Take the GDPR Compliance Knowledge Test

Test Your Knowledge of EU Privacy Rules

Difficulty: Moderate
Questions: 20

This GDPR compliance quiz helps you practice EU data protection rules with 15 quick, real-world multiple-choice questions. Scenarios cover core GDPR duties such as consent, data subject rights, and breach notification steps. Use your score to spot gaps before training or an audit, or try a broader compliance assessment.

What is considered personal data under the GDPR?
Encrypted password hash
Website uptime metrics
Corporate revenue figures
User's name
Personal data is any information relating to an identifiable natural person. A user's name directly identifies an individual. Corporate revenue figures, website metrics, and encrypted hashes do not identify a natural person.
Which GDPR principle requires that personal data be collected for specified, explicit, and legitimate purposes?
Purpose limitation
Storage limitation
Data minimization
Lawfulness, fairness, and transparency
The purpose limitation principle requires that personal data be collected only for specified, explicit, and legitimate purposes. It prevents using data for incompatible reasons. Other principles address scope, retention, and transparency.
Which lawful basis requires a data subject's voluntary, specific, informed, and unambiguous indication of agreement to processing?
Vital interests
Contractual necessity
Legal obligation
Consent
Consent is the lawful basis that requires a clear, voluntary, specific, and informed agreement from the data subject. Other bases rely on necessity for contracts, legal obligations, or vital interests rather than explicit permission.
Under GDPR, which right allows individuals to obtain confirmation and access their personal data held by a controller?
Right to object
Right to data portability
Right to erasure
Right of access
The right of access allows individuals to request and receive a copy of their personal data held by a controller. The right to erasure is deletion, the right to data portability is transfer of data, and the right to object is to stop processing.
Which principle mandates that organizations collect only the personal data that is adequate, relevant, and limited to what is necessary for processing purposes?
Data minimization
Integrity and confidentiality
Accuracy
Accountability
Data minimization mandates that organizations collect only data that is adequate, relevant, and limited to what is necessary. Accuracy relates to correctness, integrity and confidentiality to security, and accountability to oversight.
The right to data portability under GDPR allows data subjects to:
Have their personal data deleted immediately
Object to all processing of personal data
Transfer their personal data to another controller in a machine-readable format
Restrict processing while a dispute is resolved
The right to data portability enables data subjects to receive and transmit their personal data in a structured, commonly used machine-readable format. It does not cover deletion, objection, or restriction of processing.
What is the maximum period within which a controller must respond to a valid data subject access request?
Six months
14 days
72 hours
One month
GDPR requires controllers to respond to access requests without undue delay and at the latest within one month of receipt. Shorter periods apply to breach notification but not to access requests.
Which lawful basis allows processing personal data when it is necessary for the legitimate interests pursued by the controller or a third party?
Legal obligation
Consent
Legitimate interests
Public task
Legitimate interests as a lawful basis allows processing when it is necessary for the controller's or a third party's legitimate interests, provided the individual's rights do not override them. Other bases address public authority, legal duty, or consent.
Under GDPR, when is it required to conduct a Data Protection Impact Assessment (DPIA)?
When data retention exceeds one year
When processing any personal data
When transferring data outside the EU
When processing is likely to result in high risk to individuals' rights and freedoms
A DPIA is mandatory when processing is likely to result in a high risk to individuals' rights and freedoms, such as large-scale sensitive data processing. Routine or low-risk processing typically does not require a DPIA.
Who determines the purposes and means of processing personal data under GDPR?
Data Protection Officer
Data Processor
Supervisory Authority
Data Controller
The data controller is the entity that determines the purposes and means of processing personal data under GDPR. Processors act on behalf of controllers, DPOs advise, and supervisory authorities enforce compliance.
Which mechanism is commonly used to ensure lawful transfer of personal data from the EU to countries outside the European Economic Area?
Binding Corporate Rules
Data Protection Registration
EU-US Privacy Shield
Standard Contractual Clauses
Standard Contractual Clauses are contract terms pre-approved by the European Commission to ensure data protection in transfers outside the EEA. The Privacy Shield has been invalidated, and Binding Corporate Rules apply only within corporate groups.
What document must organizations maintain to demonstrate processing activities and compliance with GDPR obligations?
Privacy Policy
Records of Processing Activities
Data Protection Impact Assessment
Data Breach Register
Article 30 of GDPR requires organizations to maintain Records of Processing Activities documenting purposes, categories, and safeguards. A privacy policy communicates to data subjects, and DPIAs assess risk rather than log all processing.
Which data subject right allows individuals to stop their personal data being used for direct marketing and profiling?
Right to rectification
Right to restrict processing
Right to object
Right to erasure
The right to object allows individuals to stop processing of their personal data for direct marketing or profiling based on legitimate interests. Restriction, erasure, and rectification address different scenarios.
Under GDPR, what is the maximum administrative fine for infringements of basic data processing principles, such as data security or consent conditions?
€5 million
€10 million or 2% of global turnover
€20 million or 4% of global turnover
€1 million
GDPR imposes a maximum fine of €10 million or 2% of global annual turnover for violations of basic processing principles and consent conditions. Higher tiers apply to more severe infringements.
In the event of a personal data breach, within what timeframe must a controller notify the relevant supervisory authority under GDPR?
48 hours
7 days
72 hours
24 hours
Controllers must notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in risk. Other timelines do not apply.
Which condition must be met to legally process special category personal data under GDPR?
Explicit consent from the data subject
Automatic deletion after processing
Approval by the Data Protection Officer
Legitimate interest basis
Special category data such as health information requires explicit consent under Article 9 unless another specific condition applies. Legitimate interest and general consent do not meet the heightened requirement.
What type of contract between a controller and a processor is mandatory under GDPR to govern processing activities?
Data Protection Impact Assessment
Data Processing Agreement
Data Sharing Protocol
Data Retention Agreement
A Data Processing Agreement is mandatory between a controller and processor under GDPR to define processing scope, security measures, and compliance obligations. Other documents do not meet contractual requirements.
How can a data controller demonstrate compliance with the GDPR accountability principle?
By anonymizing all personal data
By documenting processing activities and implementing policies
By automatically deleting data after one year
By appointing a Data Protection Officer only
The GDPR accountability principle requires controllers to implement and document policies, procedures, and records demonstrating compliance. Appointing a DPO or anonymizing data alone are not sufficient without comprehensive documentation.
A data subject requests erasure of personal data that the organization must retain to comply with a legal obligation. What should the controller do?
Delete the data immediately
Refuse the request based on the legal obligation exception
Transfer the data to a third country
Seek additional consent to retain the data
The right to erasure has exceptions when data must be retained to comply with legal obligations. If the organization is legally required to keep the data, it must refuse the erasure request under GDPR rules.
An organization intends to use non-essential cookies for analytics. What must it obtain before placing these cookies?
Prior opt-in consent after providing clear information
Notification to the supervisory authority
Implied consent through site use
No consent, only a privacy policy notice
Non-essential cookies require prior opt-in consent after providing clear and comprehensive information to users. Updating a privacy policy or implied consent does not meet GDPR consent requirements for cookies.

