[April 2024] The latest PDP9 exam question bank comes with a pass guarantee [Q22-Q46]



Questions updated on 29 April 2024 from the reliable BCS Practitioner PDP9 question bank PDF


The BCS Practitioner Certificate in Data Protection (PDP9) is a professional certification designed to assess the competence and skills of individuals who handle data protection in a range of organisations. The exam tests candidates' knowledge of data protection law and regulation, data management and governance, and risk management processes. The PDP9 certification is recognised globally and is administered by the British Computer Society (BCS).

 

Question # 22
What does NOT have an exemption prescribed under schedule 3 of the Data Protection Act 2018?

  • A. Social Work Data.
  • B. Education data, examination scripts and marks
  • C. Credit checking agency data
  • D. Health data

Correct answer: C

Explanation:
Schedule 3 of the Data Protection Act 2018 (DPA 2018) provides exemptions from some of the UK GDPR provisions for certain types of personal data processing, such as health data, social work data, education data, and child abuse data. These exemptions are intended to balance the rights and freedoms of data subjects with the public interest or the legitimate interests of data controllers in specific contexts. For example, the exemptions may allow data controllers to restrict the data subjects' access to their personal data, or to process their personal data without their consent, if complying with the UK GDPR would be likely to prejudice the purposes of the processing, such as the provision of health care, social work, education, or child protection.
However, Schedule 3 of the DPA 2018 does not provide any exemption for credit checking agency data, which is personal data processed by credit reference agencies for the purposes of assessing the creditworthiness of individuals or organisations, or preventing fraud or money laundering. Credit checking agency data is subject to the UK GDPR provisions as normal, unless another exemption applies. For example, credit reference agencies may rely on the crime and taxation exemption in Schedule 2, Part 1, paragraph 2 of the DPA 2018 if disclosing personal data to a data subject would be likely to prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders.
References:
* Data Protection Act 2018, Schedule 3
* ICO Guide to Data Protection, Exemptions
* ICO Guide to Data Protection, Credit


Question # 23
What are Information Society Services? Select the INCORRECT answer.

  • A. Information services provided by non-profit or government organisations with no remuneration
  • B. A service provided for remuneration, by electronic means, at distance to an individual that has requested it.
  • C. Business to business online networking sites
  • D. An electronic information service provided to individuals but paid for solely by advertising

Correct answer: A

Explanation:
Information society services (ISS) are defined in Article 4(25) of the UK GDPR, by reference to Article 1(1)(b) of Directive (EU) 2015/1535, as "any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services". The service must therefore be paid for, either by the user or from another source of income such as advertising or sponsorship; provided without the parties being simultaneously present; sent and received using electronic equipment for the processing and storage of data; and provided on the individual request of the user.
Examples of ISS include apps, websites, search engines, social media platforms, online marketplaces, content streaming services, online games and any other online service that offers goods or services to users over the internet. Options B, C and D therefore describe ISS: a service paid for by the recipient (B), a business-to-business online networking site (C) and a service funded solely by advertising (D) all satisfy the definition, because remuneration does not have to come from the user. Option A is the INCORRECT answer: information services provided by non-profit or government organisations with no remuneration of any kind are not ISS under the UK GDPR, unless they compete on the market with services that are provided for remuneration.
References:
* UK GDPR, Article 4(25)
* ICO Age appropriate design code, Services covered by this code


Question # 24
Which one task are supervisory authorities NOT required to carry out under Article 57(1)(f) of the UK GDPR? Select the CORRECT answer.

  • A. Investigate complaints and inform the complainant of the progress of their investigation
  • B. Co-ordinate where necessary with other supervisory authorities
  • C. Handle complaints lodged by a data subject
  • D. Mediate between the complainant and the entity against which the complaint has been lodged, to resolve the complaint

Correct answer: D

Explanation:
Article 57(1)(f) of the UK GDPR requires the supervisory authority (the ICO in the UK) to handle complaints lodged by a data subject, or by a body, organisation or association representing one, to investigate the subject matter of the complaint to the extent appropriate, and to inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary. It does not require the supervisory authority to mediate between the complainant and the controller or processor against which the complaint has been lodged in order to resolve the complaint. Mediation is not a task of the supervisory authority under Article 57, although an authority may in practice encourage an amicable resolution.
References:
* Article 57(1)(f) of the UK GDPR
* ICO and complaints


Question # 25
When were data protection rights first introduced into UK law?

