1. If personal data is processed across borders, which of the following criteria would be irrelevant for the lead supervisory authority handling the Greek employee's complaint to identify the location of the controller's main establishment?
A. Where the controller is registered as a company.
B. Where the processor is registered as a company.
C. Where decisions about the processing activities are made.
D. Where the director with responsibility for processing activities is located.
2. What type of privacy notice, initially supported by the Article 29 Working Party, is frequently advised for AI-based technologies due to its method of delivering processing information at particular stages of data collection?
A. Privacy dashboard notice.
B. Visualization notice.
C. Just-in-time notice.
D. Layered notice.
3. Articles 13 and 14 of the GDPR outline that data controllers must inform individuals when collecting their personal data. However, both articles exempt this requirement if the individual already possesses the information. What other condition in Article 14 would relieve the data controller from this duty?
A. When providing the information would go against a police order.
B. When providing the information would involve a disproportionate effort.
C. When the personal data was obtained through multiple sources in the public domain.
D. When the personal data was obtained 5 years before the entry into force of the GDPR.
4. When does the GDPR classify the processing of photographs as handling special categories of personal data?
A. When processed with the intent to publish information regarding a natural person on publicly accessible media.
B. When processed with the intent to proceed to scientific or historical research projects.
C. When processed with the intent to uniquely identify or authenticate a natural person.
D. When processed with the intent to comply with a law.
5. Which GDPR principle would a Spanish employer most likely rely on to annually transfer the personal data of its employees to the national tax authority?
A. The consent of the employees.
B. The legal obligation of the employer.
C. The legitimate interest of the public administration.
D. The protection of the vital interest of the employees.
6. Given the diverse range of services offered by an online company, its privacy practices can differ significantly. To address concerns about the complexity of explaining all these policies, what approach could most effectively ensure clarity and comprehensibility?
A. Use a layered privacy notice on its website and in its email communications.
B. Identify uses of data in a privacy notice mailed to the data subject.
C. Provide only general information about its processing activities and offer a toll-free number for more information.
D. Place a banner on its website stipulating that visitors agree to its privacy policy and terms of use by visiting the site.
7. Under the GDPR, controllers must provide data subjects with comprehensive details regarding the processing of their personal data. When data is collected directly from data subjects, which of the following pieces of information is NOT legally required to be provided?
A. The recipients or categories of recipients.
B. The categories of personal data concerned.
C. The rights of access, erasure, restriction, and portability.
D. The right to lodge a complaint with a supervisory authority.
8. According to Article 14 of the GDPR, how long does a controller have to provide a data subject with necessary privacy information, if that subject's personal data has been obtained from other sources?
A. As soon as possible after obtaining the personal data.
B. As soon as possible after the first communication with the data subject.
C. Within a reasonable period after obtaining the personal data, but no later than one month.
D. Within a reasonable period after obtaining the personal data, but no later than eight weeks.
9. Under what circumstances would a data subject be unable to exercise their right to portability?
A. When the processing is necessary to perform a task in the exercise of authority vested in the controller.
B. When the processing is carried out pursuant to a contract with the data subject.
C. When the data was supplied to the controller by the data subject.
D. When the processing is based on consent.
10. In which of the following situations is an individual most likely able to withdraw consent for processing?
A. When she is leaving her bank and moving to another bank.
B. When she has recently changed jobs and no longer works for the same company.
C. When she disagrees with a diagnosis her doctor has recorded on her records.
D. When she no longer wishes to be sent marketing materials from an organization.
11. Following the European Court of Justice's decision in Google v. Spain, it is probable that search engines outside the EEA will also be governed by the Regulation's right to be forgotten. This applies if the operations of an EU subsidiary and its U.S. parent are what?
A. Supervised by the same Data Protection Officer.
B. Consistent with Privacy Shield requirements.
C. Bound by a standard contractual clause.
D. Inextricably linked in their businesses.
12. A German individual was pranked in an embarrassing way 20 years ago. An article detailing the incident is still accessible on a newspaper's website and appears as the top search result for the person's name. The individual asks SearchCo to delist the result, and SearchCo agrees, instructing its team to stop scanning or indexing the article. What further actions should SearchCo take?
A. Notify the newspaper that it is delisting the article.
B. Fully erase the URL to the content, as opposed to delisting, which is mainly based on the data subject's name.
C. Identify other controllers who are processing the same information and inform them of the delisting request.
D. Prevent the article from being listed in search results no matter what search terms are entered into the search engine.