Learning Outcomes

  1. Identify core principles of GDPR and their applications
  2. Analyse data subject rights under EU regulations
  3. Evaluate organizational responsibilities for data compliance
  4. Apply GDPR requirements to real-world scenarios
  5. Demonstrate awareness of lawful data processing conditions
  6. Master best practices for handling personal data securely

Cheat Sheet

  1. Understand the Seven Core Principles of GDPR - GDPR is built on nine golden rules like transparency, purpose limitation, and accountability that guide every step of data handling. Mastering these principles helps you become a privacy champion and ensures data stays in safe hands.
  2. Recognize Data Subject Rights - Individuals hold superpowers under GDPR, including the right to access, correct, erase, or even port their data. Knowing these rights inside out means you'll never be caught off guard and can keep everyone's privacy respected.
  3. Identify Lawful Bases for Processing - Whether it's consent, contractual necessity, or a legal obligation, every data activity needs a solid legal foothold. Picking the right basis is like choosing the right tool for the job - it keeps you compliant and avoids nasty surprises.
  4. Implement Data Protection by Design and Default - Bake privacy into your projects from day one by adopting habits like minimal data collection and secure defaults. This proactive strategy turns compliance into second nature and keeps risk gremlins at bay.
  5. Maintain Data Accuracy and Integrity - Outdated or incorrect info is a one-way ticket to compliance chaos. Set up easy update mechanisms so individuals can correct their data quickly, keeping your records fresh and trustworthy.
  6. Establish Data Retention Policies - Decide exactly how long each piece of data hangs around - no more, no less. Regular reviews and secure deletions ensure you're only holding what's necessary, reducing clutter and privacy risk.
  7. Ensure Data Security Measures - Lock down personal data with technical shields like encryption and firewalls, plus organizational armor like clear policies. Regular security check-ups help you stay ahead of evolving threats and sleep soundly.
  8. Understand the Role of Data Protection Officers (DPOs) - In some organizations, a DPO is your GDPR guardian, monitoring compliance and being the go-to person for authorities and individuals. Knowing when and how to appoint one ensures you meet important regulatory checkpoints.
  9. Prepare for Data Breach Response - Even the best guards can slip up, so have a breach plan ready! Practice detecting, reporting within 72 hours, and communicating with affected individuals to turn chaos into calm.
  10. Document Compliance Efforts - Keep a clear log of all data processing activities: purposes, categories, retention periods, and more. This transparent trail shows you've got your GDPR ducks in a row and makes audits a breeze.