Data Protection & GDPR Quiz
Here are various questions about data protection and GDPR, compiled from the provided sample tests and
examinations.
1. What is Personal Data?
• Question: Which one of the following is an example of personal data?
o a. The medical records of a deceased person.
o b. The share price of a company on the stock market.
o c. The job description for a personal assistant role.
o d. The location data on a person's mobile phone.
• Correct Answer: d. The location data on a person's mobile phone.
o Explanation: Personal data is defined as any information relating to an identified or identifiable
natural person (data subject), such as location data on a mobile phone. Medical records of a
deceased person are generally not considered personal data under these regulations.
2. Purpose of Data Protection
• Question: The purpose of data protection is to protect:
o a. A company's right to privacy in relation to its financial performance.
o b. A person's right to withhold personal information from the tax authorities.
o c. A government's right to withhold information from its citizens in relation to its budget.
o d. A person's right to privacy in relation to the processing of their personal data.
• Correct Answer: d. A person's right to privacy in relation to the processing of their personal data.
o Explanation: The primary purpose of data protection regulations is to protect an individual's right to
privacy concerning how their personal data is processed, ensuring they maintain control over their
information. The right to privacy is about protecting the freedom to live a personal life free from
unwanted or unnecessary intrusion.
3. Supervisory Authority
• Question: Which one of the following is the independent public authority in a European Union member state
whom a data subject can contact in relation to data protection regulations?
o a. Data protection officer.
o b. Data controller.
o c. Supervisory authority.
o d. Data subject.
• Correct Answer: c. Supervisory authority.
o Explanation: The Supervisory Authority is the independent public authority in an EU member state
that is responsible for overseeing and enforcing data protection regulations, such as the GDPR, and
to which data controllers must report breaches.
4. Scope of GDPR
• Question: Which one of the following does the General Data Protection Regulation apply to?
o a. Lawyers recording personal data as part of criminal prosecutions.
o b. Individuals storing records relating to household expenses in a file.
o c. Military officials processing personal data for national security activities.
o d. Social networks recording personal data gathered from online activity.
• Correct Answer: d. Social networks recording personal data gathered from online activity.
o Explanation: The General Data Protection Regulation (GDPR) is a law governing personal data
processing that is enforceable in the European Economic Area and aimed at protecting the personal
data and privacy of individuals within the EU and EEA. It applies to commercial and other
processing of personal data, such as social networks recording personal data gathered from online
activity, especially where it concerns individuals within the European Economic Area.
5. Transparency Principle
• Question: The General Data Protection Regulation requires that organisations process personal data in a
transparent manner in relation to individuals, which means processing:
o a. In a way that is considered fair.
o b. In a way that makes clear when and why data is collected.
o c. In a way that is consistent with the law.
o d. In a way that prevents international data transfers.
• Correct Answer: b. In a way that makes clear when and why data is collected.
o Explanation: The principle of transparency under GDPR means organizations must process personal
data in a way that clearly indicates when and why data is collected, allowing individuals to
understand how their information is being used.
6. Data Minimisation Principle
• Question: Which one of the following best describes the principle of data minimisation?
o a. Personal data shall be adequate, relevant, and limited to what is necessary for processing.
o b. Personal data shall be kept accurate and up to date and erased or rectified if necessary.
o c. Personal data shall be processed in a way that preserves its security.
o d. Personal data shall be collected for a specified, explicit, and legitimate purpose.
• Correct Answer: a. Personal data shall be adequate, relevant, and limited to what is necessary for
processing.
o Explanation: The principle of data minimisation dictates that personal data collected should be
adequate, relevant, and limited to what is strictly necessary for the purpose of processing, advising
organizations to avoid collecting excessive data.
7. Storage Limitation Principle
• Question: Which one of the following describes the principle of storage limitation?
o a. Personal data shall be collected for a specified, explicit, and legitimate purpose and not further
processed.
o b. Personal data shall be processed in a manner that preserves its security.
o c. Personal data shall be kept no longer than is needed for the purposes of processing.
o d. Personal data shall be kept correct and up to date and erased or rectified if required.
• Correct Answer: c. Personal data shall be kept no longer than is needed for the purposes of processing.
o Explanation: The principle of storage limitation means that personal data should be kept only as
long as necessary for its specific processing purposes. Once the purpose is fulfilled, the data should
be erased or anonymised.
