BCS PDP9リアル試験問題解答は無料 [Q12-Q27]

Share

BCS PDP9リアル試験問題解答は無料

試験問題集でPDP9練習無料最新のBCS練習テスト

質問 # 12
A privacy notice MUST NOT contain

  • A. The purpose of the processing
  • B. The contact details of the controller
  • C. Details of the right to lodge a complaint with the supervisory authority
  • D. Details of the processor's staff

正解:D

解説:
Explanation
A privacy notice is a document that provides individuals with information about how their personal data is processed, as required by Article 13 and 14 of the UK GDPR5. A privacy notice must include the following information, among others:
* the identity and contact details of the controller and, where applicable, the controller's representative and the data protection officer;
* the purposes and legal basis of the processing;
* the categories of personal data concerned;
* the recipients or categories of recipients of the personal data, including any third parties or international organisations;
* where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;
* the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
* the existence of the rights of the data subject, such as the right to access, rectify, erase, restrict, object or port the data, and the conditions or limitations on those rights;
* the existence of the right to withdraw consent at any time, where the processing is based on consent;
* the right to lodge a complaint with a supervisory authority;
* whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
* the existence of automated decision-making, including profiling, and meaningful information about the
* logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
A privacy notice does not need to contain details of the processor's staff, as this is not relevant or necessary for the data subject to understand how their personal data is processed. However, the controller may need to inform the data subject if their personal data is shared with a processor, and provide the identity and contact details of the processor, as part of the information on the recipients or categories of recipients of the personal data. References:
* Article 13 and 14 of the UK GDPR5


質問 # 13
A company has twenty retail outlets in France and thirty retail outlets in Belgium The payroll department and the Data Protection Officer are based in Poland.The Company Board and administrative functions are based in Germany. Determine where the company's 'mainestablishment' would be

  • A. Germany
  • B. Poland
  • C. Belgium
  • D. France

正解:A

解説:
Explanation
The main establishment of a controller or a processor in the EU is the place where the decisions on the purposes and means of the processing of personal data are taken and implemented. According to Recital 36 of the GDPR, the main establishment of a controller with establishments in more than one Member State should be the place of its central administration in the EU, unless the decisions on the processing are taken in another establishment of the controller in the EU and the latter establishment has the power to have such decisions implemented, in which case the establishment havingtaken such decisions should be considered to be the main establishment. Similarly, the main establishment of a processor with establishments in more than one Member State should be the place of its central administration in the EU, or, if the processor has no central administration in the EU, the establishment of the processor in the EU where the main processing activities take place to the extent that the processor is subject to specific obligations under the GDPR. The main establishment is relevant for determining the lead supervisory authority, the applicable law, and the jurisdiction of the courts for cross-border processing of personal data. In this case, the company's main establishment would be Germany, as it is the place where the company board and administrative functions are based and where the decisions on the processing of personal data are likely to be taken and implemented.
References:
* Recital 36 of the GDPR8
* Article 4(16) of the GDPR9
* Article 56 of the GDPR


質問 # 14
Article 57 of the UK GDPR states that the tasks of the Commissioner include -Select the INCORRECT answer

  • A. Adopting consistency findings in cross-border data protection cases
  • B. Advising UK Parliament on issues related to the protection of personal data
  • C. Handling complaints raised by individuals/data subjects
  • D. Providing general guidance to clarify the law.

正解:A

解説:
Explanation
Article 57 of the UK GDPR states that the tasks of the Commissioner include handling complaints raised by individuals/data subjects, providing general guidance to clarify the law, and advising UK Parliament on issues related to the protection of personal data, among other tasks. However, adopting consistency findings in cross-border data protection cases is not a task of the Commissioner, but of the European Data Protection Board (EDPB), which is an independent body composed of the heads of the supervisory authorities of the EU and EEA member states and the European Data Protection Supervisor. The EDPB is responsible for ensuring the consistent application of the EU GDPR across the EU and EEA, and for issuing opinions and decisions on matters of general application or affecting more than one member state. The UK is no longer part of the EU or the EEA, and therefore the EDPB does not have jurisdiction over the UK GDPR or the Commissioner. The UK has its own mechanism for ensuring consistency and cooperation with other countries, which involves the Commissioner and the Secretary of State. References:
* Article 57 of the UK GDPR1
* Article 63 and 64 of the EU GDPR4
* ICO guidance on the UK GDPR and the EU GDPR5


質問 # 15
Describe the act of processing under the authority of a controller or processor as stipulated in UK GDPR Article 29.