  • A. 1984 (Data Protection Act 1984).
  • B. 2018 (Data Protection Act 2018)
  • C. 1992 (Data Protection Act 1992).
  • D. 2000 (Data Protection Act 1998)

Correct answer: A

Explanation:
Data protection rights were first introduced into UK law by the Data Protection Act 1984, which was enacted to implement the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) of 1981. The 1984 Act established a set of principles for the processing of personal data by data users, such as obtaining and processing personal data fairly and lawfully, keeping it accurate and not holding it for longer than necessary, and it applied only to automatically processed data.
It also created a system of registration for data users and a Data Protection Registrar (later renamed the Information Commissioner) to oversee and enforce the law. The 1984 Act was replaced by the Data Protection Act 1998, which transposed the EU Data Protection Directive 95/46/EC into UK law and extended the scope of data protection to cover structured manual records as well as automated processing; the 1998 Act came into force on 1 March 2000, which is why option D pairs that year with it. The 1998 Act was in turn repealed and replaced by the Data Protection Act 2018, which supplemented the EU General Data Protection Regulation (GDPR), now retained as the UK GDPR, implemented the Law Enforcement Directive, and made provision for specific processing situations such as national security, immigration and journalism.
References:
* Data Protection Act 1984
* Council of Europe Convention 108
* Data Protection Act 1998
* Data Protection Act 2018


Question # 26
Which of the following is NOT a key requirement of independent supervisory authorities?

  • A. They review DPIAs in cases of unmitigated high risk
  • B. They must operate independently.
  • C. They must provide each other with mutual assistance
  • D. Their leadership must change every four years

Correct answer: D

Explanation:
Independent supervisory authorities are public authorities that supervise, through investigative and corrective powers, the application of data protection law. They provide expert advice on data protection issues and handle complaints about infringements of the GDPR and the relevant national law. Chapter VI of the GDPR (Articles 51 to 59) sets out the key requirements for supervisory authorities and Chapter VII their duties of cooperation; in the UK these functions are performed by the ICO under the UK GDPR and the DPA 2018. The requirements include the following:
* They must act with complete independence, remain free from external influence, whether direct or indirect, and neither seek nor take instructions from anybody (Article 52).
* They must have adequate human, technical and financial resources to perform their tasks and exercise their powers effectively (Article 52).
* They must be consulted before processing where a data protection impact assessment indicates a high risk that the controller cannot mitigate (prior consultation, Article 36).
* They must provide each other with mutual assistance and cooperate with each other and, under the EU GDPR, with the European Data Protection Board to ensure consistent application of the Regulation (Articles 60 and 61).
* They must handle complaints lodged by data subjects or by bodies, organisations or associations representing them, and investigate the subject matter of the complaint to the extent appropriate (Article 57).
* They must be able to adopt binding decisions on the application of the Regulation and impose effective, proportionate and dissuasive administrative fines for infringements (Articles 58 and 83).
The GDPR does not require the leadership of a supervisory authority to change every four years. Article 54(1)(d) requires Member States to set by law a term of office of no less than four years, and Article 54(1)(e) leaves it to them whether, and how many times, a member may be reappointed. Article 53 requires members to be appointed by a transparent procedure by the parliament, the government, the head of state or an independent body entrusted with the appointment, and to act with integrity, refrain from any action incompatible with their duties and not engage in any incompatible occupation during or after their term of office. In the UK, the Information Commissioner's appointment and term are governed by Schedule 12 to the DPA 2018, which provides for a single term not exceeding seven years.
References:
* GDPR, Chapter VI
* ICO website, About the ICO


Question # 27
The Article 9(2)(c) UK GDPR condition for processing special category data in the vital interests of the data subject is only applicable in which of the following circumstances?

  • A. When another lawful basis applies.
  • B. When a data subject is incapacitated
  • C. When the data subject refuses to consent
  • D. When the data subject is physically unable to be present

Correct answer: B

Explanation:
Article 9(2)(c) of the UK GDPR allows the processing of special category data where it is necessary to protect the vital interests of the data subject or of another natural person and the data subject is physically or legally incapable of giving consent. This means that the data subject is unable to exercise their right to consent or object to the processing, for example because they are unconscious, in a coma, suffering from a severe mental disorder, or otherwise unable to communicate their wishes. The condition is intended to cover emergency situations, such as life-threatening medical interventions, where the data subject's consent cannot be obtained in time. It does not apply merely because another lawful basis applies, because the data subject is physically absent but still capable of giving consent, or because the data subject has refused consent; the condition cannot be used to override the refusal of an individual who is capable of deciding.
References:
* Article 9(2)(c) of the UK GDPR
* ICO guidance on special category data


Question # 28
Under the Privacy and Electronic Communications Regulations, organisations must NOT make marketing telephone calls to which of the following?

