental principles of the GDPR (purpose limitation, data minimisation, retention period, etc.) or with the rights of individuals may amount to up to:
5.12. Designating a lead authority serves to facilitate the management of exchanges with supervisory authorities in the event of:
Created at: 01/01/2023
Updated on: 02/05/2024
License: Creative Commons Attribution / Non-commercial (CC-BY-NC)