  • A. Each processor and, where applicable, the processors representative shall maintain a record of all categories of processing activities earned out on behalf of a controller.
  • B. A processor shall not process those data except on instructions from the controller, unless required to do so by domestic law
  • C. The processor shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
  • D. The processor shall consult the supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the processor to mitigate the risk.

正解:B

解説:
Explanation
Article 29 of UK GDPR states that the processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by domestic law. This means that the processor must follow the controller's directions on how to handle the personal data, and cannot use it for its own purposes or deviate from the agreed terms. The only exception is when the processor is obliged by law to process the data in a different way, for example, to comply with a court order or a legal obligation. The other options are not related to Article 29, but to other articles of UK GDPR, such as Article 25 (data protection by design and by default), Article 30 (records of processing activities), and Article 36 (prior consultation). References:
* Article 29 of UK GDPR1
* ICO guidance on controllers and processors2


質問 # 16
Which of the following statements MOST accurately describes why a risk-based approach to the use of Al is necessary?

  • A. Al is inherently negative and its use should be limited
  • B. Al carries new and complex risks not present in other technologies
  • C. Al's benefits make accepting all arising risks necessary.
  • D. Al is unlawful

正解:B

解説:
Explanation
Artificial intelligence (AI) is the use of digital systems to perform tasks that would normally require human intelligence, such as recognition, decision making, learning and adaptation. AI can bring many benefits to society, such as innovation, efficiency, personalisation and convenience. However, AI also carries new and complex risks that are not present in other technologies, such as opacity, unpredictability, bias, discrimination, intrusion, manipulation and harm. These risks can affect the rights and freedoms of individuals, especially their data protection rights, such as privacy, transparency, fairness, accuracy and accountability. Therefore, a risk-based approach to the use of AI is necessary, which means identifying, assessing and mitigating the potential adverse impacts of AI on individuals and society, while balancing them with the benefits and opportunities. A risk-based approach also means complying with the relevant legal and ethical frameworks, such as the UK GDPR and the DPA 2018, and following the best practices and guidance issued by the ICO and other authorities on AI and data protection234. References:
* Guidance on AI and data protection2
* Explaining decisions made with AI3
* AI auditing framework4


質問 # 17
Which of the below would be the BEST example of processing that could utilise the Public Interest Task lawful basis?

  • A. A tax authority drops cookies on the devices of visitors to its website
  • B. A debt collection agency processing information relating to unpaid fines for misuse of community council car parking.
  • C. A local authority processing the personal information of the person responsible for paying council tax
  • D. A health authority processing the personal information of its staff in order to record all training undertaken

正解:C

解説:
Explanation
The public interest task lawful basis applies to the processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The relevant task or authority must have a clear basis in domestic law, such as a statutory power, a common law duty, or a function of the Crown, central or local government. The processing must also be necessary, meaning that there is no reasonable and less intrusive way to achieve the same purpose. The public interest task lawful basis is most relevant to public authorities, but it can also apply to any organisation that exercises official authority or carries out tasks in the public interest. In scenario C, a local authority processing the personal information of the person responsible for paying council tax is likely to rely on the public interest task lawful basis, as it is performing a task in the public interest that is laid down by law, namely the Local Government Finance Act 1992, and the processing is necessary for the collection and administration of council tax. In contrast, scenarios A, B and D are less likely to qualify for the public interest task lawful basis, as they do not involve a clear task or authority that is set out in law, or that serves the public interest. For example, a health authority processing the personal information of its staff in order to record all training undertaken may have a different lawful basis, such as legitimate interests or contractual necessity. A debt collection agency processinginformation relating to unpaid fines for misuse of community council car parking may not have any official authority or public interest justification for its processing. A tax authority dropping cookies on the devices of visitors to its website may not be able to demonstrate that the processing is necessary for its official functions, and may also need to comply with the Privacy and Electronic Communications Regulations (PECR) for the use of cookies. References:
* UK GDPR, Article 6 (1) (e) and (3)8
* ICO Guide to Data Protection, Public Task9
* Local Government Finance Act 199210


質問 # 18
Of the following options which is NOT a purpose of carrying out a Data Protection Impact Assessment (DPIA)?