  • A. Any person who is registered with the Telephone Preference Service, unless they have given specific consent to receive your calls
  • B. Any person who has not consented to receiving marketing calls
  • C. Any person outside of the United Kingdom.
  • D. Any person under the age of 18, unless their parent or guardian has provided permission

Correct answer: A

Explanation:
The Privacy and Electronic Communications Regulations (PECR) are a set of rules that regulate the use of electronic communications for marketing purposes, such as phone calls, texts, emails and faxes. One of the rules (Regulation 21) is that organisations must not make unsolicited live marketing calls to individuals who have registered their numbers with the Telephone Preference Service (TPS), or who have told the caller directly that they object to such calls, unless the individual has given prior consent to receive calls from that organisation. The TPS is a free service that allows individuals to opt out of receiving marketing calls, and organisations are expected to screen their call lists against the TPS register before calling and to respect the preferences recorded on it. Live marketing calls are otherwise permitted on an opt-out basis, so option B overstates the rule; prior consent (opt-in) is required only for specific categories, such as calls about claims management services and pension schemes. If an organisation fails to comply, it may face enforcement action from the Information Commissioner's Office (ICO), which is the UK's data protection authority and the regulator of PECR.
References:
* Telephone Preference Service
* Marketing calls
* Enforcement action


Question # 29
When does a personal data breach need to be reported to a supervisory authority?

  • A. All personal data breaches must be reported to a supervisory authority
  • B. Where the personal data breach is likely to result in a risk to the rights and freedoms of natural persons.
  • C. When the controller's right of freedom of expression outweighs the data subject's right to a private home and family life.
  • D. Only where a disclosure is of special category data

Correct answer: B

Explanation:
Article 33 of the UK GDPR requires controllers to notify the supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. This means that not all personal data breaches need to be reported to the supervisory authority, only those that pose a risk to individuals. The risk should be assessed in terms of the potential negative consequences for individuals, such as discrimination, identity theft, fraud, financial loss, damage to reputation, loss of confidentiality, or any other significant economic or social disadvantage. The UK GDPR also requires controllers to communicate the personal data breach to the affected data subjects without undue delay, where the breach is likely to result in a high risk to their rights and freedoms. The other options are incorrect because:
* The UK GDPR does not require all personal data breaches to be reported to the supervisory authority, only those that pose a risk to individuals. However, controllers must document all personal data breaches, regardless of whether they are reported or not, as part of their accountability obligations.
* The UK GDPR does not make a distinction between personal data and special category data when it comes to reporting personal data breaches. Special category data is a type of personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that concerns health, sex life or sexual orientation, or biometric or genetic data for the purpose of uniquely identifying a natural person. The processing of special category data is subject to stricter conditions and safeguards under the UK GDPR, but the reporting of personal data breaches involving such data is subject to the same criteria as any other personal data breach, namely the risk to individuals.
* The UK GDPR does not provide an exemption from reporting personal data breaches based on the controller's right of freedom of expression. Freedom of expression is a fundamental right with which data protection law must be reconciled, but it does not override the rights and freedoms of data subjects. Article 85 of the UK GDPR, given effect by Part 5 of Schedule 2 to the DPA 2018, provides exemptions from certain provisions for processing carried out for journalistic, academic, artistic or literary purposes where applying those provisions would be incompatible with those purposes. The exemption applies only to the provisions it lists, and the Article 33 duty to notify the supervisory authority is not one of them. Option C also misstates the law: the balancing exercise is between freedom of expression and the right to respect for private and family life, and it is not a criterion for breach reporting.
References:
* UK GDPR, Article 33
* UK GDPR, Article 34
* UK GDPR, Article 9
* UK GDPR, Article 85
* DPA 2018, Schedule 2, Part 5


Question # 30
A privacy notice MUST NOT contain

  • A. The purpose of the processing
  • B. The contact details of the controller
  • C. Details of the right to lodge a complaint with the supervisory authority
  • D. Details of the processor's staff

