Exin Privacy and Data Protection Foundation PDPF Exam Dumps: Updated Questions & Answers (October 2025)

The Article 20 of GDPR establishes the Right to data portability.

The second paragraph mentions:

In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

However, it is worth noting that the paragraph 1 of this article mentions:

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format…

The utterance explains that she requested that the data was transferred, that is why the correct answer is “The current gym should send all her data directly to the new gym.” (B)

Yet she has the right to request her own data, so if the utterance was referenced in that way, the correct answer would be: “The current gym should provide the data to her.” (D)

Article 6 legislates on the lawfulness of treatment and in it cites the 6 legal bases provided:

1 - the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

2- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering a contract

3 - processing is necessary for compliance with a legal obligation to which the controller is subject;

4- processing is necessary in order to protect the vital interests of the data subject or of another natural person;

5- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

6- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which requires protection of personal data, in particular where the data subject is a child.

The GDPR has 173 recitals. The Recitals introduce a better understanding of the law and its articles. The Articles, which are 99 in total, contain the mandatory requirements of the law.

When personal data is processed at a facility of the processor that is not located within the borders of the EEA. Incorrect. The location where the data is processed is of no significance to the obligation to notify data subjects of personal data breaches.

When personal data is processed by a party that agreed to the draft processing contract but has not yet sign it. Incorrect. Personal data processed by another party than the controller without a valid written contract is considered a personal data breach. In the given situation however, negative consequences for the data subjects are unlikely. Notifying the data subject is not obligatory in that case.

When the system on which the personal data is processed is attacked causing damage to its storage devices. Incorrect. Damage to storage devices will make access to the data difficult or even impossible but does not imply illegal processing.

When there is a significant probability that the breach will lead to a high risk for the privacy of the data subjects. Correct. If there is a significant probability of negative impact on the data subjects, the controller is obliged to notify them of the breach. (Literature: A, Chapter 5)

€ 10.000.000 or 2% of the annual global turnover, whichever is higher. Correct. This is the maximum according to the GDPR for infringement of the personal data breach notification obligation. (Literature: A, Chapter 7; GDPR Article 33)

€ 20.000.000 or 4% of the annual global turnover, whichever is higher. Incorrect. This fine is given for non- compliance or non-conformity to the basic principles for processing, including conditions for consent.

Up to € 500.000 with a minimum of € 120.000. Incorrect. This is an outdated number based on the Dutch Penal code. GDPR rules specify higher fines.

Up to € 820.000 with a minimum of € 350.000. Incorrect. This is an outdated number based on the Dutch Penal code. GDPR rules specify higher fines.

Article 28 of the GDPR in its paragraph 3 mentions:

This contract or other normative act stipulates, inter alia, that the subcontractor:

a)processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

b)ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

c)takes all measures required pursuant to Article 32;

d)respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;

e)taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;

f)assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;

g)at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;

h)makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

Recital 10 of GDPR states:

“Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member

States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation.”

It also says: “This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (‘sensitive data’).

However, this does not mean that Member States can approve a rule that goes against a GDPR guideline. Note that these national provisions are measures to increase the effectiveness of the law. Here is an example the case of Ireland where it was established that the DPO is responsible for data breaches, something that is not provided for in the GDPR.

Article 22 provides for this type of damage to the data subject and legislates on “Automated individual decisions, including profiling”:

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Data Life Cycle Management (DLM)

It aims to manage data flow throughout the lifecycle, from collection, processing, sharing, storage and deletion. Having the knowledge where the data travels, who is responsible, who has access, helps a lot to implement

security measures.