Updated Jan-2024 Test Engine to Practice PDP9 Dumps & Practice Exam [Q15-Q34]


NEW QUESTION # 15
Describe the act of processing under the authority of a controller or processor as stipulated in UK GDPR Article 29.

  • A. The processor shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
  • B. A processor shall not process those data except on instructions from the controller, unless required to do so by domestic law.
  • C. Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller.
  • D. The processor shall consult the supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the processor to mitigate the risk.

Answer: B

Explanation:
Article 29 of UK GDPR states that the processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by domestic law. This means that the processor must follow the controller's directions on how to handle the personal data, and cannot use it for its own purposes or deviate from the agreed terms. The only exception is when the processor is obliged by law to process the data in a different way, for example, to comply with a court order or a legal obligation. The other options are not related to Article 29, but to other articles of UK GDPR, such as Article 25 (data protection by design and by default), Article 30 (records of processing activities), and Article 36 (prior consultation). References:
* Article 29 of UK GDPR
* ICO guidance on controllers and processors


NEW QUESTION # 16
A privacy notice MUST NOT contain

  • A. Details of the right to lodge a complaint with the supervisory authority
  • B. The contact details of the controller
  • C. The purpose of the processing
  • D. Details of the processor's staff

Answer: D

Explanation:
A privacy notice is a document that provides individuals with information about how their personal data is processed, as required by Articles 13 and 14 of the UK GDPR. A privacy notice must include the following information, among others:
* the identity and contact details of the controller and, where applicable, the controller's representative and the data protection officer;
* the purposes and legal basis of the processing;
* the categories of personal data concerned;
* the recipients or categories of recipients of the personal data, including any third parties or international organisations;
* where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;
* the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
* the existence of the rights of the data subject, such as the right to access, rectify, erase, restrict, object or port the data, and the conditions or limitations on those rights;
* the existence of the right to withdraw consent at any time, where the processing is based on consent;
* the right to lodge a complaint with a supervisory authority;
* whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
* the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
A privacy notice does not need to contain details of the processor's staff, as this is not relevant or necessary for the data subject to understand how their personal data is processed. However, the controller may need to inform the data subject if their personal data is shared with a processor, and provide the identity and contact details of the processor, as part of the information on the recipients or categories of recipients of the personal data. References:
* Articles 13 and 14 of the UK GDPR


NEW QUESTION # 17
A company based in France uses a specialist IT support business in China. The two companies have signed a Data Processing Agreement. The Chinese business provides specialist IT support for the French company's digital customer experience platform. No personal data is sent to China, but employees of the Chinese business access the platform on a regular basis and have access to the databases that sit behind it. Which of the following statements is CORRECT in relation to the French company's requirements to ensure compliance with the GDPR?

  • A. There is a Data Processing Agreement in place therefore no transfer mechanism is needed
  • B. The French company must identify and implement an appropriate transfer mechanism
  • C. China provides an adequate level of protection for personal data, therefore no transfer mechanism is needed
  • D. No personal data is being transferred, therefore no transfer mechanism is needed

Answer: B

Explanation:
According to the GDPR, a transfer of personal data to a third country or an international organisation occurs when the personal data is made available to someone outside the EU and EEA, regardless of whether the data is physically sent or not. Therefore, the fact that the Chinese business accesses the platform and the databases that contain personal data of the French company's customers constitutes a transfer of personal data to China, which is a third country under the GDPR. The French company, as the controller of the personal data, must ensure that the transfer complies with the GDPR requirements and that the level of protection of the personal data is not undermined. This means that the French company must identify and implement an appropriate transfer mechanism, such as an adequacy decision, appropriate safeguards, or derogations for specific situations, as set out in Chapter V of the GDPR. A data processing agreement, although necessary to define the roles and responsibilities of the controller and the processor, is not sufficient to ensure the legality of the transfer, as it does not provide the same guarantees as the GDPR. China is not a country that has been recognised by the European Commission as providing an adequate level of protection for personal data, so the French company cannot rely on an adequacy decision either. References:
* Article 44 of the GDPR
* ICO guidance on international transfers


NEW QUESTION # 18
If a complainant disagrees with the decision of the UK's supervisory authority, how do they appeal this decision?