8. Accountability Principle
• Question: Which one of the following describes the principle of accountability?
o a. Personal data shall be kept correct and current, and erased or rectified if necessary.
o b. Personal data shall be processed in a manner that guarantees appropriate security of the data.
o c. Personal data shall be adequate, relevant, and limited to what is necessary for the purpose of
processing.
o d. The data controller shall be responsible for, and be able to show, compliance with other data
protection principles.
• Correct Answer: d. The data controller shall be responsible for, and be able to show, compliance with
other data protection principles.
o Explanation: Accountability, as a principle under data protection regulations, means the data
controller is responsible for and must be able to demonstrate compliance with other data protection
principles.
9. Agreement Between Data Controller and Processor
• Question: A data controller uses an external party to process personal data. A legal agreement that covers
compliance with data protection regulations and protects the rights of the data subject must exist between:
o a. The data processor and the data subject.
o b. The data processor and the data controller.
o c. The data controller, data subject, and data processor.
o d. The data subject and the supervisory authority.
• Correct Answer: b. The data processor and the data controller.
o Explanation: This legal agreement is crucial to ensure both parties understand their responsibilities
regarding data protection and to protect the data subject's rights. A data controller determines the
purposes and means of processing personal data, while a data processor processes personal data on
behalf of the data controller.
10. Importance of Privacy Notices
• Question: When collecting personal data, it is very important to provide privacy notices that:
o a. Plainly outline how any requests for refunds or exchanges are processed.
o b. Clearly describe how an individual's information is processed and their related rights.
o c. Comprehensively explain the origin and rationale for privacy laws.
o d. Technically describe the features and benefits of any products or services offered.
• Correct Answer: b. Clearly describe how an individual's information is processed and their related rights.
o Explanation: Privacy notices are statements provided to individuals when collecting personal data
that clearly describe how their information is processed and their related rights.
11. Right of Access
• Question: If you receive an e-mail from an individual requesting confirmation that their personal data is
being processed, which one of the following are they exercising?
o a. The right to restrict processing.
o b. The right to rectification.
o c. The right to erasure.
o d. The right of access.
• Correct Answer: d. The right of access.
o Explanation: The right of access is the right of a data subject to obtain confirmation from a data
controller as to whether personal data concerning them is being processed, and, if so, to access that
personal data.
12. Right to be Forgotten (Right to Erasure)
• Question: Which one of the following best describes the right to be forgotten?
o a. The right to restrict the processing of personal data.
o b. The right to request a copy of personal data being processed.
o c. The right to revise personal data if it is inaccurate or incomplete.
o d. The right to delete personal data when processing is over.
• Correct Answer: d. The right to delete personal data when processing is over.
o Explanation: The right to be forgotten, also known as the right to erasure, is the right to delete
personal data when processing is no longer necessary or legitimate.
13. Right to Data Portability
• Question: A data subject asks a data controller for their personal data in a machine-readable format that
they can reuse for their own purposes across various online services. Which one of the following rights are
they exercising?
o a. The right to restrict processing.
o b. The right of access.
o c. The right to rectification.
o d. The right to data portability.
• Correct Answer: d. The right to data portability.
o Explanation: The right to data portability is the right of a data subject to receive their personal data
in a machine-readable format and to transmit it to another data controller without hindrance.
14. Addressing Risk in Data Processing
• Question: Which one of the following is the most appropriate way to address the risk to personal data from
data processing while still meeting organisational goals?
o a. Inform the supervisory authority of data processing activities.
o b. Change processing activities to exclude personal data.
o c. Check the effectiveness of existing data protection measures.
o d. Write privacy statements in a clear, concise and transparent language.
• Correct Answer: c. Check the effectiveness of existing data protection measures.
15. Technical Measure for Cloud Security
• Question: Which one of the following is an appropriate technical measure to reduce the risk of unauthorised
access to personal data when processing data using cloud computing?
o a. Collect documents from the printer immediately.
o b. Shred documents immediately when no longer needed.
o c. Only allow authorised staff to access cloud accounts.
o d. Use security measures to access the premises.
• Correct Answer: c. Only allow authorised staff to access cloud accounts.
16. Definition of a Personal Data Breach
• Question: Which one of the following constitutes a breach of personal data?
o a. A flaw in processes that could possibly lead to personal data being revealed.
o b. A failure in security that results in the accidental disclosure of corporate financial data.
o c. A failure in security that leads to the accidental disclosure of personal data stored by a data
processor.
o d. A failure in procedures that results in the accidental disclosure of anonymised data.