13. What is the maximum fine for non-compliance with the EU Artificial Intelligence Act (AI Act)?
A. The higher of up to 10 million Euro or up to 2% of the entity's total worldwide turnover for the preceding financial year.
B. The higher of up to 40 million Euro or up to 8% of the entity's total worldwide turnover for the preceding financial year.
C. The higher of up to 20 million Euro or up to 4% of the entity's total worldwide turnover for the preceding financial year.
D. The higher of up to 30 million Euro or up to 6% of the entity's total worldwide turnover for the preceding financial year.
14. Which law must UK-based companies follow when handling the personal data of EU residents post-Brexit?
A. The Privacy and Electronic Communications Regulations.
B. The EU General Data Protection Regulation.
C. The UK General Data Protection Regulation.
D. The UK Data Protection Act.
15. How would you best describe the relationship between the GDPR and the Digital Services Act, Data Governance Act, and Digital Markets Act?
A. The aforementioned legal acts do not refer to (i.e., do not mention) the GDPR.
B. The aforementioned legal acts apply without prejudice (i.e., in parallel) to the GDPR.
C. The aforementioned legal acts change specific provisions (i.e., certain articles) of the GDPR.
D. The aforementioned legal acts contain some sector-specific exemptions (i.e., only for certain businesses) from the GDPR.
16. All of the following will be established by the second Network and Information Security Directive ("NIS2") EXCEPT?
A. Baseline cybersecurity measures that each covered entity must address.
B. Powers to inspect, audit, or require information from covered organizations.
C. A common controls framework that every organization must adopt.
D. A new network for EU member states to cooperate on large-scale breaches.
17. According to the "Guide to basic data anonymization techniques" recently adopted by the Spanish Data Protection Agency, which of the following is NOT a valid basic anonymization technique?
A. Swapping.
B. Generalization.
C. Data Adjustment.
D. Attribute Suppression.
18. Which of the following practices does not align with the principles in the EDPB's Guidelines 4/2019 on Article 25 Data Protection by Design and by Default under EU data protection law?
A. Data ownership allocation.
B. Access control management.
C. Frequent pseudonymization key rotation.
D. Error propagation avoidance along the processing chain.
19. The European Data Protection Board stipulates that controllers may deny a data subject's access request under certain circumstances. Which of the following is NOT one of these conditions?
A. If the data subject access request was sent to an employee that is not involved in the processing of such requests.
B. If there is such a large amount of data that the controller cannot identify the data subject of the request.
C. If the controller is unable to use end-to-end encrypted emails for responding to such requests.
D. If the personal data was processed in the past but is no longer at the controller's disposal at the time of the request.
20. A senior employee's laptop bag, containing a laptop, ID card, confidential company documents (including financial details and board meeting minutes), company payment cards, and authorization tokens, is stolen at a train station. As the Data Protection Officer, what should be your immediate step?
A. Inform the appropriate supervisory authority of the breach.
B. Verify whether the laptop contained personal data and, if so, if it was encrypted.
C. Inform the meeting participants of the breach and provide them with next steps to be taken.
D. Request deactivation of the authorization tokens to avoid access to company data, and remotely wipe the laptop.
21. As per the European Data Protection Board, when a controller outside the EU but bound by the GDPR discovers a personal data breach, which supervisory authority or authorities need to be informed?
A. Only the supervisory authority of the EU member state in which the controller's EU representative (pursuant to Article 27) is established.
B. Only one lead supervisory authority, as a controller benefits from the one-stop shop mechanism under the GDPR's enforcement regime.
C. Every supervisory authority of the EU member states where the controller is offering goods or services.
D. Every supervisory authority for which affected data subjects reside in their EU member state.
22. What mechanism, implemented by the GDPR to guarantee both adherence and openness, permits personal data transfers to third countries according to Article 42?
A. Approved certifications.
B. Binding corporate rules.
C. Law enforcement requests.
D. Standard contractual clauses.
23. A private company has branches in France, Poland, the UK, and primarily Germany, where its headquarters is located. The company provides global services, mostly designed in Germany and supported elsewhere. However, one service, a SaaS application, was created by the Polish branch and is also supported internationally. Which is the lead supervisory authority for the SaaS service?
A. The supervisory authority of Germany at federal level.
B. The supervisory authority of Germany at regional level.
C. The supervisory authority of the Republic of Poland.
D. The supervisory authority of the European Union.