To advise the controller on the mitigation of privacy risks to protect the controller from liability

claims for non-compliance. Incorrect. The supervisory authority has the task to monitor compliance

and to advise on enhancements, but its purpose is not to protect the controller.

To fulfill the obligation in the GDPR to implement appropriate technical and organizational measures

for data protection. Incorrect. The audit is not the implementation of the measures, but an

assessment of the effectiveness of them.

To monitor and enforce the application of the GDPR by assessing that processing is performed in

compliance with the GDPR. Correct. According to the GDPR this is an important task of a supervisory

authority. (Literature: A, Chapter 7; GDPR Article 57 (1)(a))

The hospital in A can send the data directly to hospital B, as requested by the patient. Correct. The right to portability allows this. (Literature: A, Chapter 3) The hospital in A can send the file to hospital B, before the patient has requested it. Incorrect. The hospital in B can only acquire the file from A with consent or if it is in the vital interest of the data subject and consent cannot be obtained. The hospital in A can send the medical file to the data subject, but not to another hospital. Incorrect. The data subject can ask for the data to be sent directly. The hospital in A cannot send the file, because there is no legitimate ground for processing. Incorrect. A request, which implies consent, of the data subject is a sufficient legitimate ground.

Data breach categories:

Material: Loss of equipment or material with data, lost file folders, lost smartphones, etc.

Verbal: Indiscretion, shoulder surfing, intentional leakage of sensitive information, etc.

Digital (not material): Backdoors, incorrect coding, maladministration (e.g., patch management),

insufficient security measures, card cloning etc.

GDPR does not apply to the use of personal data for domestic purposes, however in this example the

controller is the Social Network, as it performs the processing of the photos. Therefore, the owner

has the right to delete this photo.

For domestic purposes, data collection is not intended for professional or commercial purposes.

Examples are the get-togethers of friends and family where we can collect names, phone numbers,

e-mails to facilitate the organization, as well as taking pictures to record the moment. Now if you

have a blog where you can record several moments with your friends and you monetize it in some

way – watch out! – you are under the scope of GDPR.

Whereas Recital 18: “This Regulation does not apply to the processing of personal data by a natural

person in the course of a purely personal or household activity and thus with no connection to a

professional or commercial activity. Personal or household activities could include correspondence

and the holding of addresses, or social networking and online activity undertaken within the context

of such activities. However, this Regulation applies to controllers or processors which provide the

means for processing personal data for such personal or household activities.”

Article 83 of GDPR

5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to

administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total

worldwide annual turnover of the preceding financial year, whichever is higher...

Article 51 of GDPR

2. Each supervisory authority shall contribute to the consistent application of this Regulation

throughout the

Union.

Data protection and privacy are synonyms and have the same meaning. Incorrect. Data protection

helps to protect a person’s privacy, but the terms are not synonyms.

Data protection is the part of privacy that protects a person’s physical integrity. Incorrect. Data

protection is not related to physical integrity or physical privacy.

Data protection refers to the measures needed to protect a person’s privacy. Correct. Data protection

are some of the measures needed to protect a person’s privacy. (Literature: A, Chapter 1)

€ 10.000.000 or 2% of the annual global turnover, whichever is higher. Correct. This is the maximum

according to the GDPR for infringement of the personal data breach notification obligation.

(Literature: A, Chapter 7; GDPR Article 33)

€ 20.000.000 or 4% of the annual global turnover, whichever is higher. Incorrect. This fine is given for

non- compliance or non-conformity to the basic principles for processing, including conditions for

consent.

Up to € 500.000 with a minimum of € 120.000. Incorrect. This is an outdated number based on the

Dutch Penal code. GDPR rules specify higher fines.

Up to € 820.000 with a minimum of € 350.000. Incorrect. This is an outdated number based on the

Dutch Penal code. GDPR rules specify higher fines.