• Correct Answer: c. A failure in security that leads to the accidental disclosure of personal data stored by a
data processor.
o Explanation: A personal data breach is defined as a failure in security that leads to the accidental or
unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that has
been transmitted, stored, or otherwise processed.
17. Data Controller's Action for High-Risk Breach
• Question: If a personal data breach occurs and the data subject's rights and freedoms are at high risk, the
data controller must:
o a. Inform the affected data subject without undue delay.
o b. Publish an apology on the organisation's website.
o c. Publish a full public list of all categories of data processed.
o d. Inform the police force in the organisation's country.
• Correct Answer: a. Inform the affected data subject without undue delay.
o Explanation: Prompt notification is crucial to allow individuals to take necessary precautions when
their rights and freedoms are at high risk due to a data breach.
18. Complaining about Direct Marketing
• Question: You wish to complain about how your personal data was used to market products directly to you.
Which one of the following actions should you take?
o a. Make a complaint to your local police authority.
o b. Make a complaint only to the data processor.
o c. Make a complaint to your data protection supervisory authority.
o d. Make a complaint to the European Commission.
• Correct Answer: c. Make a complaint to your data protection supervisory authority.
o Explanation: The Supervisory Authority is the independent public authority in an EU member state
that a data subject can contact regarding data protection regulations.
Additional Questions from Data Protection Exam All Questions.pdf:
19. Definition of Data Processing
• Question: Which one of the following is considered data processing in relation to personal data?
o a. Creating an original piece of work.
o b. Playing a game on a computer.
o c. Stealing personal possessions.
o d. Storing patients' records.
• Correct Answer: d. Storing patients' records.
o Explanation: Processing of personal data includes any operation or set of operations performed on
personal data, whether or not by automated means, such as storing patient records.
20. Example of Manual Data Processing
• Question: Which one of the following is an example of manual data processing in a hotel environment?
o a. Generating guests' bills electronically.
o b. Storing guests' details in a database.
o c. Using online booking engines.
o d. Storing physical copies of guests' details in a filing cabinet.
• Correct Answer: d. Storing physical copies of guests' details in a filing cabinet.
21. Potential Risk to Personal Data
• Question: You work on a team in the motor tax department. Which one of the following is a potential risk
relating to personal data?
o a. Verifying a customer's identity before processing their payment.
o b. Theft of personal data from an unlocked filing cabinet.
o c. Backing up data on a regular basis.
o d. Deleting personal information that is no longer needed.
• Correct Answer: b. Theft of personal data from an unlocked filing cabinet.
22. Potential Risk for Individuals from Data Processing
• Question: Which one of the following is a potential risk for individuals from personal data processing?
o a. Reduced customer satisfaction.
o b. Fraudulent use of their data.
o c. More expensive products.
o d. Increased processing costs.
• Correct Answer: b. Fraudulent use of their data.
23. Primary Reason for GDPR Introduction
• Question: Which one of the following is a primary reason for the introduction of the General Data Protection
Regulation?
o a. To improve the speed at which electronic personal data is processed.
o b. To remove barriers for organisations seeking to process customer information.
o c. To make it easier for individuals to find personal information by searching online.
o d. To protect growing amounts of personal data being transferred outside the European Union.
• Correct Answer: d. To protect growing amounts of personal data being transferred outside the European
Union.
24. Data Processing Activity Exempt from GDPR for Non-EU Organizations
• Question: Which one of the following data processing activities is exempt from the General Data Protection
Regulation if an organisation is established outside the European Union?
o a. Monitoring the behaviour of individuals in the European Union.
o b. Selling online services to individuals outside the European Union.
o c. Offering online services to individuals in the European Union.
o d. Selling products online to individuals in the European Union.
• Correct Answer: a. Monitoring the behaviour of individuals in the European Union.
o Note: The source incorrectly indicated "Selling online services to individuals outside the European
Union" as the correct answer. The corrected answer is provided in the source.
25. Purpose Limitation Principle
• Question: Which one of the following describes the principle of purpose limitation?
o a. The collection of non-personal data for a range of different purposes.
o b. The collection of personal data for a specified, explicit, and legitimate purpose.
o c. The collection and storage of personal data for a specific time limit.
o d. The collection of personal data that is adequate, relevant, and limited to what is necessary.
• Correct Answer: b. The collection of personal data for a specified, explicit, and legitimate purpose.
o Explanation: The principle of purpose limitation states that personal data shall be collected for a
specified, explicit, and legitimate purpose and not further processed in a manner that is
incompatible with those purposes.