Correct answer: D

Explanation:
A privacy notice is a document that provides individuals with information about how their personal data is processed, as required by Articles 13 and 14 of the UK GDPR. A privacy notice must include the following information, among others:
* the identity and contact details of the controller and, where applicable, the controller's representative and the data protection officer;
* the purposes and legal basis of the processing;
* the categories of personal data concerned;
* the recipients or categories of recipients of the personal data, including any third parties or international organisations;
* where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;
* the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
* the existence of the rights of the data subject, such as the right to access, rectify, erase, restrict, object or port the data, and the conditions or limitations on those rights;
* the existence of the right to withdraw consent at any time, where the processing is based on consent;
* the right to lodge a complaint with a supervisory authority;
* whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
* the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
A privacy notice does not need to contain details of the processor's staff, as this is neither relevant nor necessary for the data subject to understand how their personal data is processed. However, the controller may need to inform the data subject that their personal data is shared with a processor, and may identify the processor, as part of the information on the recipients or categories of recipients of the personal data.
References:
* Articles 13 and 14 of the UK GDPR


Question # 31
A company based in France uses a specialist IT support business in China. The two companies have signed a Data Processing Agreement. The Chinese business provides specialist IT support for the French company's digital customer experience platform. No personal data is sent to China, but employees of the Chinese business access the platform on a regular basis and have access to the databases that sit behind it. Which of the following statements is CORRECT in relation to the French company's requirements to ensure compliance with the GDPR?

  • A. There is a Data Processing Agreement in place therefore no transfer mechanism is needed
  • B. No personal data is being transferred, therefore no transfer mechanism is needed
  • C. The French company must identify and implement an appropriate transfer mechanism
  • D. China provides an adequate level of protection for personal data, therefore no transfer mechanism is needed

Correct answer: C

Explanation:
Under the GDPR, a transfer of personal data to a third country or an international organisation occurs when personal data are made available to a recipient outside the EU and EEA, whether or not the data are physically sent: remote access from a third country to data held in the EU is a transfer. The Chinese business's employees accessing the platform and the databases behind it, which hold personal data of the French company's customers, therefore constitutes a transfer of personal data to China, a third country under the GDPR. The French company, as controller, must ensure that the transfer complies with Chapter V of the GDPR so that the level of protection of the personal data is not undermined. This means it must identify and implement an appropriate transfer mechanism: an adequacy decision (Article 45), appropriate safeguards such as the European Commission's Standard Contractual Clauses or binding corporate rules (Article 46), or, in narrow cases, a derogation for specific situations (Article 49). A data processing agreement under Article 28 is necessary to define the roles and responsibilities of the controller and the processor, but it is not a Chapter V transfer tool and does not by itself legitimise the transfer, so option A is wrong. China has not been recognised by the European Commission as providing an adequate level of protection for personal data, so option D is wrong, and option B is wrong because remote access is itself a transfer.
References:
* Article 44 of the GDPR
* ICO guidance on international transfers


Question # 32
How does the GDPR relate to cookies?

  • A. The GDPR only applies where a cookie processes personal data
  • B. The GDPR applies in all cases where cookies are used
  • C. Websites only need an opt out of cookies if GDPR applies
  • D. Where PECR is engaged only PECR will apply to the processing of personal data

