SECO


Which of the following statements is correct?
A. 'Risk appetite' refers to the amount of risk an organisation needs to take in order to achieve its strategic objectives.
B. 'Risk capacity' refers to the amount of risk an organisation needs to take in order to achieve its strategic objectives.
C. 'Risk tolerance' refers to the amount of risk an organisation can afford to take.
D. 'Risk appetite' refers to the amount of risk an organisation can afford to take.

The correct answer is A. 'Risk appetite' refers to the amount of risk an organisation needs to take in order to achieve its strategic objectives. The three correct statements are:
• Risk appetite refers to the amount of risk an organisation needs to take in order to achieve its strategic objectives.
• Risk tolerance refers to the amount of risk an organisation prefers to take.
• Risk capacity refers to the amount of risk an organisation can afford to take.

As Bicsma's DPO, you realise that My Can of Bicsma's Privacy Notice is very basic. It only describes what categories of personal data Bicsma collects from its customers, and how Bicsma uses that data to deliver orders, answer inquiries and send newsletters. List 4 more content elements you would include in the Privacy Notice.

Correct answers may include:
• A description of the data subject's rights
• An overview of how data subjects can submit requests and complaints
• The contact details of Bicsma's DPO
• The (categories of) recipients of the personal data
• Whether or not the personal data will be transferred to an entity outside the EU/EEA (if yes, a reference to the adequacy decision or safeguards)
• A description of the technical and organisational security measures
• The data retention periods per processing purpose/personal data category

The GDPR requires controllers to perform a Data Protection Impact Assessment (DPIA) where the processing "is likely to result in a high risk to the rights and freedoms of natural persons". As a DPO, which activity would you subject to a DPIA in any event?
A. HR and recruitment
B. Access rights management
C. Supplier relationship management
D. Accounting and bookkeeping

The correct answer is A. HR and recruitment should be subjected to a Data Protection Impact Assessment in any event. The Article 29 Working Party's Guidelines on Data Protection Impact Assessment list 9 criteria the controller should consider when determining the level of risk inherent in the processing. The general rule is that the more criteria the processing meets, the more likely it is to present a high risk to data subjects, and therefore to require a DPIA. The Working Party strongly recommends controllers to perform a DPIA if the processing meets at least 2 out of the 9 criteria listed below (from Module 2, Section: DPIA in the Context of the GDPR):
1. Evaluation or scoring, including profiling
2. Automated decision-making that has a significant effect on the data subject's rights and interests
3. Systematic monitoring
4. Sensitive data (special categories of personal data, such as health data)
5. Data processed on a large scale
6. Matching or combining datasets
7. Data concerning vulnerable data subjects (power imbalance between the data subject and the controller)
8. Innovative use (new technological or organisational solutions)
9. The processing prevents data subjects from exercising a right or using a service or a contract
HR and recruitment meet at least 3 criteria: 2, 4 and 7:
2. Recruitment is likely to use automated decision-making that may have a significant effect on the data subject.
4. Sensitive data are processed (a typical example is the processing of health data for sick leave management purposes).
7. HR processing concerns vulnerable data subjects (employees). Vulnerable data subjects are those who may be unable to oppose the processing due to an increased power imbalance between the data subject and the controller.
Considering that HR and recruitment is likely to meet at least 3 of the 9 criteria, a DPO should recommend the performance of a DPIA on this process in any event.
Naturally, this does not mean that a DPIA cannot be (or should never be) performed on access rights management, supplier relationship management, or accounting and bookkeeping. Those processes may also use personal data, but whether or not they require a DPIA depends on the particular circumstances.

Bicsma's marketing department uses a popular online marketing platform to create newsletter campaigns. The platform is operated by a U.S.-based service provider. As Bicsma's DPO, you need to advise Bicsma on how to use the platform and remain GDPR-compliant. What will you do?
A. Verify whether the provider has joined the EU-U.S. Privacy Shield framework. If the answer is yes, the issue requires no further action from Bicsma. The Privacy Shield framework has obtained an adequacy decision from the European Commission, and personal data transfers under an adequacy decision are regarded as intra-EEA transfers.
B. Inform the relevant stakeholders that the platform should not be used until Bicsma and the provider sign a legally binding agreement.
C. Check whether the provider has a representative in the EU. If there is an EU representative, GDPR compliance is automatically ensured.
D. Read the provider's data protection policy. If the policy states that the provider will process personal data in accordance with the GDPR, it is safe to use the service.

The correct answer is B. Inform the relevant stakeholders that the platform should not be used until Bicsma and the provider sign a legally binding agreement. The GDPR requires controllers to conclude binding agreements with all their processors. It is true that the U.S. has obtained an adequacy decision, the scope of which is limited to those U.S. organisations that comply with the Privacy Shield. It is also true that the GDPR regards personal data transfers under an adequacy decision as intra-EEA transfers. Yet the controller's obligation to conclude legally binding agreements with its processors applies to all controller-processor relationships. The GDPR contains no specifications on the binding agreement: it may be drawn up either by the processor or the controller, and it may be a standard document which the controller accepts when accepting the terms of use. The only important point is that the agreement must be binding and must address all the requirements set out in Article 28 of the GDPR.
The GDPR mandates that non-EU controllers and processors who process the personal data of individuals who are in the EU appoint a representative in the EU. Yet responsibility for compliance with the GDPR cannot be transferred to the representative, and having a representative is no guarantee of a controller's or processor's GDPR compliance. Similarly, a processor's data protection policy does not guarantee that the processor will process personal data in line with the GDPR.
