1091 お客様のコメント
質問 1:
Question:
UnderGDPR, the controller must demonstrate thatdata subjects have consentedto the processing of their personal data, and theconsent must be freely given.
What is therole of the DPO in ensuring compliancewith this requirement?
A. TheDPO should ensurethat the controller hasimplemented procedures to provide evidencethat consent has been obtained for all relevant personal data.
B. TheDPO should approvethe legal basis for consent processing before the controller can collect personal data.
C. TheDPO should personally recordinformation such aswho consented, when they consented, and how consent was given.
D. TheDPO should ensurethat the controller hasinformed data subjectsabout theirright to withdraw consent.
正解:A
解説: (Pass4Test メンバーにのみ表示されます)
質問 2:
Question:
What is themain purpose of conducting a DPIA?
A. Toidentify the causesof the identified risks.
B. Toextensively assess the impactsof the identified risks on individuals.
C. Toeliminate all risksassociated with processing personal data.
D. Tomeasure the potential consequencesof the identified risks on the organization.
正解:B
解説: (Pass4Test メンバーにのみ表示されます)
質問 3:
Scenario5:
Recpond is a German employment recruiting company. Their services are delivered globally and include consulting and staffing solutions. In the beginning. Recpond provided its services through an office in Germany. Today, they have grown to become one of the largest recruiting agencies, providing employment to more than 500,000 people around the world. Recpond receives most applications through its website. Job searchers are required to provide the job title and location. Then, a list of job opportunities is provided. When a job position is selected, candidates are required to provide their contact details and professional work experience records. During the process, they are informed that the information will be used only for the purposes and period determined by Recpond. Recpond's experts analyze candidates' profiles and applications and choose the candidates that are suitable for the job position. The list of the selected candidates is then delivered to Recpond's clients, who proceed with the recruitment process. Files of candidates that are not selected are stored in Recpond's databases, including the personal data of candidates who withdraw the consent on which the processing was based. When the GDPR came into force, the company was unprepared.
The top management appointed a DPO and consulted him for all data protection issues. The DPO, on the other hand, reported the progress of all data protection activities to the top management. Considering the level of sensitivity of the personal data processed by Recpond, the DPO did not have direct access to the personal data of all clients, unless the top management deemed it necessary. The DPO planned the GDPR implementation by initially analyzing the applicable GDPR requirements. Recpond, on the other hand, initiated a risk assessment to understand the risks associated with processing operations. The risk assessment was conducted based on common risks that employment recruiting companies face. After analyzing different risk scenarios, the level of risk was determined and evaluated. The results were presented to the DPO, who then decided to analyze only the risks that have a greater impact on the company. The DPO concluded that the cost required for treating most of the identified risks was higher than simply accepting them. Based on this analysis, the DPO decided to accept the actual level of the identified risks. After reviewing policies and procedures of the company. Recpond established a new data protection policy. As proposed by the DPO, the information security policy was also updated. These changes were then communicated to all employees of Recpond.Based on this scenario, answer the following question:
Question:
Based on scenario 5, Recpond established and communicated thedata protection policyto all employees.
What should theDPOensure in this regard?
