This multiple choice assessment focuses on the new General Data Protection Regulation (GDPR).

The purpose of the assessment is to enable you to assess the extent and depth of your knowledge of the Data Protection Law in preparation for the DPL.

Format: Multiple Choice

Time: 90 minutes

The result will be provided immediately, with details on all questions.

1) Which of the following describes a country which has similar data protection standards as the EU GDPR and has received approval from the European Commission?

2) Under which circumstances may a data subject request be refused:

3) What is a ‘layered' privacy notice’?

4) A company is hesitating between binding corporate rules and standard contractual clauses as a global data transfer solution. Which of the following statements would help the company make an effective decision?

5) A data subject makes a subject access request (SAR) to an online retail company for their personal data. The data subject states that they are making a SAR in accordance with the GDPR; however, if the company credits the data subject’s online account with a specified sum of money, the data subject will withdraw their request. The company has not had any previous access requests by other individuals. Which of the following would be legitimate grounds for the company to refuse to comply with the access request?

6) Why do Binding Corporate Rules (BCRs) prohibit the transfer of employee names to telecom providers within the same country in order to provide them with mobile phone services?

7) Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?

Please refer to the following scenario to answer questions 8 and 9:

Rob, a former employee of the Tea & Biscuits Corporation (a U.S.-based multi-national) has hand-delivered a letter to the Reception of the Irish Subsidiary, on May 1. Rob asked for a copy of all data that Tea & Biscuits Corporation holds about him from the start of his employment with them over 18 years ago, including all email correspondence about him from his past three managers, and anyone from the HR Department. Rob has included a copy of his passport, his old employee identification number, and his current address.

One of Rob's previous managers was made redundant at the same time as Rob; another has re-located to Tea & Biscuits Singapore office. The receptionist was not sure what to do with the letter, so she sent it via internal mail to the Facilities Manager who was out of the office on holiday until May 5. The Facilities Manager sent it to the HR Manager who is very busy on a new redundancy program. The HR Manager emailed the legal team to ask what he should do with the letter on May 21. The local Irish lawyers got back to the HR Manager on May 25 and suggested that the HR Manager get in touch with Rob immediately and tell him that his issue has been looked into.


8) What is the time period within which Tea & Biscuits Corporation needs to respond to the data subject?

9) What should Tea & Biscuits do before responding to Rob with the information he has requested?

10) Which of the following countries has had their commercial organisations deemed adequate by the European Commission?