  • A. It assists in identifying the main risks that may exist in any use of data, so that they can be mitigated
  • B. It fulfils a requirement that data protection is carried out by design and default.
  • C. It is key to the accountability element of the GDPR.
  • D. It is necessary to fulfil the requirement that all DPIAs are submitted to the ICO

正解:D


質問 # 19
What is the meaning of storage limitation in relation to UK GDPR Article 5 (1 )(e)?

  • A. Only storing data in locations within the EU. except where there is an adequacy decision.
  • B. Limiting the number of records stored in any single repository to minimise risk surface.
  • C. Storing data in a secure format only permitting access to those with a business need
  • D. Keeping identifiable personal data for no longer than is necessary for the intended processing

正解:D

解説:
Explanation
Storage limitation is one of the principles of data protection under the UK GDPR. It means that personal data should not be kept in a form that allows identification of data subjects for longer than is necessary for the purposes for which the data are processed. The UK GDPR does not specify any fixed time limits for different types of data, but rather requires data controllers to determine and justify the appropriate retention periods for their processing activities, taking into account factors such as the nature, scope, context and purposes of the processing, the risks to the rights and freedoms of data subjects, and the legal obligations and expectations of the data controller. Data controllers should also have a policy setting out standard retention periods where possible, and review the data they hold regularly to ensure that it is erased or anonymised when it is no longer needed. Data subjects have the right to request the erasure of their personal data if the data controller no longer has a lawful basis or a legitimate interest for keeping it. The UK GDPR allows for some exceptions to the storage limitation principle, such as when the personal data is processed solely forarchiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to appropriate safeguards for the rights and freedoms of data subjects. References:
* UK GDPR, Article 5 (1) (e) and (2)4
* UK GDPR, Article 175
* UK GDPR, Article 896
* ICO Guide to Data Protection, Storage Limitation7


質問 # 20
A company based in France uses a specialist IT support business in China The two companies have signed a Data Processing Agreement.The Chinese business provides specialist IT support for the French company's digital customer experience platform No personal data is sent to China, but employees of the Chinese business access the platform on a regular basis and have access to the databases that sit behind it.Which of the following statements is CORRECT in relation to the French company's requirements to ensure compliance with the GDPR?

  • A. There is a Data Processing Agreement in place therefore no transfer mechanism is needed
  • B. China provides an adequate level of protection for personal data, therefore no transfer mechanism is needed
  • C. No personal data is being transferred, therefore no transfer mechanism is needed
  • D. The French company must identify and implement an appropriate transfer mechanism

正解:D

解説:
Explanation
According to the GDPR, a transfer of personal data to a third country or an international organisation occurs when the personal data is made available to someone outside the EU and EEA, regardless of whether the data is physically sent or not. Therefore, the fact that the Chinese business accesses the platform and the databases that contain personal data of the French company's customers constitutes a transfer of personal data to China, which is a third country under the GDPR. The French company, as the controller of the personal data, must ensure that the transfer complies with the GDPR requirements and that the level of protection of the personal data is not undermined. This means that the French company must identify and implement an appropriate transfer mechanism, such as an adequacy decision, appropriate safeguards, or derogations for specific situations, as set out in Chapter V of the GDPR. A data processing agreement, although necessary to define the roles and responsibilities of the controller and the processor, is not sufficient to ensure the legality of the transfer, as it does not provide the same guarantees as the GDPR. China is not a country that has been recognised by the European Commission as providing an adequate level ofprotection for personal data, so the French company cannot rely on an adequacy decision either. References:
* Article 44 of the GDPR1
* ICO guidance on international transfers2


質問 # 21
What are Information Society Services'? Select the INCORRECT answer

  • A. A service provided for remuneration, by electronic means, at distance to an individual that has requested it.
  • B. Business to business online networking sites
  • C. An electronic information service provided to individuals but paid for solely by advertising
  • D. Information services provided by non-profit or government organisations with no remuneration

正解:D

解説:
Explanation
Information society services (ISS) are defined in Article 4(25) of the UK GDPR as "any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services". This means that ISS are online services that are paid for, either by the user or by another source of income, such as advertising or sponsorship, and that are provided without the parties being physically present, using electronic equipment for the transmission and reception of data, and upon the request of the user.
Examples of ISS include apps, programs, websites, search engines, social media platforms, online marketplaces, content streaming services, online games, and any other online services that offer goods or services to users over the internet. Therefore, options A, B and C are correct examples of ISS, as they meet the criteria of the definition. However, option D is not a correct example of ISS, as it does not involve any remuneration for the service provider. Information services provided by non-profit or government organisations with no remuneration are not considered ISS under the UK GDPR, unless they compete with other ISS on the market. References:
* UK GDPR, Article 4(25)4
* Services covered by this code5


質問 # 22
How does the GDPR relate to cookies?

