This multiple choice assessment focuses on the new General Data Protection Regulation (GDPR).

The purpose of the assessment is to enable you to assess the extent and depth of your knowledge of the Data Protection Law in preparation for the DPL.

Format: Multiple Choice

Time: 90 minutes

The result will be provided immediately, with details on all questions.

Which of the following is NOT one of the GDPR data protection principles?

Which of the following is used to best demonstrate transparency, by explaining how Company X uses personal data?

What is the purpose of Pseudonymisation?

Company X is looking to carry out new clinical trials and is considering using study subjects from another research that they previously carried out.

Identify the MOST appropriate lawful basis for processing:

Which of the following Article 9 (GDPR) conditions of processing may be used to store health data after the completion of the study?

Which BEST describes the purpose of a Data Protection Impact Assessment (DPIA)?

What does Data Minimisation mean?

Which BEST describes data protection by ‘design and default’?

9) Which of the following statements regarding Data Protection Officers (DPOs) is FALSE?

When processing personal data under the authority of the controller or processor, a processor may process data on instructions from the controller and also:

Which of the following describes a country which has similar data protection standards as the EU GDPR and has received approval from the European Commission?

Under which circumstances may a data subject request be refused:

"It's not enough to just follow the Regulation, you also need to PROVE that you're following the Regulation". Which Principle of the GDPR does this apply to?

Under which circumstances are personal data breaches NOT reportable to an independent supervisory authority?

Which of the following would not be defined as special category data, under the EU GDPR?

Please use the following information to answer the below question

Michael is a member of the golf club, Potters Bar. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in Spain.

Michael lives in Derry, Northern Ireland (part of the U.K.), and commutes across the border to work in Lough Foyle, Ireland. Two years ago while on a business trip, Michael was photographed during a Potters Bar golf tournament in Stockholm, Sweden. At the time, Michael gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only.

Since then the photograph has been used in the club's U.K. brochures, and it features in the landing page of its U.K. website. However, the golf club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states.

As a result, Michael no longer feels comfortable with his photograph being associated with the golf club.

After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Michael sends a letter to Potters Bar requesting that his image be removed from the website and all promotional materials.

Months pass and Michael, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact Potters Bar through alternate channels, he decides to take action against the company.

Michael reports to a Data Protection Authority.

Question:
Under the cooperation mechanism, what should the lead authority do after it has formed its view on the matter?

Please use the following information to answer the below question

Michael is a member of the golf club, Potters Bar. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in Spain.

Michael lives in Derry, Northern Ireland (part of the U.K.), and commutes across the border to work in Lough Foyle, Ireland. Two years ago while on a business trip, Michael was photographed during a Potters Bar golf tournament in Stockholm, Sweden. At the time, Michael gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only.

Since then the photograph has been used in the club's U.K. brochures, and it features in the landing page of its U.K. website. However, the golf club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states.

As a result, Michael no longer feels comfortable with his photograph being associated with the golf club.

After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Michael sends a letter to Potters Bar requesting that his image be removed from the website and all promotional materials.

Months pass and Michael, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact Potters Bar through alternate channels, he decides to take action against the company.

Michael reports to a Data Protection Authority.

Question: 
Assuming that multiple Potters Bar branches across the UK and several EU countries are acting as separate data controllers, and that each of those branches were responsible for mishandling Michael's request, how may Michael proceed in order to seek compensation?

Please use the following information to answer the below question

Michael is a member of the golf club, Potters Bar. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in Spain.

Michael lives in Derry, Northern Ireland (part of the U.K.), and commutes across the border to work in Lough Foyle, Ireland. Two years ago while on a business trip, Michael was photographed during a Potters Bar golf tournament in Stockholm, Sweden. At the time, Michael gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only.

Since then the photograph has been used in the club's U.K. brochures, and it features in the landing page of its U.K. website. However, the golf club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states.

As a result, Michael no longer feels comfortable with his photograph being associated with the golf club.

After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Michael sends a letter to Potters Bar requesting that his image be removed from the website and all promotional materials.

Months pass and Michael, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact Potters Bar through alternate channels, he decides to take action against the company.

Michael reports to a Data Protection Authority.

Question: 
Which area of privacy is a lead supervisory authority's (SA) MAIN concern?

19) A research company has an email subscription scheme which allows study subjects to provide their name and email address in order to receive news about a study. Unknown to the subjects the company also sells this data to other organisations who develop medical apps. This is a breach of which Principle of the GDPR?

20) Which of these is not Personal Data?