This multiple choice assessment focuses on the new General Data Protection Regulation (GDPR).

The purpose of the assessment is to enable you to assess the extent and depth of your knowledge of the Data Protection Law in preparation for the DPL.

Format: Multiple Choice

Time: 90 minutes

The result will be provided immediately, with details on all questions.

1) Which BEST describes the purpose of a Data Protection Impact Assessment (DPIA)?

2) Which BEST describes data protection by ‘design and default’?

3) Which of the following statements regarding Data Protection Officers (DPOs) is FALSE?

4) Under which circumstances are personal data breaches NOT reportable to an independent supervisory authority?

Please use the following information to answer questions 5 - 7:

Michael is a member of the golf club, Potters Bar. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in Spain.

Michael lives in Derry, Northern Ireland (part of the U.K.), and commutes across the border to work in Lough Foyle, Ireland. Two years ago while on a business trip, Michael was photographed during a Potters Bar golf tournament in Stockholm, Sweden. At the time, Michael gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only.

Since then the photograph has been used in the club's U.K. brochures, and it features in the landing page of its U.K. website. However, the golf club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states.

As a result, Michael no longer feels comfortable with his photograph being associated with the golf club.

After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Michael sends a letter to Potters Bar requesting that his image be removed from the website and all promotional materials.

Months pass and Michael, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact Potters Bar through alternate channels, he decides to take action against the company.

Michael reports to a Data Protection Authority.

5) Under the cooperation mechanism, what should the lead authority do after it has formed its view on the matter?

6) Assuming that multiple Potters Bar branches across the UK and several EU countries are acting as separate data controllers, and that each of those branches were responsible for mishandling Michael's request, how may Michael proceed in order to seek compensation?

7) Which area of privacy is a lead supervisory authority's (SA) MAIN concern?

8) Along with the name and contact details of the data controller processing the personal data, what other information must be included in the records of processing to be maintained by the data controller under the GDPR?

9) If a multi-national company wanted to conduct background checks on all current and potential European-based employees, what key provision would the company have to follow?

10. In which of the following situations must a data protection impact assessment (DPIA) be used?