  • A. To the First Tier Tribunal (Information Rights)
  • B. To the European Data Protection Supervisor.
  • C. To the European Commission
  • D. To the Information Commissioner

Answer: A

Explanation:
If a complainant disagrees with the decision of the UK's supervisory authority, which is the Information Commissioner's Office (ICO), they have the right to appeal to the First Tier Tribunal (Information Rights). The tribunal is an independent body that can review the ICO's decision and either uphold it, vary it or cancel it. The tribunal can also direct the ICO to take certain actions, such as issuing a decision notice or an enforcement notice. The appeal must be lodged within 28 days of receiving the ICO's decision, using the notice of appeal form and providing the relevant documents and grounds for appeal. The tribunal will then notify the ICO and the complainant of the appeal and the procedure for dealing with it. The tribunal may hold a hearing to examine the evidence and arguments of both parties, or decide the case on the basis of written submissions only. The tribunal will issue a written decision, which will be sent to both parties and published on the tribunal's website. The tribunal's decision can be further appealed to the Upper Tribunal on a point of law, with the permission of the First Tier Tribunal or the Upper Tribunal. References:
* Information rights and data protection: appeal against the Information Commissioner
* Notice of appeal form
* First Tier Tribunal (Information Rights) website


NEW QUESTION # 19
An individual applies for a job as a security guard. The employer has had significant issues with the sickness record of past recruits. They therefore decide to offer the position to the individual on the basis they request a copy of their medical record so that the employer can be assured that they are in a good state of health.
The Data Protection Officer has been asked to advise. What advice is MOST appropriate?

  • A. In requesting information that is more than they necessarily require to verify the medical condition of the individual they will have breached the data minimisation principle
  • B. While requesting and viewing medical evidence may be legitimate, they should ask for evidence that the individual consents to the proposition that they make the request
  • C. Providing the medical evidence is used for a legitimate purpose, and that the information is securely destroyed on verification that the employee is healthy, this is an acceptable action.
  • D. This is a criminal offence under the Data Protection Act 2018. No individual should be asked to make a subject access request in order to obtain health records in these circumstances.

Answer: D

Explanation:
The Data Protection Act 2018 (DPA 2018) makes it a criminal offence for a person to require another person to make a subject access request for information about their health, convictions or cautions, or spent convictions, and to provide that information to the first person or a third person, as a condition of providing or offering to provide goods, facilities or services, or as a condition of entering into or continuing a contract. This is known as an enforced subject access request. The employer in this scenario is committing a criminal offence by offering the job to the individual on the condition that they request a copy of their medical record and provide it to the employer. The employer is also breaching the data protection principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, and storage limitation, as they are processing health data, which is a special category of personal data, without a valid legal basis, without informing the individual of the purpose and legal basis of the processing, and without limiting the processing to what is necessary and relevant for the employment relationship. The employer should instead obtain the individual's explicit consent to request the health information directly from the relevant health professional, and only request the information that is necessary and proportionate for the specific role of a security guard. References:
* Section 184 of the DPA 2018
* ICO guidance on enforced subject access requests
* ICO guidance on special category data


NEW QUESTION # 20
What is the basis of the accountability and data governance obligation (Article 5 (2) of the GDPR)?

  • A. The controller shall be responsible for, and be able to demonstrate compliance with the data protection principles.
  • B. Controllers and Processors each have a responsibility to conduct legitimate interests balancing tests before processing data for direct marketing
  • C. Processors have overarching responsibility to ensure their processing is compliant
  • D. The controller shall appoint a DPO before carrying out large scale processing

Answer: A

Explanation:
Article 5(2) of the GDPR introduces the principle of accountability, which requires that the controller is responsible for, and be able to demonstrate compliance with, the data protection principles set out in Article 5(1). These principles are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and data protection by design and by default. The controller must implement appropriate technical and organisational measures to ensure and demonstrate compliance, such as policies, procedures, records, audits, reviews, and DPIAs. The controller must also cooperate with the supervisory authority and provide any information requested by it. The other options are not the basis of the accountability and data governance obligation, although they may be related to other obligations under the GDPR. References:
* Article 5(2) of the GDPR
* ICO guidance on accountability and governance


NEW QUESTION # 21
What does NOT have an exemption prescribed under schedule 3 of the Data Protection Act 2018?