Correct answer: D

Explanation:
The GDPR (in the UK, the UK GDPR) and the Privacy and Electronic Communications Regulations (PECR) are two different but related legal frameworks that regulate the use of cookies and similar technologies. Cookies are small text files stored on the user's device when they visit a website or use an online service, and are used for purposes such as remembering user preferences, tracking user behaviour, delivering targeted advertising and enabling online transactions.
PECR implements the EU ePrivacy Directive in the UK and is the specific law for cookies. Regulation 6 of PECR provides that a person must not store information, or gain access to information stored, in a user's terminal equipment unless the user has been given clear and comprehensive information about the purposes of the storage or access and has consented. The only exemptions are cookies used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, and cookies strictly necessary to provide an information society service requested by the user. This rule applies whether or not the cookie contains personal data. Consent under PECR takes its meaning from the UK GDPR, so it must be a freely given, specific, informed and unambiguous opt-in indication; pre-ticked boxes, continued browsing or an opt-out alone do not satisfy it.
The GDPR applies wherever personal data are processed. Because cookie identifiers, IP addresses and similar online identifiers can single out individuals, information read from a cookie will often be personal data (Article 4(1)), and any processing based on it, such as profiling for advertising, must then satisfy the data protection principles, the lawfulness requirement (Article 6), the transparency duties (Articles 13 and 14), and the security and data protection by design obligations (Articles 25 and 32).
Where the two regimes overlap, the specific PECR rule takes precedence: whether a cookie may be set or read is decided under PECR Regulation 6, not under a GDPR lawful basis, and the ICO's guidance is that where PECR requires consent for a cookie you cannot instead rely on another UK GDPR lawful basis such as legitimate interests for setting it. This is the sense in which option D is the correct answer. In practice a practitioner should treat the regimes as cumulative: once personal data obtained through a cookie are further processed, the GDPR governs that processing. The other options are incorrect because:
* Option A: the GDPR is not a cookie-specific law. It applies to any processing of personal data by any means, and the question of whether a cookie may be set at all is governed by PECR, so the statement misdescribes how the two laws fit together.
* Option B: the GDPR does not apply in every case where cookies are used. A cookie that stores no personal data and cannot be used to single out an individual falls outside the GDPR, although PECR still applies to it unless one of the Regulation 6 exemptions is met.
* Option C: an opt-out is not sufficient. For any cookie that is not strictly necessary, PECR requires prior consent, so websites need an opt-in mechanism together with a simple way to withdraw consent, regardless of whether the GDPR also applies.
References:
* GDPR, Article 4(1)
* GDPR, Article 6(1)(a)
* GDPR, Articles 13 and 14
* GDPR, Article 32
* GDPR, Article 25
* PECR, Regulation 6
* PECR, Regulation 5


Question # 33
Of the following options which is NOT a purpose of carrying out a Data Protection Impact Assessment (DPIA)?

  • A. It is necessary to fulfil the requirement that all DPIAs are submitted to the ICO
  • B. It is key to the accountability element of the GDPR.
  • C. It fulfils a requirement that data protection is carried out by design and default.
  • D. It assists in identifying the main risks that may exist in any use of data, so that they can be mitigated

Correct answer: A


Question # 34
What is the Employment Practices Code?

  • A. A set of exemptions that can be used when processing data related to employees
  • B. Guidance on meeting legal requirements of data protection when employing staff
  • C. A statutory framework for implementing data protection training for employees.
  • D. Guidance on the requirements for employing a Data Protection Officer

Correct answer: B

Explanation:
The Employment Practices Code is a guidance document issued by the ICO that provides recommendations on how to comply with the data protection principles and the rights of data subjects when processing personal data in the context of employment. The code covers recruitment and selection, employment records, monitoring at work, and information about workers' health.
The code is not legally binding, but it reflects the ICO's interpretation of the law and may be referred to in legal proceedings or investigations. It was written under the Data Protection Act 1998, and the ICO has been replacing it with topic-specific employment guidance written for the UK GDPR and the DPA 2018 (for example its guidance on monitoring workers), so practitioners should check the current ICO material rather than rely on the code alone. The code is intended to help employers balance their legitimate interests in managing their workforce with the privacy rights of their workers.
References:
* The Employment Practices Code
* Quick Guide to the Employment Practices Code


Question # 35
Which of the following statements MOST accurately describes the potential impact of AI on the principle of transparency?

  • A. Transparency requirements do not apply to AI, as there is a relevant exemption
  • B. Data subjects should generally expect AI to be present in processing activities
  • C. Transparency requirements do not apply to AI, as it is always compatible with original purposes
  • D. AI can lead to invisible processing, with data subjects not being aware of its presence.

Correct answer: D

Explanation:
The principle of transparency requires that any processing of personal data is fair, lawful and transparent to the data subjects. This means that data subjects should be informed about the existence, nature, purpose and consequences of the processing, as well as their rights and choices regarding their data. Transparency is essential for accountability, trust and compliance in data processing. However, the use of AI can pose challenges to this principle, because AI can lead to invisible processing, with data subjects not being aware of its presence, or of the logic, significance and implications of the processing. For example, AI can be used to profile, infer, predict or influence the behaviour, preferences, interests, emotions or personality of data subjects without their knowledge, and to make automated decisions that affect them, such as credit scoring, recruitment, health diagnosis or social benefits, without providing meaningful explanations or opportunities for human intervention. It is therefore important to ensure that data subjects are informed and empowered when AI is involved in the processing of their data, and that they can exercise their rights, such as the rights to access, rectify, object, restrict, erase or port their data, and the right to challenge or contest automated decisions.
References:
* ICO, Guidance on AI and data protection
* ICO, Explaining decisions made with AI


Question # 36
Where a processor engages another processor ("sub-processor") to carry out processing activities on behalf of a controller, which of the following statements is CORRECT?