A. That thedata protection policy is approved by the supervisory authoritybefore implementation.
B. That theupdates of the data protection policyare communicated to all employees through anofficial letter.
C. That all policies within Recpond arereviewed and updatedby the DPO.
D. Thatemployee awarenesson the data protection policy is monitored.
正解:D
解説: (Pass4Test メンバーにのみ表示されます)
質問 4:
Scenario4:
Berc is a pharmaceutical company headquartered in Paris, France, known for developing inexpensive improved healthcare products. They want to expand to developing life-saving treatments. Berc has been engaged in many medical researches and clinical trials over the years. These projects required the processing of large amounts of data, including personal information. Since 2019, Berc has pursued GDPR compliance to regulate data processing activities and ensure data protection. Berc aims to positively impact human health through the use of technology and the power of collaboration. They recently have created an innovative solution in participation with Unity, a pharmaceutical company located in Switzerland. They want to enable patients to identify signs of strokes or other health-related issues themselves. They wanted to create a medical wrist device that continuously monitors patients' heart rate and notifies them about irregular heartbeats. The first step of the project was to collect information from individuals aged between 50 and 65. The purpose and means of processing were determined by both companies. The information collected included age, sex, ethnicity, medical history, and current medical status. Other information included names, dates of birth, and contact details. However, the individuals, who were mostly Berc's and Unity's customers, were not aware that there was an arrangement between Berc and Unity and that both companies have access to their personal data and share it between them. Berc outsourced the marketing of their new product to an international marketing company located in a country that had not adopted the adequacy decision from the EU commission. However, since they offered a good marketing campaign, following the DPO's advice, Berc contracted it. The marketing campaign included advertisement through telephone, emails, and social media. Berc requested that Berc's and Unity's clients be first informed about the product. They shared the contact details of clients with the marketing company.Based on this scenario, answer the following question:
Question:
According to scenario 4,individuals from whom the health data was collected were not informed about the arrangement between Berc and Unty. Which option below is correct?
A. Berc and Unty have determined the purpose and means of processing, so they can decide if they want to inform individuals or not.
B. The data processing means, purpose, or other arrangements between Berc and Unty areconfidentialand should not be disclosed to individuals.
C. The arrangement and roles and responsibilities of Berc and Unty should be available to individuals.
D. The supervisory authority should decide whether individuals need to be informed.
正解:C
解説: (Pass4Test メンバーにのみ表示されます)
質問 5:
Scenario1:
MED is a healthcare provider located in Norway. It provides high-quality and affordable healthcare services, including disease prevention, diagnosis, and treatment. Founded in 1995, MED is one of the largest health organizations in the private sector. The company has constantly evolved in response to patients' needs.
Patients that schedule an appointment in MED's medical centers initially need to provide their personal information, including name, surname, address, phone number, and date of birth. Further checkups or admission require additional information, including previous medical history and genetic data. When providing their personal data, patients are informed that the data is used for personalizing treatments and improving communication with MED's doctors. Medical data of patients, including children, are stored in the database of MED's health information system. MED allows patients who are at least 16 years old to use the system and provide their personal information independently. For children below the age of 16, MED requires consent from the holder of parental responsibility before processing their data.
MED uses a cloud-based application that allows patients and doctors to upload and access information.
Patients can save all personal medical data, including test results, doctor visits, diagnosis history, and medicine prescriptions, as well as review and track them at any time. Doctors, on the other hand, can access their patients' data through the application and can add information as needed.
Patients who decide to continue their treatment at another health institution can request MED to transfer their data. However, even if patients decide to continue their treatment elsewhere, their personal data is still used by MED. Patients' requests to stop data processing are rejected. Thisdecision was made by MED's top management to retain the information of everyone registered in their databases.
The company also shares medical data with InsHealth, a health insurance company. MED's data helps InsHealth create health insurance plans that meet the needs of individuals and families.
MED believes that it is its responsibility to ensure the security and accuracy of patients' personal data. Based on the identified risks associated with data processing activities, MED has implemented appropriate security measures to ensure that data is securely stored and processed.
Since personal data of patients is stored and transmitted over the internet, MED uses encryption to avoid unauthorized processing, accidental loss, or destruction of data. The company has established a security policy to define the levels of protection required for each type of information and processing activity. MED has communicated the policy and other procedures to personnel and provided customized training to ensure proper handling of data processing.
Question:
Considering the nature of data processing activities described in scenario 1, is GDPR applicable to MED?
A. No, because MED operates only in Norway, and GDPR does not apply to domestic processing.
B. Yes, MED's use of cloud-based software to store and process health-related information necessitates compliance with GDPR's data protection requirements.
C. No, MED's activities include healthcare services within one of the four EFTA states, which do not fall under the scope of GDPR.
D. Yes, GDPR is applicable to MED due to its processing activities involving personal information.
正解:D
解説: (Pass4Test メンバーにのみ表示されます)
Question:
UnderGDPR, the controller must demonstrate thatdata subjects have consentedto the processing of their personal data, and theconsent must be freely given.