26. Accuracy Principle
• Question: Which one of the following best describes the principle of accuracy?
o a. Personal data shall be collected for a specified, explicit, and legitimate purpose.
o b. Personal data shall be kept correct and up to date, and erased or rectified if required.
o c. Personal data shall be processed in a manner that preserves its security.
o d. Personal data shall be adequate, relevant, and limited to what is necessary.
• Correct Answer: b. Personal data shall be kept correct and up to date, and erased or rectified if required.
o Explanation: Accuracy is the principle that personal data should be kept correct and current, and
should be erased or rectified if necessary.
27. Confidentiality and Integrity Principle
• Question: Which one of the following describes the principle of confidentiality and integrity?
o a. Personal data shall be collected for a specified, explicit, and legitimate purpose.
o b. Personal data shall be processed in a way that makes it clear when and why it is collected.
o c. Personal data shall be processed in a manner that ensures appropriate security of the data.
o d. Personal data shall be kept correct and up to date, and erased or rectified if needed.
• Correct Answer: c. Personal data shall be processed in a manner that ensures appropriate security of the
data.
28. Lawful Basis for Processing Personal Data
• Question: Which one of the following is a condition under which processing of personal data is lawful?
o a. Legal obligation.
o b. Assumed consent.
o c. Accountability.
o d. Commercial interests of third party.
• Correct Answer: a. Legal obligation.
o Explanation: A legal obligation is a condition under which processing of personal data is lawful, often
requiring data processing to comply with a legal duty.
29. Conditions for Valid Consent
• Question: Which one of the following are conditions that must be met for consent to be considered given by
the data subject?
o a. It must be related to the performance of a contract.
o b. It must be registered with the supervisory authority.
o c. It must be recorded, clearly requested, and permanent.
o d. It must be recorded, clearly requested, withdrawable, and given freely.
• Correct Answer: d. It must be recorded, clearly requested, withdrawable, and given freely.
30. Children's Consent
• Question: You are recording consent to process personal data as part of a registration process for your
online store. Which one of the following statements regarding children's consent is correct?
o a. Anyone, irrespective of age, can give consent to have their personal data lawfully processed.
o b. A child's personal data, if they are under the age of 13, cannot be processed lawfully.
o c. A child's personal data, if they are under the age of 13, can only be processed with parental
consent.
o d. A child, because of their age, does not have personal data, and consent is not required.
• Correct Answer: c. A child's personal data, if they are under the age of 13, can only be processed with
parental consent.
31. Special Category of Personal Data
• Question: Which one of the following is a special category of personal data that, unless specific conditions
apply, data processors are generally not allowed to process?
o a. Postcode.
o b. Telephone number.
o c. Shopping preferences.
o d. Political opinions.
• Correct Answer: d. Political opinions.
32. Transfer of Personal Data Outside EU
• Question: Personal data collected within the European Union but transferred outside it for processing:
o a. Is not subject to European Union regulations.
o b. Must not include sensitive personal data.
o c. Must only be transferred between subsidiaries.
o d. Is subject to European Union regulations.
• Correct Answer: d. Is subject to European Union regulations.
33. Information in Privacy Notices (Direct Collection)
• Question: Which one of the following must be included in the privacy information provided to the data
subject when collecting their personal data directly from them?
o a. The name of the data processor.
o b. The purpose and legal basis of processing.
o c. The address where processing occurs.
o d. The source of the data.
• Correct Answer: The correct answer for this question is not explicitly marked in the provided sources.
34. Processing Data Fairly
• Question: Clients must be provided with any privacy information that will make processing their data:
o a. Final.
o b. Factual.
o c. Faster.
o d. Fair.
• Correct Answer: d. Fair.
35. Information for Data Purchased from Third Parties
• Question: An online advertising company processing personal data purchased from a third party must
provide data subjects with information about:
o a. The products being advertised.
o b. The source of the personal data.
o c. The cost of the personal data.
o d. The name of the data processor.
• Correct Answer: b. The source of the personal data.
36. Right to Rectification
• Question: The right to obtain from the data controller, without undue delay, the revision of incorrect
personal data, and the completion of any incomplete personal data is known as:
o a. The right to object.
o b. The right of access.
o c. The right to erasure.
o d. The right to rectification.
• Correct Answer: d. The right to rectification.
o Explanation: The right to rectification is the right to obtain from the data controller, without undue
delay, the revision of incorrect personal data, and the completion of any incomplete personal data.