  • A. The processor may use the sub-processor without the written authorisation of the controller if the processing is deemed to be low risk.
  • B. The processor may use the sub-processor without the written authorisation of the controller if the sub-processor signs a contract which reflects the same obligations as the contract with the controller
  • C. The processor may use the sub-processor without the written authorisation of the controller if it adheres to an approved code of conduct
  • D. The processor must receive prior written authorisation to use the sub-processor

Correct answer: D

Explanation:
Article 28(2) of the UK GDPR states that a processor shall not engage another processor without the prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor must inform the controller of any intended changes concerning the addition or replacement of other processors, giving the controller the opportunity to object to such changes. Article 28(4) adds that where a processor engages another processor ("sub-processor") for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor must be imposed on the sub-processor by way of a contract or other legal act under domestic law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the UK GDPR, and that the initial processor remains fully liable to the controller for the sub-processor's performance. The other options are incorrect: a processor cannot use a sub-processor without the controller's written authorisation, regardless of whether it adheres to an approved code of conduct, signs a back-to-back contract with the same obligations, or considers the processing to be low risk. The flow-down contract and the controller's authorisation are cumulative requirements, not alternatives.
References:
* Article 28(2) and 28(4) of the UK GDPR
* ICO guidance on contracts and liabilities between controllers and processors


Question # 37
Which of the following statements are CORRECT about records of processing?
A. It must contain contact details for the Data Protection Officer where applicable.
B. It must be submitted to the Information Commissioner's Office following every Data Protection Impact Assessment.
C. It is mandatory for all data processors.
D. The controller or the processor must make the record available to the supervisory authority on request.
E. It must contain contact details for the supervisory authority.

  • A. A, C and D
  • B. A, C, D and E
  • C. B, C and D
  • D. A, C and E

Correct answer: A

Explanation:
Article 30 of the UK GDPR requires both controllers and processors to maintain records of their processing activities, unless they are exempted under certain conditions. The records must contain the following information, among others:
* the name and contact details of the controller or the processor, and of any joint controller, representative or data protection officer;
* the purposes of the processing;
* the categories of data subjects and personal data;
* the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
* where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards;
* where possible, the envisaged time limits for erasure of the different categories of data;
* where possible, a general description of the technical and organisational security measures.
The records must be in writing, including in electronic form, and must be made available to the ICO on request (Article 30(4)), so statement D is correct. Statement A is correct because the contact details of the data protection officer are required where one has been designated. Statement E is incorrect: Article 30 does not require the record to contain the supervisory authority's contact details. Statement B is incorrect: records are not submitted to the ICO after every DPIA; Article 35 requires a DPIA for high-risk processing, and Article 36 requires prior consultation with the ICO only where the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate it. Statement C is treated as correct for exam purposes; note, however, that Article 30(5) exempts organisations with fewer than 250 employees unless the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special category or criminal offence data, conditions which in practice catch most processors.
References:
* Article 30 of the UK GDPR
* Articles 35 and 36 of the UK GDPR


Question # 38
How are data sharing practices governed by data protection law?

  • A. Data sharing practices are covered in the DPA 2018, supported by a statutory Code of Practice that provides specific guidance
  • B. Data sharing practices are covered by the Freedom of Information Act
  • C. Data sharing practices are not specifically regulated, however the ICO provide best practice guidance
  • D. Data sharing practices are subject to the PECR until the new statutory Code of Practice is published

Correct answer: A

Explanation:
Data sharing is the disclosure of personal data from one or more organisations to a third party organisation or organisations, or the sharing of personal data within an organisation. Data sharing practices are governed by data protection law, which includes the UK GDPR and the Data Protection Act 2018 (DPA 2018). Section 121 of the DPA 2018 requires the Information Commissioner to prepare a statutory code of practice on data sharing, and the ICO has published the Data Sharing Code of Practice, which provides practical guidance on how to share data in a fair, safe and transparent way, in compliance with the data protection principles and the rights of data subjects. Under section 127 of the DPA 2018, failing to follow the code does not of itself make an organisation liable, but the code is admissible in evidence and the ICO and the courts must take it into account where it is relevant. The code also contains useful tools, case studies and examples to help organisations share data effectively and responsibly. Neither the Freedom of Information Act, which governs public access to information held by public authorities, nor PECR, which governs electronic marketing and cookies, regulates data sharing.
References:
* Data Sharing Code of Practice


Question # 39
......