What is therole of the DPO in ensuring compliancewith this requirement?
A. TheDPO should ensurethat the controller hasimplemented procedures to provide evidencethat consent has been obtained for all relevant personal data.
B. TheDPO should approvethe legal basis for consent processing before the controller can collect personal data.
C. TheDPO should personally recordinformation such aswho consented, when they consented, and how consent was given.
D. TheDPO should ensurethat the controller hasinformed data subjectsabout theirright to withdraw consent.
正解:A
解説: (Pass4Test メンバーにのみ表示されます)
質問 2:
Question:
What is themain purpose of conducting a DPIA?
A. Toidentify the causesof the identified risks.
B. Toextensively assess the impactsof the identified risks on individuals.
C. Toeliminate all risksassociated with processing personal data.
D. Tomeasure the potential consequencesof the identified risks on the organization.
正解:B
解説: (Pass4Test メンバーにのみ表示されます)
質問 3:
Scenario5:
Recpond is a German employment recruiting company. Their services are delivered globally and include consulting and staffing solutions. In the beginning. Recpond provided its services through an office in Germany. Today, they have grown to become one of the largest recruiting agencies, providing employment to more than 500,000 people around the world. Recpond receives most applications through its website. Job searchers are required to provide the job title and location. Then, a list of job opportunities is provided. When a job position is selected, candidates are required to provide their contact details and professional work experience records. During the process, they are informed that the information will be used only for the purposes and period determined by Recpond. Recpond's experts analyze candidates' profiles and applications and choose the candidates that are suitable for the job position. The list of the selected candidates is then delivered to Recpond's clients, who proceed with the recruitment process. Files of candidates that are not selected are stored in Recpond's databases, including the personal data of candidates who withdraw the consent on which the processing was based. When the GDPR came into force, the company was unprepared.
The top management appointed a DPO and consulted him for all data protection issues. The DPO, on the other hand, reported the progress of all data protection activities to the top management. Considering the level of sensitivity of the personal data processed by Recpond, the DPO did not have direct access to the personal data of all clients, unless the top management deemed it necessary. The DPO planned the GDPR implementation by initially analyzing the applicable GDPR requirements. Recpond, on the other hand, initiated a risk assessment to understand the risks associated with processing operations. The risk assessment was conducted based on common risks that employment recruiting companies face. After analyzing different risk scenarios, the level of risk was determined and evaluated. The results were presented to the DPO, who then decided to analyze only the risks that have a greater impact on the company. The DPO concluded that the cost required for treating most of the identified risks was higher than simply accepting them. Based on this analysis, the DPO decided to accept the actual level of the identified risks. After reviewing policies and procedures of the company. Recpond established a new data protection policy. As proposed by the DPO, the information security policy was also updated. These changes were then communicated to all employees of Recpond.Based on this scenario, answer the following question:
Question:
Based on scenario 5, Recpond established and communicated thedata protection policyto all employees.
What should theDPOensure in this regard?