  • A. Health data
  • B. Social Work Data.
  • C. Education data, examination scripts and marks
  • D. Credit checking agency data

Answer: D

Explanation:
Schedule 3 of the Data Protection Act 2018 (DPA 2018) provides exemptions from some of the UK GDPR provisions for certain types of personal data processing, such as health data, social work data, education data, and child abuse data. These exemptions are intended to balance the rights and freedoms of data subjects with the public interest or the legitimate interests of data controllers in specific contexts. For example, the exemptions may allow data controllers to restrict the data subjects' access to their personal data, or to process their personal data without their consent, if complying with the UK GDPR would be likely to prejudice the purposes of the processing, such as the provision of health care, social work, education, or child protection.
However, Schedule 3 of the DPA 2018 does not provide any exemption for credit checking agency data, which is personal data processed by credit reference agencies for the purposes of assessing the creditworthiness of individuals or organisations, or preventing fraud or money laundering. Credit checking agency data is subject to the UK GDPR provisions as normal, unless another exemption applies. For example, credit reference agencies may rely on the crime and taxation exemption in Schedule 2, Part 1, Paragraph 2 of the DPA 2018 if disclosing personal data to a data subject would be likely to prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders. References:
* Data Protection Act 2018, Schedule 3
* ICO Guide to Data Protection, Exemptions
* ICO Guide to Data Protection, Credit


NEW QUESTION # 22
How does the GDPR relate to cookies?

  • A. The GDPR applies in all cases where cookies are used
  • B. Websites only need an opt out of cookies if GDPR applies
  • C. Where PECR is engaged only PECR will apply to the processing of personal data
  • D. The GDPR only applies where a cookie processes personal data

Answer: C

Explanation:
The GDPR and the Privacy and Electronic Communications Regulations (PECR) are two different but related legal frameworks that regulate the use of cookies and similar technologies. Cookies are small text files that are stored on the user's device when they visit a website or use an online service. Cookies can be used for various purposes, such as remembering user preferences, tracking user behaviour, delivering targeted advertising, or enabling online transactions. The GDPR applies to the processing of personal data by cookies and similar technologies, as they can be used to identify or single out individuals, either directly or indirectly. Personal data is any information relating to an identified or identifiable natural person, such as a name, an email address, a location data, or a cookie identifier. The GDPR requires data controllers to obtain the user's consent before using any cookies that are not strictly necessary for the functioning of the website or service, and to provide clear and transparent information about the purposes and legal basis of the processing, the categories and recipients of the personal data, the retention periods, and the rights of the data subjects. The GDPR also requires data controllers to implement appropriate technical and organisational measures to ensure the security and confidentiality of the personal data, and to comply with the principles of data protection by design and by default. The PECR are a set of UK-specific rules that implement the EU ePrivacy Directive, which is a complementary legislation to the GDPR that deals with the privacy and security of electronic communications.
The PECR apply to the use of cookies and similar technologies, as well as to the sending of marketing communications by phone, email, text, or fax, and to the provision of public electronic communications services and networks. The PECR require data controllers to obtain the user's consent before using any cookies or similar technologies, except those that are strictly necessary for the provision of an information society service requested by the user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network. The PECR also require data controllers to provide clear and comprehensive information about the purposes of the cookies or similar technologies, and to offer the user a way to refuse or withdraw their consent. The PECR do not apply to the processing of personal data by cookies or similar technologies, as this is covered by the GDPR. Therefore, the correct answer is C, as where PECR is engaged only PECR will apply to the use of cookies or similar technologies, but not to the processing of personal data by them. The other options are incorrect because:
* The GDPR does not only apply where a cookie processes personal data, but to any processing of personal data by any means, including cookies and similar technologies. The GDPR applies to the processing of personal data by cookies and similar technologies, regardless of whether they are strictly necessary or not, or whether they are first-party or third-party cookies. However, the GDPR does not apply to the use of cookies or similar technologies, as this is covered by the PECR.
* The GDPR does not apply in all cases where cookies are used, but only in cases where cookies are used to process personal data. The GDPR does not apply to the use of cookies or similar technologies that do not process personal data, such as those that are strictly necessary for the functioning of the website or service, or those that do not identify or single out individuals. However, the PECR still apply to the use of cookies or similar technologies, regardless of whether they process personal data or not, except for some limited exemptions.
* Websites do not only need an opt out of cookies if GDPR applies, but also if PECR applies. The GDPR and the PECR both require data controllers to obtain the user's consent before using any cookies or similar technologies that are not strictly necessary, and to offer the user a way to refuse or withdraw their consent. The opt out of cookies is a mechanism that allows the user to exercise their right to object to the use of cookies or similar technologies, and to prevent the processing of their personal data by them. Websites need to provide an opt out of cookies in all cases where the user's consent is required, regardless of whether the GDPR or the PECR applies. References:
* GDPR, Article 4(1)
* GDPR, Article 6(1)(a)
* GDPR, Articles 13 and 14
* GDPR, Article 32
* GDPR, Article 25
* PECR, Regulation 6
* PECR, Regulation 5