  • A. The GDPR applies in all cases where cookies are used
  • B. The GDPR only applies where a cookie processes personal data
  • C. Where PECR is engaged only PECR will apply to the processing of personal data
  • D. Websites only need an opt out of cookies if GDPR applies

正解:C

解説:
Explanation
The GDPR and the Privacy and Electronic Communications Regulations (PECR) are two different but related legal frameworks that regulate the use of cookies and similar technologies. Cookies are small text files that are stored on the user's device when they visit a website or use an online service. Cookies can be used for various purposes, such as remembering user preferences, tracking user behaviour, delivering targeted advertising, or enabling online transactions. The GDPR applies to the processing of personal data by cookies and similar technologies, as they can be used to identify or single out individuals, either directly or indirectly. Personal data is any information relating to an identified or identifiable natural person, such as a name, an email address, a location data, or a cookie identifier. The GDPR requires data controllers to obtain the user's consent before using any cookies that are not strictly necessary for the functioning of the website or service, and to provide clear and transparent information about the purposes and legal basis of the processing, the categories and recipients of the personal data, the retention periods, and the rights of the data subjects. The GDPR also requires data controllers to implement appropriate technical and organisational measures to ensure the security and confidentiality of the personal data, and to comply with the principles of data protection by design and by default. The PECR are a set of UK-specific rules that implement the EU ePrivacy Directive, which is a complementary legislation to the GDPR that deals with the privacy and security of electronic communications.
The PECR apply to the use of cookies and similar technologies, as well as to the sending of marketing communications by phone, email, text, or fax, and to the provision of public electronic communications services and networks. The PECR require data controllers to obtain the user's consent before using any cookies or similar technologies, except those that are strictly necessary for the provision of an information society service requested by the user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network. The PECR also require data controllers to provide clear and comprehensive information about the purposes of the cookies or similar technologies, and to offer the user a way to refuse or withdraw their consent. The PECR do not apply to the processing of personal data by cookies or similar technologies, as this is covered by the GDPR. Therefore, the correct answer is C, as where PECR is engaged only PECR will apply to the use of cookies or similar technologies, but not to the processing of personal data by them. The other options are incorrect because:
* The GDPR does not only apply where a cookie processes personal data, but to any processing of personal data by any means, including cookies and similar technologies. The GDPR applies to the processing of personal data by cookies and similar technologies, regardless of whether they are strictly necessary or not, or whether they are first-party or third-party cookies. However, the GDPR does not apply to the use of cookies or similar technologies, as this is covered by the PECR.
* The GDPR does not apply in all cases where cookies are used, but only in cases where cookies are used to process personal data. The GDPR does not apply to the use of cookies or similar technologies that do not process personal data, such as those that are strictly necessary for the functioning of the website orservice, or those that do not identify or single out individuals. However, the PECR still apply to the use of cookies or similar technologies, regardless of whether they process personal data or not, except for some limited exemptions.
* Websites do not only need an opt out of cookies if GDPR applies, but also if PECR applies. The GDPR and the PECR both require data controllers to obtain the user's consent before using any cookies or similar technologies that are not strictly necessary, and to offer the user a way to refuse or withdraw their consent. The opt out of cookies is a mechanism that allows the user to exercise their right to object to the use of cookies or similar technologies, and to prevent the processing of their personal data by them. Websites need to provide an opt out of cookies in all cases where the user's consent is required, regardless of whether the GDPR or the PECR applies. References:
* GDPR, Article 4(1)5
* GDPR, Article 6(1)(a)6
* GDPR, Article 13 and 147
* GDPR, Article 328
* GDPR, Article 25
* PECR, Regulation 6
* PECR, Regulation 5


質問 # 23
What is the Employment Practices Code?

