Data Protection MCQ 60 Tests With Answers (2026)

Data Protection & Privacy MCQ practice questions are essential for preparing for competitive exams, certifications, and technical interviews. This comprehensive MCQ platform provides 60 carefully curated practice questions covering global privacy regulations (GDPR, CCPA, HIPAA), data classification, data loss prevention (DLP), PII handling, data subject rights, and privacy engineering frameworks.
These questions are organized into three progressive difficulty levels of 20 questions each: Basics (covering data minimization, PII vs. sensitive categories, valid consent under GDPR/CCPA, purpose and storage limitations, right to erasure, and transparency), Concepts (covering controller vs. processor duties, DPO roles, DPIA assessments, Privacy by Design, DSAR scoping, and cross-border adequacy decisions), and Advanced (covering scenario-based Schrems II impact, binding corporate rules, k-anonymity/l-diversity, differential privacy, homomorphic encryption, and IAB Europe TCF). Each question includes a verified, in-depth explanation to reinforce learning.
Practice in Study Mode to reveal answers and detailed explanations instantly, or use Exam Mode for timed testing and real-time scoring to simulate CIPP/E, CIPM, CISA, or CISSP conditions.
Contents
- 1. Basics (20 Questions): Data minimization · PII vs sensitive · consent · rights
- 2. Concepts (20 Questions): Controller vs processor · DPO role · DPIA · Privacy by Design
- 3. Advanced (20 Questions): Schrems II · transfer impact · k-anonymity · differential privacy
- 4. Conclusion: summary · next steps · study tips
- 5. Key Takeaways: quick-fire bullet recap of essential facts
- 6. Quick Review Summary: concept · definition · key fact table
- 7. FAQ: common questions answered
Data Protection & Privacy – Basics
1. What is the core principle of "Data Minimization" in privacy frameworks?
Answer B: Collecting and processing only the data strictly necessary for a specific, stated purpose
Data minimization (GDPR Article 5(1)(c)) requires that personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. Collecting surplus data creates unnecessary risk and regulatory liability.
2. In the context of global privacy laws, what does PII stand for?
Answer D: Personally Identifiable Information
PII (Personally Identifiable Information) is any data that can be used on its own or in combination with other data to identify, contact, or locate a specific individual, such as name, SSN, email address, biometric records, or IP address.
3. What is the fundamental difference between Data Security and Data Privacy?
Answer A: Security protects data from unauthorized access or breaches; privacy governs the authorized, ethical, and legal use of that data
Security and privacy are complementary but distinct disciplines. Security ensures data is protected against unauthorized access (confidentiality, integrity, availability). Privacy ensures data is used only in ways the subject expects and the law permits, even by authorized parties.
4. Which European regulation comprehensively governs data protection and privacy for individuals within the EU and the EEA?
Answer C: General Data Protection Regulation (GDPR)
The GDPR (Regulation (EU) 2016/679), enforceable since May 2018, is the world's most comprehensive data protection law. It applies to any organization processing the personal data of EU/EEA residents, regardless of where the organization is based.
5. Under modern privacy regulations, what constitutes "Valid Consent" from a data subject?
Answer D: A freely given, specific, informed, and unambiguous indication of the user's wishes
GDPR Article 7 and Recital 32 define valid consent as freely given (no power imbalance), specific (per purpose), informed (clear disclosure), and unambiguous (requires an affirmative act; pre-ticked boxes do not qualify). Consent must also be as easy to withdraw as to give.
6. What is the primary purpose of a "Privacy Policy"?
Answer A: To transparently disclose how an organization collects, uses, stores, and shares personal data
A privacy policy (or privacy notice) is a transparency document required by laws like GDPR (Articles 13–14) and CCPA. It must tell users what data is collected, the lawful basis for processing, how long it is retained, with whom it is shared, and how to exercise data subject rights.
7. Which of the following is generally considered "Sensitive Personal Data" (or Special Category Data) requiring higher protection?
Answer B: Information revealing racial origin, political opinions, religious beliefs, or health status
GDPR Article 9 designates special categories of data (racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, and sexual orientation) as requiring explicit consent or another specific derogation to process lawfully.
8. What does the California Consumer Privacy Act (CCPA) primarily empower consumers to do?
Answer C: Demand to know what personal data is collected and request that businesses stop selling their personal information
The CCPA (effective January 2020, strengthened by CPRA in 2023) grants California residents five core rights: to know, to delete, to opt-out of sale, to non-discrimination, and (under CPRA) to correct inaccurate data and limit use of sensitive personal information.
9. What is the "Right to be Forgotten" (Right to Erasure)?
Answer B: The right of a data subject to request the deletion of their personal data when it is no longer necessary or consent is withdrawn
GDPR Article 17 grants data subjects the right to request erasure of their personal data under specific circumstances: the data is no longer necessary, consent is withdrawn, the data was unlawfully processed, or there is a legal obligation to erase. The right is not absolute; it must be balanced against other rights like freedom of expression.
10. In privacy terminology, what is a "Data Subject"?
Answer A: The identified or identifiable living individual to whom the personal data relates
Under GDPR Article 4, a data subject is an identified or identifiable natural person. Identifiable means the person can be singled out directly or indirectly, by name, ID number, location data, online identifier, or physical, genetic, mental, economic, cultural, or social factors.
11. Which fundamental privacy concept ensures that data collected for one purpose cannot be used for a completely different, incompatible purpose?
Answer C: Purpose Limitation
Purpose limitation (GDPR Article 5(1)(b)) requires that personal data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. Secondary use requires a compatible purpose or a new legal basis.
12. What does "Data Portability" guarantee to users?
Answer C: The right to receive their personal data in a structured, commonly used, and machine-readable format to transfer to another provider
GDPR Article 20 grants data subjects the right to data portability: to receive their personal data in a structured, commonly used, machine-readable format (e.g., JSON, CSV), and to transmit it to another controller without hindrance. This right applies when processing is based on consent or contract and is carried out by automated means.
13. What is the most common reason organizations implement automated data retention and disposal policies?
Answer B: To ensure personal data is not kept longer than strictly necessary for its intended purpose, complying with storage limitation principles
Storage limitation (GDPR Article 5(1)(e)) requires that personal data is kept in a form that permits identification of data subjects for no longer than necessary. Automated retention schedules reduce regulatory risk, minimize the data footprint exposed in a breach, and limit the scope of DSAR responses.
14. Which of the following best defines "Opt-In" versus "Opt-Out" consent?
Answer B: Opt-In requires the user to take a positive, active step to permit data processing; Opt-Out assumes permission until the user actively withdraws it
Opt-In (explicit/affirmative consent) requires the user to actively agree before processing begins, as GDPR requires for consent-based processing. Opt-Out (assumed consent) treats silence as permission and places the burden on the user to stop processing, a model GDPR explicitly prohibits for consent as the lawful basis.
15. What is the primary function of a "Cookie Banner" on a website?
Answer C: To inform visitors about the use of trackers and obtain their legally valid consent before setting non-essential cookies
Under the ePrivacy Directive (Cookie Law) and GDPR, non-essential cookies (advertising, analytics, tracking) require prior, informed consent. A legally compliant Consent Management Platform (CMP) must present clear choices, not use dark patterns, and record consent signals; reject-all must be as easy as accept-all.
16. Which data protection principle dictates that personal data must be accurate and, where necessary, kept up to date?
Answer A: Accuracy
The accuracy principle (GDPR Article 5(1)(d)) requires organizations to take reasonable steps to ensure personal data is correct and up to date, erasing or rectifying inaccurate data without delay. Inaccurate data can cause serious harm, for example a wrongful credit denial or a misdiagnosis.
17. Why is employee training considered a critical component of data protection?
Answer B: Because human error (e.g., misdirected emails, phishing) remains the leading cause of data breaches and privacy violations
The Verizon DBIR and ICO enforcement actions consistently show that human error (including phishing susceptibility, misconfigured cloud storage, and misdirected emails) is responsible for the majority of reportable data breaches. Technical controls are essential, but so is the human layer of defense.
18. What does "Transparency" mean in the context of data privacy?
Answer D: Providing clear, easily understandable, and accessible information to users about how their data is being processed
Transparency (GDPR Article 5(1)(a) and Articles 12–14) requires data controllers to provide privacy information in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. This includes information on purpose, retention, recipients, and data subject rights.
19. Which entity is considered a highly sensitive class of data subjects under laws like COPPA (Children's Online Privacy Protection Act)?
Answer D: Children under the age of 13
COPPA (15 U.S.C. §§ 6501–6506) imposes strict requirements on websites and online services directed to children under 13: verifiable parental consent must be obtained before collecting any personal information, with the FTC empowered to levy substantial civil penalties for violations.
20. What is the primary focus of "Data Mapping" (or Data Inventory) in a privacy program?
Answer A: Identifying and documenting what personal data an organization collects, where it resides, how it flows, and who has access to it
A data map (or Record of Processing Activities) is foundational to every privacy program. Without knowing what data exists, where it is stored, how it flows between systems and third parties, and who can access it, an organization cannot respond to DSARs, manage breaches, execute retention policies, or demonstrate GDPR Article 30 compliance.
Data Protection & Privacy – Concepts
1. In the GDPR framework, what is the fundamental difference between a "Data Controller" and a "Data Processor"?
Answer D: The Controller determines the purposes and means of processing; the Processor simply processes the data on behalf of the Controller
GDPR Article 4 defines the Controller as the entity that determines the "why" and "how" of processing. The Processor acts only on the Controller's documented instructions. Controllers bear primary GDPR obligations; Processors have specific duties under Article 28 and may face direct liability under Article 82.
2. What is the purpose of a Data Protection Impact Assessment (DPIA)?
Answer B: To systematically identify and mitigate the privacy risks associated with new projects or processing activities that are likely to result in high risk to individuals
GDPR Article 35 mandates DPIAs before undertaking processing that is likely to result in high risk, such as large-scale profiling, systematic monitoring of public areas, or processing special category data. The DPIA documents the assessment of necessity, proportionality, risks, and mitigating measures.
3. What is the core tenet of "Privacy by Design"?
Answer C: Embedding data protection and privacy principles into the architecture of IT systems and business practices from the very beginning, rather than bolting them on later
Privacy by Design (PbD) was developed by Ann Cavoukian and is now mandated by GDPR Article 25. Its seven foundational principles require privacy to be proactive not reactive, privacy as the default, privacy embedded into design, full functionality (not zero-sum), end-to-end security, visibility and transparency, and respect for user privacy.
4. How does "Pseudonymization" differ from "Anonymization"?
Answer B: Pseudonymization replaces direct identifiers with artificial identifiers, but the data can still be re-identified with an external key; Anonymization irreversibly destroys any ability to identify the subject
GDPR Recital 26 draws a clear line: pseudonymized data is still personal data (the key enabling re-identification must be kept separately and securely). Truly anonymized data falls outside the GDPR entirely. Tokenization and hashing are common pseudonymization techniques; differential privacy and data generalization are anonymization approaches.
5. What is the role of a Data Protection Officer (DPO)?
Answer D: To independently oversee data protection strategy, advise on compliance, and act as the liaison with supervisory authorities
GDPR Articles 37–39 establish the DPO role. A DPO must have expert knowledge of data protection law, operate independently without conflict of interest, advise on DPIAs, monitor compliance, and act as the contact point for data subjects and the supervisory authority. Certain organizations are legally mandated to appoint one.
6. Under GDPR Article 32, organizations are required to implement "appropriate technical and organizational measures." Which of the following is explicitly suggested?
Answer B: The pseudonymization and encryption of personal data
GDPR Article 32(1) explicitly lists pseudonymization and encryption as appropriate technical measures. It also requires the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems, and the ability to restore data after an incident.
7. What is a Data Subject Access Request (DSAR)?
Answer C: A legal request made by an individual to an organization asking for a copy of all the personal data the organization holds about them
GDPR Article 15 grants data subjects the right of access. A DSAR entitles the individual to receive a copy of their personal data, information about how it is being processed, retention periods, recipients, and data subject rights. Organizations must respond within one calendar month (extendable by two months for complex requests).
8. In the context of HIPAA (Health Insurance Portability and Accountability Act), what is PHI?
Answer B: Protected Health Information
PHI (Protected Health Information) is individually identifiable health information held or transmitted by a HIPAA-covered entity or business associate. The HIPAA Privacy Rule lists 18 identifiers that must be removed to de-identify health data. PHI includes past, present, or future physical or mental health, healthcare provision, or payment information.
9. Which legal mechanism governs the specific terms under which a Data Processor handles data for a Data Controller?
Answer A: A Data Processing Agreement (DPA)
GDPR Article 28(3) mandates a written Data Processing Agreement (DPA) between every controller and processor. The DPA must specify the subject matter, duration, nature and purpose of processing, type of personal data, categories of data subjects, and the controller's obligations and rights, including sub-processor authorization terms.
10. What does "Lawful Basis" mean in EU privacy law?
Answer D: The legal justification required (e.g., consent, legitimate interest, contract) before an organization can legally process personal data
GDPR Article 6 lists six lawful bases: (1) Consent, (2) Contract, (3) Legal obligation, (4) Vital interests, (5) Public task, and (6) Legitimate interests. Controllers must identify and document their lawful basis before initiating processing. Without a lawful basis, processing is unlawful regardless of technical safeguards.
11. What is the "Legitimate Interests" lawful basis?
Answer B: Processing data because the organization has a genuine, valid reason that is not overridden by the fundamental rights and freedoms of the data subject
GDPR Article 6(1)(f) (Legitimate Interests) requires a three-part test: (1) Is there a legitimate interest? (2) Is processing necessary to achieve it? (3) Is the interest overridden by the data subject's rights and freedoms? A Legitimate Interests Assessment (LIA) must be documented. It cannot override children's data or special category data without additional grounds.
12. In cross-border data transfers, what does an "Adequacy Decision" signify?
Answer D: A formal determination by the European Commission that a non-EU country offers a level of data protection equivalent to that provided within the EU
GDPR Article 45 enables data transfers to third countries only when the European Commission has issued an adequacy decision. Countries with adequacy include UK, Switzerland, Japan, Canada (partially), and Israel. Absent an adequacy decision, transfers require appropriate safeguards such as SCCs, BCRs, or specific derogations.
13. What is "Privacy by Default"?
Answer C: Ensuring that, out of the box, the strictest privacy settings automatically apply without any manual intervention from the user
Privacy by Default (GDPR Article 25(2)) requires that only personal data that is necessary for the specific purpose is processed by default. For example, optional profile fields should default to private, not public; data collection should be minimal by default, with users actively opting in to share more.
14. Why is "Data Discovery" a critical prerequisite for responding to a DSAR?
Correct answer (A): An organization cannot provide a copy of a user's data or delete it if they do not comprehensively know where all instances of that data are stored
DSAR responses require locating every instance of a data subject's information across all systems: CRMs, email archives, backups, third-party processors, and shadow IT. Organizations without a data map risk incomplete responses (regulatory violation), over-sharing (privacy violation), or failing to locate data at all.
15. What is the primary purpose of the PCI-DSS (Payment Card Industry Data Security Standard) framework?
Correct answer (B): To ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment to protect cardholder data
PCI-DSS is a contractual security standard developed by the Payment Card Industry Security Standards Council. It applies to all entities that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD). Non-compliance can result in fines, card brand penalties, and loss of payment processing privileges.
16. How does the concept of "Data Sovereignty" impact cloud computing?
Correct answer (A): It dictates that digital data is subject to the laws and regulations of the specific country in which it is physically stored
Data sovereignty means data stored in a given country is governed by that country's legal framework, including government access requests, cross-border transfer restrictions, and localization laws. This creates significant complexity for multinational cloud deployments, as data in France is governed by French/EU law, data in Russia by Russian law, etc.
17. Under CCPA (and CPRA), what specifically does the "Do Not Sell or Share My Personal Information" link achieve?
Correct answer (D): It allows users to opt-out of having their personal data sold to or shared with third parties for cross-context behavioral advertising
The CPRA (effective January 2023) expanded the CCPA opt-out to cover both "sale" and "sharing"; the latter captures sharing for cross-context behavioral advertising (i.e., targeted ads) even when no money changes hands. The opt-out link must be clearly displayed on the homepage and act immediately upon submission.
18. What is a typical consequence for an organization that fails to report a reportable GDPR data breach within the 72-hour window?
Correct answer (A): They may face severe administrative fines of up to €10 million or 2% of global annual turnover
GDPR Article 83(4) specifies fines of up to €10 million or 2% of total worldwide annual turnover for breaching Article 33 (breach notification to the supervisory authority within 72 hours) or Article 34 (notification to affected data subjects without undue delay when the risk is high). More serious violations carry fines of up to €20M/4%.
19. What does "Data Subject Rectification" refer to?
Correct answer (B): The right of an individual to have inaccurate or incomplete personal data corrected by the data controller
GDPR Article 16 grants data subjects the right to rectification without undue delay. This includes both correcting factual inaccuracies and completing incomplete data. Controllers must also notify any recipients (processors, third parties) to whom the data was disclosed, unless this proves impossible or disproportionate.
20. Which of the following is considered a "Privacy Enhancing Technology" (PET)?
Correct answer (D): Format-preserving encryption that allows databases to be queried without decrypting sensitive fields
PETs are technologies that minimize personal data use while maximizing data security. Format-preserving encryption (FPE) allows analytics and operations on encrypted data without exposing plaintext. Other PETs include differential privacy, homomorphic encryption, data clean rooms, zero-knowledge proofs, and secure multi-party computation.
Data Protection & Privacy: Advanced
1. What was the critical consequence of the "Schrems II" ruling by the Court of Justice of the European Union (CJEU)?
Correct answer (A): It invalidated the EU-US Privacy Shield, causing major disruption to transatlantic data flows and placing heavy reliance on Standard Contractual Clauses (SCCs)
The CJEU's Data Protection Commissioner v Facebook Ireland (C-311/18) judgment in July 2020 annulled the EU-US Privacy Shield framework because US surveillance laws (FISA 702, EO 12333) lack equivalent protections. It also placed new obligations on controllers using SCCs to conduct Transfer Impact Assessments, later addressed (partially) by the EU-US Data Privacy Framework in 2023.
2. In the context of international data transfers, what are Binding Corporate Rules (BCRs)?
Correct answer (C): Internal rules adopted by multinational groups of companies to govern secure intra-organizational transfers of personal data across international borders
BCRs (GDPR Articles 46 and 47) are internal corporate codes of conduct approved by a Lead Supervisory Authority that allow multinational corporations to legitimize intra-group international data transfers without SCCs. They require demonstrating legally binding, enforceable rights for data subjects and accountability mechanisms across all group entities.
3. What does the concept of "k-anonymity" achieve in a dataset?
Correct answer (B): It ensures that any individual's data cannot be distinguished from at least k-1 other individuals within the same dataset, mitigating re-identification risks
k-anonymity (introduced by Latanya Sweeney) ensures each quasi-identifier combination in a dataset appears in at least k records. For example, 3-anonymity means at least 3 people share every combination of ZIP code, gender, and age group. Weaknesses include homogeneity attacks and background knowledge attacks, which led to l-diversity and t-closeness extensions.
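As an added illustration (not part of the quiz), the Python below measures k-anonymity and l-diversity on a constructed toy release of ZIP prefix, gender, age group and diagnosis, suppresses the rows that break k, and then shows the homogeneity attack mentioned above: a class can satisfy k=3 while every member shares the same diagnosis (l=1). All function names and data rows are the example's own.

```python
"""k-anonymity and l-diversity check over a constructed toy release.

Added illustration; the rows below are constructed, not real patient data.
"""
from collections import defaultdict

# Quasi-identifiers are attributes an attacker could link to an outside
# source (voter roll, public profile); the sensitive attribute is what the
# release is meant to protect.
QUASI_IDENTIFIERS = ("zip", "gender", "age")
SENSITIVE = "diagnosis"

# Constructed release: ZIP already generalised to a 3-digit prefix, age to a decade.
RELEASE = [
    {"zip": "021**", "gender": "F", "age": "20-29", "diagnosis": "flu"},
    {"zip": "021**", "gender": "F", "age": "20-29", "diagnosis": "asthma"},
    {"zip": "021**", "gender": "F", "age": "20-29", "diagnosis": "flu"},
    {"zip": "022**", "gender": "M", "age": "30-39", "diagnosis": "hiv"},
    {"zip": "022**", "gender": "M", "age": "30-39", "diagnosis": "hiv"},
    {"zip": "022**", "gender": "M", "age": "30-39", "diagnosis": "hiv"},
    {"zip": "023**", "gender": "M", "age": "40-49", "diagnosis": "flu"},
]


def equivalence_classes(rows, quasi_ids=QUASI_IDENTIFIERS):
    """Group rows that share the same quasi-identifier tuple."""
    classes = defaultdict(list)
    for row in rows:
        classes[tuple(row[q] for q in quasi_ids)].append(row)
    return dict(classes)


def k_anonymity(rows, quasi_ids=QUASI_IDENTIFIERS):
    """k = size of the smallest class: each person hides among at least k-1 others."""
    return min(len(group) for group in equivalence_classes(rows, quasi_ids).values())


def l_diversity(rows, sensitive=SENSITIVE, quasi_ids=QUASI_IDENTIFIERS):
    """l = fewest distinct sensitive values found in any equivalence class."""
    return min(len({r[sensitive] for r in group})
               for group in equivalence_classes(rows, quasi_ids).values())


def homogeneous_classes(rows, sensitive=SENSITIVE, quasi_ids=QUASI_IDENTIFIERS):
    """Classes whose members all share one sensitive value.

    Knowing that a target falls in such a class reveals the value outright,
    regardless of how large k is (the homogeneity attack).
    """
    return [key for key, group in equivalence_classes(rows, quasi_ids).items()
            if len({r[sensitive] for r in group}) == 1]


def suppress_small_classes(rows, k, quasi_ids=QUASI_IDENTIFIERS):
    """Record suppression: drop every row whose class has fewer than k members."""
    classes = equivalence_classes(rows, quasi_ids)
    return [r for r in rows
            if len(classes[tuple(r[q] for q in quasi_ids)]) >= k]


if __name__ == "__main__":
    print("k before suppression:", k_anonymity(RELEASE))          # 1 (the lone 023** row)
    released = suppress_small_classes(RELEASE, 3)
    print("k after suppression:", k_anonymity(released))           # 3
    print("l-diversity:", l_diversity(released))                   # 1
    print("homogeneous classes:", homogeneous_classes(released))   # [('022**', 'M', '30-39')]
```

The released table is 3-anonymous, yet anyone known to be a man aged 30-39 in the 022** prefix has his diagnosis disclosed, which is exactly the gap l-diversity was introduced to close.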
4. How does "Differential Privacy" fundamentally protect user data in statistical databases?
Correct answer (A): By injecting a calculated amount of mathematical "noise" into the dataset, allowing accurate aggregate patterns to be analyzed while making it impossible to identify specific individuals
Differential privacy (DP), formalized by Cynthia Dwork, provides a mathematical guarantee: the probability of any specific output is essentially unchanged whether or not any individual's data is included. The privacy budget (epsilon, ε) controls the trade-off between utility and privacy. Apple, Google, and the US Census Bureau use DP in production systems.
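The following added example (not from the quiz) implements the Laplace mechanism for a counting query, tracks the ε budget so that repeated queries cannot silently exceed it, and checks the guarantee stated above numerically: for two datasets differing in one person, no output is more than e^ε times likelier under one than the other. The records and all function names are constructed for the example.

```python
"""Laplace mechanism for a differentially private count, with an epsilon budget.

Added illustration; RECORDS below are constructed, not a real dataset.
"""
import math
import random

# Constructed records: one row per person.
RECORDS = [
    {"age": "20-29", "condition": True},
    {"age": "20-29", "condition": False},
    {"age": "30-39", "condition": True},
    {"age": "30-39", "condition": True},
    {"age": "40-49", "condition": False},
    {"age": "40-49", "condition": True},
]


def make_rng(seed):
    """Seeded generator so a run is reproducible; production code would not seed."""
    return random.Random(seed)


def laplace_sample(scale, rng):
    """Draw from Laplace(0, scale) by inverse-CDF sampling."""
    u = rng.random() - 0.5                       # uniform on [-0.5, 0.5)
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def laplace_pdf(x, scale):
    return math.exp(-abs(x) / scale) / (2.0 * scale)


class PrivacyBudget:
    """Cumulative epsilon spent; under sequential composition the epsilons add up."""

    def __init__(self, total_epsilon):
        self.total = total_epsilon
        self.spent = 0.0

    def charge(self, epsilon):
        if self.spent + epsilon > self.total + 1e-12:
            raise RuntimeError("privacy budget exhausted")
        self.spent += epsilon


def true_count(records, predicate):
    return sum(1 for r in records if predicate(r))


def dp_count(records, predicate, epsilon, budget, rng):
    """Release a count with Laplace noise.

    Adding or removing one person changes a count by at most 1 (sensitivity 1),
    so Laplace noise with scale 1/epsilon gives epsilon-differential privacy.
    """
    budget.charge(epsilon)
    return true_count(records, predicate) + laplace_sample(1.0 / epsilon, rng)


def density_ratio(output, count_a, count_b, epsilon):
    """P[output | true count a] / P[output | true count b] for the mechanism above."""
    scale = 1.0 / epsilon
    return laplace_pdf(output - count_a, scale) / laplace_pdf(output - count_b, scale)


def worst_case_ratio(count_a, count_b, epsilon, outputs):
    """Largest likelihood ratio over the candidate outputs; DP promises <= e^epsilon."""
    return max(density_ratio(y, count_a, count_b, epsilon) for y in outputs)


def epsilon_bound(epsilon):
    """The e^epsilon ceiling the guarantee puts on any likelihood ratio."""
    return math.exp(epsilon)


if __name__ == "__main__":
    has_condition = lambda r: r["condition"]
    budget, rng = PrivacyBudget(1.0), make_rng(7)
    print("true count:", true_count(RECORDS, has_condition))
    print("noisy count (eps=0.5):", dp_count(RECORDS, has_condition, 0.5, budget, rng))
    print("noisy count (eps=0.5):", dp_count(RECORDS, has_condition, 0.5, budget, rng))
    print("budget spent:", budget.spent)
    # Neighbouring datasets: counts 4 and 5 (one person added). Ratio never exceeds e^eps.
    ys = [i / 10.0 for i in range(-100, 201)]
    print("worst ratio:", worst_case_ratio(4, 5, 1.0, ys), "<= bound", epsilon_bound(1.0))
```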
5. What is the primary function of "Homomorphic Encryption" in privacy-preserving computing?
Correct answer (C): To allow mathematical computations and analysis to be performed directly on ciphertext, generating an encrypted result without ever needing to expose the plaintext data
Fully Homomorphic Encryption (FHE) is the theoretical "holy grail" of privacy-preserving computation, enabling a cloud provider to compute on encrypted data and return an encrypted result that only the data owner can decrypt. Partially (PHE) and leveled (LHE) homomorphic schemes are already in production use for specific operations like private information retrieval and private set intersection.
6. In ad-tech privacy, what is the purpose of the IAB Europe Transparency and Consent Framework (TCF)?
Correct answer (D): To provide a standardized mechanism for publishers, ad-tech vendors, and CMPs to communicate user consent and legitimate interest states across the digital advertising supply chain
The IAB Europe TCF provides a technical standard (via the TC String) encoding user consent and legitimate interest signals that are passed in OpenRTB bid requests to hundreds of ad-tech vendors. The Belgian DPA's 2022 ruling found TCF itself non-compliant with GDPR, highlighting the tension between real-time bidding architectures and consent requirements.
7. Under the GDPR, what is a "Transfer Impact Assessment" (TIA)?
Correct answer (C): A mandatory assessment required after Schrems II to evaluate if the destination country's laws (like US surveillance laws) undermine the protections of Standard Contractual Clauses
Post-Schrems II, a TIA is required whenever SCCs are used for restricted transfers. It assesses the destination country's legal framework (particularly surveillance laws, government access rights, and judicial remedies) to determine whether SCCs can be effective or whether supplementary measures (encryption, pseudonymization) are needed to maintain equivalent EU protection.
8. What is a "Zero-Knowledge Proof" (ZKP) in the context of privacy?
Correct answer (B): A cryptographic method by which one party can prove to another that a specific statement is true (e.g., "I am over 18") without conveying any additional underlying information (like their exact birthdate)
ZKPs are a foundational cryptographic primitive for privacy-preserving authentication and compliance. Interactive ZKPs (Schnorr protocol) and non-interactive variants (zk-SNARKs and zk-STARKs, used in blockchain systems like Zcash) allow proving possession of a credential or satisfaction of a condition without disclosing the underlying data itself.
9. Which of the following best describes "Data Clean Rooms" in modern privacy-safe marketing?
Correct answer (C): Secure, isolated environments where multiple parties can pool and analyze first-party data without exposing the underlying, raw Personally Identifiable Information to each other
Data clean rooms (e.g., Google Ads Data Hub, Amazon Marketing Cloud, LiveRamp) enable advertisers and publishers to perform audience analysis and campaign measurement on combined datasets using privacy-preserving techniques (aggregation thresholds, noise injection, and access controls) without either party ever seeing the other's raw user PII.
10. In the context of GDPR Article 14, what is an organization's obligation if it obtains personal data from a source other than the data subject (e.g., purchasing a contact list)?
Correct answer (A): They must provide specific privacy information (a fair processing notice) to the data subject within a reasonable period, typically within one month
GDPR Article 14 requires controllers obtaining data indirectly (data brokers, third-party lists, web scraping) to proactively notify the data subject, within one month, at first communication, or before disclosure to a third party (whichever comes first), providing information on the source, purposes, legal basis, and data subject rights.
11. What is the "Mosaic Effect" in data privacy and de-identification?
Correct answer (B): The risk that distinct, seemingly anonymized datasets can be combined and cross-referenced to successfully re-identify individuals
The Mosaic Effect demonstrates why "anonymization" is fragile: Latanya Sweeney showed that 87% of Americans can be uniquely re-identified by ZIP code, birth date, and sex alone. Netflix Prize de-anonymization, AOL search data re-identification, and NYT taxi data re-identification are landmark examples of the mosaic effect defeating claimed anonymization.
12. Under CCPA/CPRA, what does the concept of a "Dark Pattern" refer to?
Correct answer (D): A user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, making it difficult for consumers to decline consent or opt-out
The CPRA (effective 2023) and CPPA regulations explicitly prohibit dark patterns in consent UIs. Examples include: requiring multiple clicks to opt-out vs. one click to opt-in, using confusing double negatives ("Don't uncheck to not opt out"), hiding opt-out buttons, using misleading colors (red for privacy-protective choice, green for data-sharing), and nagging re-consent flows.
13. What is the core mechanism of "Federated Learning" as a privacy-preserving AI technique?
Correct answer (C): Training a centralized machine learning model across multiple decentralized edge devices or servers holding local data samples, without exchanging the raw data itself
Federated Learning (introduced by Google in 2017 for Gboard) keeps training data on-device. Each device trains a local model update on its raw data, sends only the gradient updates (not raw data) to a central aggregator, which combines them into an improved global model. Combined with differential privacy and secure aggregation, it provides strong privacy guarantees for on-device ML.
14. In the realm of biometric privacy (e.g., under BIPA, the Illinois Biometric Information Privacy Act), what is a primary strict liability requirement for organizations?
Correct answer (B): Organizations must obtain informed, written consent before collecting or capturing any biometric identifiers or information
BIPA (740 ILCS 14) requires: (1) a publicly available biometric data retention/destruction policy, (2) written notice to subjects, (3) written consent before collection, and (4) a ban on profiting from biometrics. Critically, BIPA creates a private right of action with statutory damages of $1,000 to $5,000 per violation, leading to multi-billion-dollar class actions against Meta, Google, and others.
15. What does the term "Data Lineage" mean in advanced privacy operations?
Correct answer (D): The lifecycle of data (including its origin, what happens to it, and where it moves over time), vital for demonstrating compliance and executing data subject rights
Data lineage (or data provenance) tracks the full history of a data element: its source, transformations, storage locations, sharing relationships, and eventual deletion. In privacy operations, lineage enables accurate DSAR responses, breach impact assessment (which records were affected?), purpose limitation enforcement, and audit trail production for regulatory inspections.
16. How do "Global Privacy Control" (GPC) signals function?
Correct answer (C): As a browser-level technical signal communicating a user's choice to opt-out of the sale or sharing of their personal data universally across participating websites
GPC is a browser or extension-level HTTP header signal (Sec-GPC: 1) that communicates a user's universal opt-out preference. The California AG confirmed in 2022 that GPC is a valid opt-out mechanism under CCPA. Participating websites must honor it as equivalent to presenting a "Do Not Sell" request. Firefox, Brave, and DuckDuckGo natively support GPC.
17. In responding to a regulatory audit, what is the "Record of Processing Activities" (RoPA) under GDPR Article 30?
Correct answer (B): A comprehensive, written document maintained by controllers and processors detailing the categories of data processed, purposes, recipients, and retention schedules
GDPR Article 30 mandates that controllers with ≥250 employees (or those processing high-risk data regularly) maintain a written RoPA. It must document: the controller's name/contact, purposes of processing, categories of data subjects and data, recipients, third-country transfers, retention periods, and technical/organizational security measures. It must be provided to supervisory authorities on request.
18. What is the privacy risk associated with "Device Fingerprinting"?
Correct answer (C): Tracking a user across the web by analyzing their unique browser attributes (fonts, screen resolution, OS), allowing profiling even if traditional cookies are blocked
Canvas fingerprinting, AudioContext fingerprinting, and WebGL fingerprinting exploit deterministic differences in how each device renders content to create a highly stable, cross-site identifier that persists across incognito mode, cookie deletion, and VPN usage. The CJEU (Case C-252/21, Meta Platforms) and ICO treat fingerprinting as personal data processing subject to GDPR and ePrivacy consent requirements.
19. What distinguishes a "Joint Controller" relationship under GDPR?
Correct answer (A): Two or more controllers jointly determine the purposes and means of processing personal data, sharing the legal responsibilities and liabilities
GDPR Article 26 defines joint controllers as entities that together determine the purposes and means of processing. They must agree in a transparent arrangement (which may be public) on their respective responsibilities for fulfilling GDPR obligations, particularly data subject rights. The Facebook Fan Page case (C-210/16) established that Facebook and page administrators are joint controllers.
20. What is "Contextual Integrity" in the theory of privacy?
Correct answer (A): The idea that privacy is violated when data is used or shared in a way that breaks the specific norms, expectations, and context in which it was originally collected
Contextual Integrity, developed by philosopher Helen Nissenbaum, argues that privacy is not about secrecy per se, but about appropriate information flow. A medical record shared with a treating physician respects context; the same record shared with an insurer or employer violates it. This framework underpins privacy by design and purpose limitation, and informs how regulators assess secondary data use.
Conclusion: Mastering Data Protection & Privacy
Data protection and privacy law is no longer just a legal compliance checkbox; it is a core engineering concern. From implementing Privacy by Design in your architecture to correctly identifying lawful bases under GDPR, understanding CCPA opt-out flows, and executing on DSAR responses within 30 days, every developer and security professional needs fluency in the fundamentals.
The questions in this test map directly to domains assessed in certifications like CIPP/E, CIPM, CISSP, and CCSP. Understanding the implications of Schrems II for US data transfers, the distinction between pseudonymisation and anonymisation, and when a DPIA is mandatory will elevate your ability to advise on privacy-sensitive system design.
Revisit questions you missed and pair this practice test with the full Data Protection & Privacy Theory Guide and the Cyber Laws & Ethics MCQs for comprehensive exam preparation.
Key Takeaways: Data Protection & Privacy
- GDPR Lawful Bases: identify the most appropriate basis BEFORE collection; consent is the weakest and hardest to maintain, so legitimate interests or contract are often more appropriate.
- Privacy by Design (Art. 25): embed privacy controls into system architecture from day one; privacy-as-default means the most restrictive setting applies without user action.
- DPIA Triggers: mandatory for large-scale profiling, systematic public monitoring, or processing special category data; supervisory authority consultation required if high residual risk remains.
- Data Subject Rights: 8 rights under GDPR (Arts. 15–22); DSAR response deadline is 30 calendar days (extendable to 90 days for complex requests with notice).
- Schrems II: Privacy Shield invalidated; SCCs valid but require a Transfer Impact Assessment per third country; Trans-Atlantic Data Privacy Framework (2023) faces ongoing legal challenges.
- Pseudonymisation ≠ Anonymisation: pseudonymised data is STILL personal data under GDPR (re-identification possible with the separately held key); truly anonymised data falls outside GDPR scope.
- GDPR Max Penalty: up to €20 million OR 4% of global annual turnover (whichever is higher) for the most serious violations; €10 million / 2% for lesser infringements.
Quick Review & Summary
Use this summary table to consolidate key mappings and definitions before or after attempting the questions.
| Regulation | Region | Key Rights / Scope | Max Penalty |
|---|---|---|---|
| GDPR | EU / EEA | Access, rectification, erasure, portability, objection, no automated decisions | €20M or 4% global turnover |
| CCPA / CPRA | California, USA | Right to know, delete, opt-out of sale, non-discrimination; sensitive data controls (CPRA) | $2,500 per violation / $7,500 intentional |
| HIPAA | USA | PHI access, amendment, accounting of disclosures; administrative/physical/technical safeguards | Up to $1.9M per violation category/year |
| COPPA | USA | Children <13: verifiable parental consent required before data collection | Up to $50,120 per violation |
| PIPEDA | Canada | 10 fair information principles; consent-based, covers private-sector commercial activity | Up to CAD $100,000 |
| LGPD | Brazil | GDPR-modeled; 10 lawful bases, data subject rights, DPO requirement, ANPD oversight | Up to 2% of Brazil revenue (max R$50M per violation) |
Frequently Asked Questions
Q. What are the six lawful bases for processing personal data under GDPR?
Q. What is Privacy by Design and what are its seven foundational principles?
Q. What is the difference between a DSAR and a DPIA?
Q. What rights do data subjects have under GDPR?
Q. What was the Schrems II ruling and how does it affect international data transfers?
Q. What is the difference between pseudonymisation and anonymisation under GDPR?