A. That thedata protection policy is approved by the supervisory authoritybefore implementation.
B. That theupdates of the data protection policyare communicated to all employees through anofficial letter.
C. That all policies within Recpond arereviewed and updatedby the DPO.
D. Thatemployee awarenesson the data protection policy is monitored.
正解:D
解説: (Pass4Test メンバーにのみ表示されます)
質問 4:
Scenario4:
Berc is a pharmaceutical company headquartered in Paris, France, known for developing inexpensive improved healthcare products. They want to expand to developing life-saving treatments. Berc has been engaged in many medical researches and clinical trials over the years. These projects required the processing of large amounts of data, including personal information. Since 2019, Berc has pursued GDPR compliance to regulate data processing activities and ensure data protection. Berc aims to positively impact human health through the use of technology and the power of collaboration. They recently have created an innovative solution in participation with Unity, a pharmaceutical company located in Switzerland. They want to enable patients to identify signs of strokes or other health-related issues themselves. They wanted to create a medical wrist device that continuously monitors patients' heart rate and notifies them about irregular heartbeats. The first step of the project was to collect information from individuals aged between 50 and 65. The purpose and means of processing were determined by both companies. The information collected included age, sex, ethnicity, medical history, and current medical status. Other information included names, dates of birth, and contact details. However, the individuals, who were mostly Berc's and Unity's customers, were not aware that there was an arrangement between Berc and Unity and that both companies have access to their personal data and share it between them. Berc outsourced the marketing of their new product to an international marketing company located in a country that had not adopted the adequacy decision from the EU commission. However, since they offered a good marketing campaign, following the DPO's advice, Berc contracted it. The marketing campaign included advertisement through telephone, emails, and social media. Berc requested that Berc's and Unity's clients be first informed about the product. They shared the contact details of clients with the marketing company.Based on this scenario, answer the following question:
Question:
According to scenario 4,individuals from whom the health data was collected were not informed about the arrangement between Berc and Unty. Which option below is correct?
A. Berc and Unty have determined the purpose and means of processing, so they can decide if they want to inform individuals or not.
B. The data processing means, purpose, or other arrangements between Berc and Unty areconfidentialand should not be disclosed to individuals.
C. The arrangement and roles and responsibilities of Berc and Unty should be available to individuals.
D. The supervisory authority should decide whether individuals need to be informed.
正解:C
解説: (Pass4Test メンバーにのみ表示されます)
質問 5:
Scenario1:
MED is a healthcare provider located in Norway. It provides high-quality and affordable healthcare services, including disease prevention, diagnosis, and treatment. Founded in 1995, MED is one of the largest health organizations in the private sector. The company has constantly evolved in response to patients' needs.
Patients that schedule an appointment in MED's medical centers initially need to provide their personal information, including name, surname, address, phone number, and date of birth. Further checkups or admission require additional information, including previous medical history and genetic data. When providing their personal data, patients are informed that the data is used for personalizing treatments and improving communication with MED's doctors. Medical data of patients, including children, are stored in the database of MED's health information system. MED allows patients who are at least 16 years old to use the system and provide their personal information independently. For children below the age of 16, MED requires consent from the holder of parental responsibility before processing their data.
MED uses a cloud-based application that allows patients and doctors to upload and access information.
Patients can save all personal medical data, including test results, doctor visits, diagnosis history, and medicine prescriptions, as well as review and track them at any time. Doctors, on the other hand, can access their patients' data through the application and can add information as needed.
Patients who decide to continue their treatment at another health institution can request MED to transfer their data. However, even if patients decide to continue their treatment elsewhere, their personal data is still used by MED. Patients' requests to stop data processing are rejected. Thisdecision was made by MED's top management to retain the information of everyone registered in their databases.
The company also shares medical data with InsHealth, a health insurance company. MED's data helps InsHealth create health insurance plans that meet the needs of individuals and families.
MED believes that it is its responsibility to ensure the security and accuracy of patients' personal data. Based on the identified risks associated with data processing activities, MED has implemented appropriate security measures to ensure that data is securely stored and processed.
Since personal data of patients is stored and transmitted over the internet, MED uses encryption to avoid unauthorized processing, accidental loss, or destruction of data. The company has established a security policy to define the levels of protection required for each type of information and processing activity. MED has communicated the policy and other procedures to personnel and provided customized training to ensure proper handling of data processing.
Question:
Considering the nature of data processing activities described in scenario 1, is GDPR applicable to MED?
A. No, because MED operates only in Norway, and GDPR does not apply to domestic processing.
B. Yes, MED's use of cloud-based software to store and process health-related information necessitates compliance with GDPR's data protection requirements.
C. No, MED's activities include healthcare services within one of the four EFTA states, which do not fall under the scope of GDPR.
D. Yes, GDPR is applicable to MED due to its processing activities involving personal information.
正解:D
解説: (Pass4Test メンバーにのみ表示されます)
Harada -
問題集の九割がGDPR試験の問題にも出ていて凄かった。Pass4Testさん、やはり信頼できますね。