37. Right to Restrict Processing
• Question: The right to restrict processing entitles an individual to obtain from the data controller:
o a. Rectification of personal data if it is inaccurate or incomplete.
o b. Reuse of personal data across different services.
o c. Suspension of processing of personal data while its accuracy is verified.
o d. Deletion of personal data when processing is no longer reasonable.
• Correct Answer: c. Suspension of processing of personal data while its accuracy is verified.
o Explanation: The right to restrict processing involves obtaining from the data controller the
suspension of processing of personal data while its accuracy is verified or for other specific reasons.
38. Right to Object
• Question: An individual requests that an organisation stops processing their personal data. Which one of the
following rights is the individual exercising?
o a. The right to access.
o b. The right to object.
o c. The right to erasure.
o d. The right to rectification.
• Correct Answer: b. The right to object.
o Explanation: The right to object is the right of a data subject to object to the processing of their
personal data in certain situations, for example, for direct marketing purposes.
39. When Data Controller is Not Obliged to Comply
• Question: A data controller is not generally obliged to comply with an individual's rights in relation to data
protection when data processing is for the purpose of:
o a. Profiling.
o b. Direct marketing.
o c. Compliance with other legal obligations.
o d. Automated decision making.
• Correct Answer: c. Compliance with other legal obligations.
40. Important Way for Organizations to Comply
• Question: Which one of the following is an important way for organisations to comply with data protection
regulations?
o a. Request that staff and any third parties read the full text of the data protection regulations.
o b. Confirm that organisational data protection guidelines and policies comply with data protection
regulations.
o c. Wait to address any data protection concerns if contacted by the supervisory authority.
o d. Ask data processors to learn about data protection in their own time and at their own expense.
• Correct Answer: b. Confirm that organisational data protection guidelines and policies comply with data
protection regulations.
41. Data Protection by Design and Default
• Question: Your organisation is working on a new data processing IT system for the billing process. When
should data protection by design and default be implemented in development?
o a. After the system has been in operation for a few weeks.
o b. During the planning stages of the project.
o c. If requested to by the supervisory authority.
o d. If a customer makes a complaint about the new system.
• Correct Answer: b. During the planning stages of the project.
42. Data Protection Impact Assessment (DPIA)
• Question: Which one of the following data processing activities requires organisations to carry out a data
protection impact assessment?
o a. Processing anonymised data on a large scale using new technology.
o b. Processing special categories of personal data on a large scale.
o c. Processing small amounts of personal data in a secure environment.
o d. Processing personal data using existing systems and procedures.
• Correct Answer: b. Processing special categories of personal data on a large scale.
o Explanation: A Data Protection Impact Assessment (DPIA) is an assessment that organizations may
be required to carry out for certain data processing activities, especially those involving high risk to
data subjects' rights and freedoms.
43. Responsibility for Minimising Data Processing Risks
• Question: Which one of the following is responsible for ensuring that risks to personal data from data
processing are minimised through the use of appropriate organisational measures?
o a. Data subjects.
o b. Employees.
o c. Supervisory authorities.
o d. Management.
• Correct Answer: d. Management.
44. Technique to Protect Identity (No Longer Personal Data)
• Question: Which one of the following is a technique used in data processing to protect the identity of data
subjects by changing their personal data so it is no longer considered personal data?
o a. Portability.
o b. Pseudonymisation.
o c. Anonymisation.
o d. Automation.
• Correct Answer: c. Anonymisation.
o Explanation: Anonymisation is a technique used in data processing to protect the identity of data
subjects by changing their personal data so it is no longer considered personal data.
Pseudonymisation also protects identity but still allows re-identification with the use of additional
information.
45. Timeframe for Reporting Data Breaches
• Question: With regard to the time frame for reporting breaches of personal data, the data controller must
report to the supervisory authority:
o a. At the end of every year.
o b. Within 12 hours of the breach occurring.
o c. As soon as possible and, where possible, within 72 hours.
o d. Within 7 days of the breach occurring.
• Correct Answer: c. As soon as possible and, where possible, within 72 hours.
46. Jurisdiction for Legal Action Against Data Processor
• Question: Which one of the following is the jurisdiction where a data subject may take legal action against a
data processor?
o a. Only in the data subject's country of residence.
o b. Only in the data processor's country of establishment.
o c. In any European country.
o d. Either where the data processor is established or where the data subject resides.
• Correct Answer: d. Either where the data processor is established or where the data subject resides.