NEW QUESTION # 23
Where are the definitions of "Public Authority" and "Public Bodies" found?

  • A. Freedom of Information Act 2000 and Data Protection Act 2018
  • B. GDPR and Data Protection Act 2018.
  • C. Data Protection Act 2018 only
  • D. Data Protection Act 2018 and PECR.

Answer: A

Explanation:
The definitions of "public authority" and "public body" for the purposes of the UK GDPR and the Data Protection Act 2018 are found in the Freedom of Information Act 2000 and the Data Protection Act 2018 respectively. Section 7 of the Data Protection Act 2018 provides that a public authority or a public body is one that is listed in Schedule 1 to the Freedom of Information Act 2000, or is designated by an order under section 5 of that Act. However, a court or tribunal acting in its judicial capacity is not considered a public authority or a public body under the Data Protection Act 2018. References:
* Section 7 of the Data Protection Act 2018
* Schedule 1 to the Freedom of Information Act 2000


NEW QUESTION # 24
Which one task are supervisory authorities NOT required to carry out under Article 57(1)(f) of the UK GDPR? Select the CORRECT answer.

  • A. Investigate complaints and inform the complainant of the progress of their investigation
  • B. Mediate between the complainant and the entity against which the complaint has been lodged, to resolve the complaint
  • C. Handle complaints lodged by a data subject
  • D. Co-ordinate where necessary with other supervisory authorities

Answer: B

Explanation:
Article 57(1)(f) of the UK GDPR requires the supervisory authority (the ICO in the UK) to handle complaints lodged by a data subject, investigate the subject matter of the complaint, and inform the complainant of the progress and the outcome of the investigation. It also requires the supervisory authority to cooperate with other supervisory authorities if the complaint involves cross-border processing. However, it does not require the supervisory authority to mediate between the complainant and the controller or processor against which the complaint has been lodged, to resolve the complaint. This is not a task of the supervisory authority under the UK GDPR, although it may be possible in some cases as a way of achieving an amicable solution. References:
* Article 57(1)(f) of the UK GDPR
* ICO and complaints


NEW QUESTION # 25
A company has twenty retail outlets in France and thirty retail outlets in Belgium. The payroll department and the Data Protection Officer are based in Poland. The Company Board and administrative functions are based in Germany. Determine where the company's 'main establishment' would be.

