GDPR exam

10 practice questions for the GDPR Exam

The General Data Protection Regulation (GDPR) has applied since 25 May 2018 and affects almost every organisation that handles personal data.

What is GDPR?

GDPR builds on the earlier Data Protection Act (DPA), extending individual rights and requiring organisations to adopt clear policies and procedures that protect the personal data of individuals in the EU.

The regulation affects all aspects of your business, including how IT security teams store that data securely and how they detect, investigate and report breaches (a personal data breach must be notified to the supervisory authority within 72 hours of the organisation becoming aware of it, where feasible). Non-compliance can lead to fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher.

How can it impact my business?

Any organisation that processes the personal data of people in the EU is affected by GDPR, regardless of where the organisation itself is based.

To help you prepare for your GDPR Practitioner Exam and give you an idea of the complexities of the regulation, here are six sample questions of the kind used in our course, followed by four from PECB's Foundation-level exam:

1. Which of the following controller/processing scenarios in principle CAN use the Public Interest legal basis?

  1. A vehicle licensing agency selling owner names and contact details to the private sector in exchange for money
  2. A credit-checking agency republishing on the internet the names and addresses of company directors taken from a mandatory public register that is already in the public domain
  3. A registered and regulated charity receiving information from any public sector body as part of a lawful Data Sharing Agreement
  4. None of the above

2. Where the data subject is a child, what steps must controllers take in respect of consent, within the constraints of available technology?

  1. Controllers must make best efforts to verify the consent
  2. Controllers must make reasonable efforts to verify the consent
  3. Controllers must make their best efforts to request consent in clear and plain language, in the context of the age of the child
  4. Controllers must make reasonable efforts to request consent in clear and plain language, in the context of the age of the child

3. For which of the following rights is the following statement TRUE: "While implementing this data subject right, the controller is NOT obliged by Article 19 to inform each recipient to whom the personal data have been disclosed"?

  1. "Non-profiling" under Article 22
  2. Rectification under Article 16
  3. Erasure / "right to be forgotten" under Article 17
  4. Restriction under Article 18

4. For purposes of a data protection impact assessment, when must the controller seek the views of data subjects or their representatives on the intended processing?

  1. Always
  2. Never
  3. When appropriate
  4. When the supervisory authority requests it

5. Regarding data subjects protected by the GDPR, which of the following statements is true?

  1. The GDPR protects only people who are physically located in the EU 
  2. The GDPR protects only EU citizens
  3. The GDPR protects only EU residents 
  4. The GDPR protects only EU domiciliaries

6. Regarding the not-for-profit representation of data subjects, which of the following statements is FALSE?

  1. For a not-for-profit body or organisation to execute a mandate on behalf of a data subject, it must have been properly constituted in accordance with the law of a Member State.
  2. Member State laws may provide that not-for-profit bodies may bring complaints under Articles 77, 78, and 79 in the absence of mandates from affected data subjects. 
  3. Any data subject has the right to mandate any not-for-profit body, organisation or association to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf. 
  4. Unless a Member State's laws facilitate it, a not-for-profit body cannot exercise the right to receive compensation referred to in Article 82 on a data subject's behalf.

How did you do?

Answers:
  1. D
  2. B
  3. A
  4. C
  5. A
  6. C

GDPR exam questions from PECB

These practice exam questions relate to the GDPR Foundation certification and are great examples of what you might expect on an entry-level GDPR exam.


Question 1 (5 points): Please list at least five GDPR implementation advantages.

Possible answer:

Some of the advantages that organisations gain due to GDPR implementation include:
  1. More confidence in transactions between the data subjects and data processors 
  2. Following a single regulation 
  3. Setting a framework that provides reasonable assurance of privacy 
  4. Establishment of a trustworthy reputation in the global market 
  5. Maximising the possibilities to provide safe data processing services 

Question 2 (5 points): Considering that the aim of General Data Protection Regulation is to ensure a consistent level of protection for natural persons throughout the European Union and to prevent divergences hampering the free movement of personal data, please list at least five changes that an organisation can face due to its implementation. 

Possible answer:

Some of the changes that an organisation can face due to GDPR implementation include:
  1. Appointment of a data protection officer 
  2. Drafting and establishing new policies regarding international data transfers 
  3. Drafting and establishing new policies regarding the notification of a data breach 
  4. Drafting and establishing new policies that require compliance with the principles of data processing activities 
  5. Drafting and establishing new policies that require compliance with data subject rights 

Question 3 (5 points): Organisations wanting to comply with the General Data Protection Regulation must respect data subject rights. Please provide at least one concrete action that would support an organisation in complying with each of the following rights.

Right to restriction of processing (Article 18)

Possible answer:
  • A documented procedure that lets a data subject request restriction of processing of his/her personal data, for example where the processing is unlawful or the accuracy of the data is contested

Right to object (Article 21)

Possible answer:
  • Establishment of a policy that enables the data subject to object at any time to the processing of his/her personal data for direct marketing purposes

Question 4 (5 points): Please define what measures an organisation can implement to demonstrate compliance with the following:

Security of processing (Article 32)

Possible answer:

  1. Establish a procedure that defines which technical and organisational measures are implemented (for example pseudonymisation and encryption of personal data) to demonstrate compliance with the GDPR
  2. Establish a system that assesses the appropriate level of security for each processing activity, taking into account the risks to the rights and freedoms of data subjects

How to learn GDPR fast

Whether or not you got the answers right, upskill your team and prepare your business in only 3 days with our accelerated GDPR course Data Protection: Certified Data Protection Officer Training.

Looking to train your team? Check out our bespoke training solutions.