  • A. A statutory framework for implementing data protection training for employees.
  • B. A set of exemptions that can be used when processing data related to employees
  • C. Guidance on the requirements for employing a Data Protection Officer
  • D. Guidance on meeting legal requirements of data protection when employing staff

正解:D

解説:
Explanation
The Employment Practices Code is a guidance document issued by the ICO that provides recommendations on how to comply with the data protection principles and the rights of data subjects when processing personal data in the context of employment. The code covers various aspects of employment practices, such as recruitment and selection, employment records, monitoring at work, and information about workers' health.
The code is not legally binding, but it reflects the ICO's interpretation of the Data Protection Act and the UK GDPR, and it may be used as evidence in legal proceedings or investigations. The code is intended to help employers balance their legitimate interests in managing their workforce with the privacy rights of their workers. References:
* The Employment Practices Code
* Quick Guide to the Employment Practices Code


質問 # 24
If a complainant disagrees with the decision of the UK's supervisory authority, how do they appeal this decision?

  • A. To the European Data Protection Supervisor.
  • B. To the European Commission
  • C. To the Information Commissioner
  • D. To the First Tier Tribunal (Information Rights)

正解:D

解説:
Explanation
If a complainant disagrees with the decision of the UK's supervisory authority, which is the Information Commissioner's Office (ICO), they have the right to appeal to the First Tier Tribunal (Information Rights).
The tribunal is an independent body that can review the ICO's decision and either uphold it, vary it or cancel it. The tribunal can also direct the ICO to take certain actions, such as issuing a decision notice or an enforcement notice. The appeal must be lodged within 28 days of receiving the ICO's decision, using the notice of appeal form and providing the relevant documents and grounds for appeal. The tribunal will then notify the ICO and the complainant of the appeal and the procedure for dealing with it. The tribunal may hold a hearing to examine the evidence and arguments of both parties, or decide the case on the basis of written submissions only. The tribunal will issue a written decision, which will be sent to both parties and published on the tribunal's website. The tribunal's decision can be further appealed tothe Upper Tribunal on a point of law, with the permission of the First Tier Tribunal or the Upper Tribunal. References:
* Information rights and data protection: appeal against the Information Commissioner1
* Notice of appeal form2
* First Tier Tribunal (Information Rights) website3


質問 # 25
Who is entitled to a private life by law in the UK?

  • A. Nobody
  • B. Private individuals who do not conduct their business on public platforms (such as professional sports people and actors
  • C. All individuals save for Members of Parliament
  • D. All individuals.

正解:D

解説:
Explanation
The right to a private life is a fundamental human right that is protected by law in the UK. Article 8 of the European Convention on Human Rights (ECHR), which is incorporated into UK law by the Human Rights Act
1998, states that "Everyone has the right to respect for his private and family life, his home and his correspondence". This right applies to all individuals, regardless of their status, profession, or public exposure.
The right to a private life covers aspects such as personal identity, personal relationships, physical and mental well-being, personal data, and correspondence. However, this right is not absolute and can be limited or interfered with by the state or other parties in certain circumstances, such as for the protection of national security, public safety, health, morals, or the rights and freedoms of others. References:
* Article 8 of the ECHR1
* Human Rights Act 19982
* ICO Guide to Data Protection3


質問 # 26
In which of the following circumstances does a public authority NOT need to appoint a Data Protection Officer?

  • A. Where it processes special category data
  • B. Where it is a court acting in its judicial capacity
  • C. Where it is defined as a public body in the Data Protection Act 2018
  • D. Where it processes a large amount of personal data

正解:B

解説:
Explanation
Under Article 37 of the UK GDPR, a public authority or a public body must appoint a data protection officer (DPO) unless it is a court acting in its judicial capacity. This is the only exception for public authorities or bodies from the obligation to appoint a DPO. The other circumstances listed in the question, such as processing a large amount of personal data, processing special category data, or being defined as a public body in the Data Protection Act 2018, do not exempt a public authority or a public body from appointing a DPO.
References:
* Article 37 of the UK GDPR2
* Data protection officers | ICO2


質問 # 27
......


BCSデータ保護実務者資格証(PDP9)は、データ保護法および実践の知識と理解を評価する、世界的に認められた資格です。この試験は、データ保護、セキュリティ、およびプライバシーに関する問題を扱う専門家向けに設計されています。職場でのデータ保護規制とその実践的な適用の理解を証明したい個人に理想的です。

 

確認済みPDP9試験問題集と解答で時間限定無料提供!PDP9には正解付き:https://jp.fast2test.com/PDP9-premium-file.html


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어