  • A. France
  • B. Germany
  • C. Belgium
  • D. Poland

Answer: B

Explanation:
The main establishment of a controller or a processor in the EU is the place where the decisions on the purposes and means of the processing of personal data are taken and implemented. According to Recital 36 of the GDPR, the main establishment of a controller with establishments in more than one Member State should be the place of its central administration in the EU, unless the decisions on the processing are taken in another establishment of the controller in the EU and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions should be considered to be the main establishment. Similarly, the main establishment of a processor with establishments in more than one Member State should be the place of its central administration in the EU, or, if the processor has no central administration in the EU, the establishment of the processor in the EU where the main processing activities take place to the extent that the processor is subject to specific obligations under the GDPR. The main establishment is relevant for determining the lead supervisory authority, the applicable law, and the jurisdiction of the courts for cross-border processing of personal data. In this case, the company's main establishment would be Germany, as it is the place where the company board and administrative functions are based and where the decisions on the processing of personal data are likely to be taken and implemented.
References:
* Recital 36 of the GDPR
* Article 4(16) of the GDPR
* Article 56 of the GDPR


NEW QUESTION # 26
Which of the following is NOT a role of the Information Commissioner's Office?

  • A. Providing an annual activity report to Parliament
  • B. Providing case by case advice on what retention period companies should use
  • C. Publishing a list of the kind of processing that is subject to the requirement for a DPIA
  • D. Encouraging the establishment of data protection certification mechanisms and of data protection seals

Answer: B

Explanation:
The Information Commissioner's Office (ICO) is the UK's independent authority for data protection, which is responsible for upholding the UK GDPR and the Data Protection Act 2018, as well as other related legislation. The ICO has various roles and tasks, such as monitoring and enforcing the application of the data protection law, promoting public awareness and understanding of the risks and rights related to processing, advising the Parliament and the government on legislative and administrative measures concerning data protection, encouraging the development of codes of conduct and certification schemes, and handling complaints and investigations. However, the ICO does not provide case by case advice on what retention period companies should use, as this is a matter for the companies themselves to determine, based on their own purposes, legal obligations, and risk assessments. The ICO only provides general guidance on the data minimisation and storage limitation principles, which require that personal data should be kept only for as long as necessary and no longer than that. The ICO also expects companies to have clear policies and procedures on how they retain and dispose of personal data, and to document their retention periods and the reasons for them. References:
* Article 57 of the UK GDPR
* ICO guidance on the role of the ICO
* ICO guidance on data minimisation and storage limitation


NEW QUESTION # 27
You are a consulting Data Protection Officer (DPO) for a holiday resort. You have been asked to conduct a Data Protection Impact Assessment (DPIA) for them in advance of adopting a new HR management database.
While working through the DPIA, which of the following is NOT a requirement?

  • A. Identify measures to mitigate the risks
  • B. Sign off and record outcomes.
  • C. Publish any potential risks in your information notice.
  • D. Describe the processing

Answer: C

Explanation:
A DPIA is a process to help identify and minimise the data protection risks of a project that is likely to result in a high risk to individuals. A DPIA must include the following elements, according to Article 35(7) of the UK GDPR:
* a description of the processing, including its purposes and legal basis;
* an assessment of the necessity and proportionality of the processing in relation to its purposes;
* an assessment of the risks to the rights and freedoms of individuals; and
* the measures envisaged to address the risks and demonstrate compliance with the UK GDPR.
There is no requirement to publish any potential risks in the information notice, which is a document that provides individuals with information about how their personal data is processed, as required by Articles 13 and 14 of the UK GDPR. However, it may be good practice to do so, as well as to consult with individuals or their representatives, where appropriate, as part of the DPIA process. This can help to enhance transparency, trust and accountability, and to identify any additional risks or concerns from the perspective of the data subjects. References:
* Article 35(7) of the UK GDPR
* Articles 13 and 14 of the UK GDPR


NEW QUESTION # 28
Two businesses decide to work together to sell their products by mail order. Orders are made via a single online website and they each use their existing employees to administer and update each other's orders on a single order system regardless of product.
Which of the below is CORRECT of the roles of the two businesses in relation to the single order system?

  • A. They are both joint controllers of the information contained in the single order system
  • B. The businesses are controllers of their respective information, and the staff are processors of this information
  • C. They are controllers of their own information contained in the single order system only
  • D. They are controllers of their own information in the single order system and processors of the information they process on behalf of the other business.

