Scenario 1:MED is a healthcare provider located in Norway. It provides high-quality and affordable healthcare services, including disease prevention, diagnosis, and treatment. Founded in 1995, MED is one of the largest health organizations in the private sector. The company has constantly evolved in response to patients' needs.Patients that schedule an appointment in MED's medical centers initially need to provide their personal information, including name, surname, address, phone number, and date of birth. Further checkups or admission require additional information, including previous medical history and genetic dat
Answer(s): B
Under Article 17 of the General Data Protection Regulation (GDPR), also known as the "Right to be Forgotten," data subjects have the right to request the erasure of their personal data when:The data is no longer necessary for the purpose for which it was collected.The data subject withdraws consent (where processing was based on consent).The data was processed unlawfully.In this scenario, if the data is no longer necessary for the original purpose (e.g., if the patient has completed their treatment and there are no legal retention obligations), MED should erase the data. However, there are exceptions under GDPR, such as legal retention requirements for medical records under national healthcare regulations.Rejecting the request outright (Option A) is incorrect because GDPR requires controllers to assess whether retention is still necessary. Similarly, Option C is too restrictive because GDPR allows deletion even if no legal obligation mandates it. Option D is incorrect because indefinite retention is not permitted unless a valid justification exists.
GDPR Article 17 (Right to Erasure)Recital 65 (Clarification on when personal data can be erased)Article 5(1)(e) (Storage limitation principle)
Under Article 8 of the GDPR, the processing of personal data of children under 16 years is only lawful if parental or guardian consent is obtained. However, Member States can lower the age limit to 13 years if they choose.In this scenario, MED requires parental consent for children below 16 years, which aligns with GDPR requirements. Therefore, Option B is correct. Option A is incorrect because GDPR allows parental consent. Option C is incorrect because GDPR does not require explicit consent from the child when parental consent is given. Option D is incorrect because encryption alone does not determine compliance.
GDPR Article 8 (Conditions for children's consent)Recital 38 (Protection of children's data)
Answer(s): A
GDPR applies to any organization that processes personal data of individuals within the European Economic Area (EEA), regardless of the organization's location. Since MED is based in Norway, which is an EEA country, and processes personal health data, it must comply with GDPR.Option A is correct because GDPR applies to all controllers and processors within the EEA. Option B is misleading because while cloud-based software is relevant, the primary reason GDPR applies is MED's processing of personal data. Option C is incorrect because EFTA states (including Norway) are subject to GDPR. Option D is incorrect because GDPR applies to all personal data processing in the EEA.
GDPR Article 3 (Territorial Scope)Recital 22 (GDPR applies to EEA countries)
Answer(s): C
Under Article 5(1)(b) of GDPR, personal data must be collected for specific, explicit, and legitimate purposes and cannot be further processed in a manner incompatible with those purposes. Sharing medical data with an insurance company is a separate purpose and requires explicit consent or another lawful basis.
GDPR Article 5(1)(b) (Purpose limitation)
Under Article 18 of GDPR, the right to restriction of processing allows data subjects to request that processing of their personal data be limited under certain conditions, such as when accuracy is contested or processing is unlawful but the data subject opposes erasure.From the scenario, MED does not provide the option to restrict processing, as patients who request to stop processing are denied. This makes Option B correct. Option A is incorrect because MED does inform patients about data collection purposes. Option C is incorrect because medical data could be transferred to other institutions. Option D is incorrect because rectification of inaccurate data is a standard obligation.
GDPR Article 18 (Right to restriction of processing)GDPR Article 12 (Transparent communication with data subjects)
Share your comments for PECB GDPR exam with other users:
great about shared quiz
goood helping
pay attention to questions. they are very tricky. i waould say about 80 to 85% of the questions are in this exam dump.
wish you would allow more free questions
great simulation
very g inood
q35 should be a
sap c_ts450_2021
nice questions
ecellent materil for unserstanding
good so far
this is way too informative
very helpfull
q.189 - answers are incorrect.
awesome job in getting these questions
i cant find aws certified practitioner clf-c01 exam in aws website but i found aws certified practitioner clf-c02 exam. can everyone please verify the difference between the two clf-c01 and clf-c02? thank you
grazie mille. i got a satisfactory mark in my exam test today because of this exam dumps. sorry for my english.
some of the answers are incorrect. need to be reviewed.
so far so good
i am really liking it
thanks good stuff
need dump c_tadm_23
next time i will write a full review
first time using this site
please sent me oracle 1z0-1105-22 pdf
very helpful
good info about oml
very useful to practice
this website is very helpful.
good content
so challenging
17 should be d ,for morequery its scale out
nice question
yes.