This multiple choice assessment focuses on the new General Data Protection Regulation (GDPR).

The purpose of the assessment is to enable you to assess the extent and depth of your knowledge of the Data Protection Law in preparation for the DPL.

Format: Multiple Choice

Time: 90 minutes

The result will be provided immediately, with details on all questions.

1) Under which circumstances may a data subject request be refused?

2) When processing personal data under the authority of the controller or processor, a processor may process data on instructions from the controller and also:

3) What is the purpose of Pseudonymisation?

4) Company X is looking to carry out new clinical trials and is considering using study subjects from another research study that they previously carried out.

Identify the MOST appropriate lawful basis for processing:

5) A data subject makes a subject access request (SAR) to an online retail company for their personal data. The data subject states that they are making a SAR in accordance with the GDPR; however, if the company credits the data subject’s online account with a specified sum of money, the data subject will withdraw their request. The company has not had any previous access requests by other individuals. Which of the following would be legitimate grounds for the company to refuse to comply with the access request?

6) Which of the following Article 9 (GDPR) conditions of processing may be used to store health data after the completion of the study?

7) What does Data Minimisation mean?

8) "It's not enough to just follow the Regulation, you also need to PROVE that you're following the Regulation". Which Principle of the GDPR does this apply to?

9) A research company has an email subscription scheme which allows study subjects to provide their name and email address in order to receive news about a study. Unknown to the subjects, the company also sells this data to other organisations who develop medical apps. This is a breach of which Principle of the GDPR?

10) Based on Article 5(1)(b) of the GDPR, what is the impact of the interpretation of the word 'incompatible'?