Answer: A

Explanation:
The two businesses are both joint controllers of the information contained in the single order system, because they jointly determine the purposes and means of the processing. They have a shared purpose of selling their products by mail order and they agree on the means of processing by using a single online website and a single order system. Their decisions complement each other and are necessary for the processing to take place. The processing by each party is inseparable and inextricably linked. Therefore, they meet the criteria for joint controllership under the GDPR. References:
* Article 26 of the GDPR
* Guidelines 07/2020 on the concepts of controller and processor in the GDPR, pp. 16-24


NEW QUESTION # 29
Who is entitled to a private life by law in the UK?

  • A. All individuals save for Members of Parliament
  • B. Nobody
  • C. All individuals.
  • D. Private individuals who do not conduct their business on public platforms (such as professional sports people and actors)

Answer: C

Explanation:
The right to a private life is a fundamental human right that is protected by law in the UK. Article 8 of the European Convention on Human Rights (ECHR), which is incorporated into UK law by the Human Rights Act 1998, states that "Everyone has the right to respect for his private and family life, his home and his correspondence". This right applies to all individuals, regardless of their status, profession, or public exposure. The right to a private life covers aspects such as personal identity, personal relationships, physical and mental well-being, personal data, and correspondence. However, this right is not absolute and can be limited or interfered with by the state or other parties in certain circumstances, such as for the protection of national security, public safety, health, morals, or the rights and freedoms of others. References:
* Article 8 of the ECHR
* Human Rights Act 1998
* ICO Guide to Data Protection


NEW QUESTION # 30
How are data sharing practices governed by data protection law?

  • A. Data sharing practices are not specifically regulated, however the ICO provide best practice guidance
  • B. Data sharing practices are subject to the PECR until the new statutory Code of Practice is published
  • C. Data sharing practices are covered by the Freedom of Information Act
  • D. Data sharing practices are covered in the DPA 2018, supported by a statutory Code of Practice that provides specific guidance

Answer: D

Explanation:
Data sharing is the disclosure of personal data from one or more organisations to a third party organisation or organisations, or the sharing of personal data within an organisation. Data sharing practices are governed by data protection law, which includes the UK GDPR and the Data Protection Act 2018 (DPA 2018). The DPA 2018 contains specific provisions on data sharing, such as the power of the Information Commissioner's Office (ICO) to issue a statutory Code of Practice on data sharing. The ICO has published a Data Sharing Code of Practice that provides practical guidance on how to share data in a fair, safe and transparent way, in compliance with the data protection principles and the rights of data subjects. The code is not legally binding, but it reflects the ICO's interpretation of the law and it may be used as evidence in legal proceedings or investigations. The code also contains useful tools, case studies and examples that can help organisations to share data effectively and responsibly. References:
* Data Sharing Code of Practice


NEW QUESTION # 31
Which of the following statements are CORRECT about records of processing?
A. It must contain contact details for the Data Protection Officer where applicable.
B. It must be submitted to the Information Commissioner's Office following every Data Protection Impact Assessment.
C. It is mandatory for all data processors.
D. The controller or the processor must make the record available to the supervisory authority on request.
E. It must contain contact details for the supervisory authority.

  • A. B, C, and D
  • B. A, C, D, and E
  • C. A, C, and E
  • D. A, C, and D

Answer: D

Explanation:
Article 30 of the UK GDPR requires both controllers and processors to maintain records of their processing activities, unless they are exempted under certain conditions. The records must contain the following information, among others:
* the name and contact details of the controller or the processor, and of any joint controller, representative or data protection officer;
* the purposes of the processing;
* the categories of data subjects and personal data;
* the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
* where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards;
* where possible, the envisaged time limits for erasure of the different categories of data;
* where possible, a general description of the technical and organisational security measures.
The records must be in writing, including in electronic form, and must be made available to the ICO on request. The records do not need to contain contact details of the supervisory authority, as this is not specified in Article 30. Nor do they need to be submitted to the ICO following every DPIA, as this is not required by Article 35, which only obliges the controller to consult the ICO prior to the processing if the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. References:
* Article 30 of the UK GDPR
* Article 35 of the UK GDPR

