Unlock hundreds more features
Save your Quiz to the Dashboard
View and Export Results
Use AI to Create Quizzes and Analyse Results

Sign inSign in with Facebook
Sign inSign in with Google

GDPR Awareness Test: Check Your Data Protection Knowledge

10 data protection multiple choice questions. Instant results.

Editorial: Review CompletedCreated By: Olaleye Emmanuel SesanUpdated Aug 23, 2025
Difficulty: Moderate
Questions: 20
Learning OutcomesStudy Material
Colorful paper art depicting elements related to GDPR Compliance Quiz

This GDPR awareness test helps you check key data rights, lawful bases, consent, and breach reporting, so you can improve where it counts. For deeper practice, try the gdpr compliance test, explore the hipaa compliance quiz for health data scenarios, and build wider skills with the data literacy test.

What does GDPR stand for?
General Data Protection Regulation
Global Data Protection Requirement
General Data Privacy Rule
General Data Processing Regulation
It stands for General Data Protection Regulation, the EU law on data privacy. It establishes rules for processing personal data within the EU and for data exported outside the EU.
Which GDPR principle requires that personal data collected is limited to what is necessary in relation to the purposes for which it is processed?
Data minimisation
Integrity and confidentiality
Purpose limitation
Storage limitation
Data minimisation requires limiting data to what is necessary for the processing purpose. This principle helps reduce risk and ensure only relevant data is held.
Which of the following is a lawful basis under GDPR that requires explicit permission from the data subject?
Contractual necessity
Legal obligation
Consent
Legitimate interest
Only consent depends on explicit permission that is freely given by the data subject. Other lawful bases do not require this level of explicit agreement.
Which right under GDPR allows individuals to obtain confirmation and a copy of their personal data?
Right to erasure
Right to data portability
Right to rectification
Right of access
Right of access allows individuals to request confirmation of processing and to obtain copies of their personal data. It ensures transparency and empowers individuals to verify lawfulness of processing.
Within what timeframe must a personal data breach be reported to the supervisory authority under GDPR?
24 hours
One week
72 hours
Immediately
Article 33 of the GDPR mandates that a personal data breach must be reported to the supervisory authority within 72 hours of discovery. This time limit helps ensure swift action to protect data subjects.
What is the primary purpose of conducting a Data Protection Impact Assessment (DPIA)?
To audit financial records
To train employees on data handling
To identify and mitigate privacy risks arising from processing activities
To obtain consent from all data subjects
A DPIA identifies and mitigates privacy risks arising from processing activities. It is a proactive measure to protect the rights and freedoms of individuals before launching high-risk processing.
A company repurposes customer email addresses collected for order confirmations to send marketing newsletters without further consent. Which GDPR principle is violated?
Purpose limitation
Data minimisation
Lawfulness, fairness, and transparency
Data integrity
Purpose limitation prohibits using personal data for new purposes without appropriate consent or legal basis. Repurposing data for marketing without consent breaches this principle.
In a controller-processor relationship, who is primarily responsible for ensuring lawful processing of personal data under GDPR?
The data protection officer
The supervisory authority
The data processor
The data controller
The data controller determines the purposes and means of processing, making them legally responsible for compliance. Processors act on the controller's instructions but the controller holds primary accountability.
When transferring personal data to a non-EU country without an adequacy decision, which safeguard is acceptable under GDPR?
Standard Contractual Clauses
Local encryption only
Privacy Shield
Binding national laws
Standard Contractual Clauses are pre-approved contractual terms ensuring adequate protection for data transferred outside the EU. They provide legal safeguards when no adequacy decision exists.
After identifying a personal data breach, what should an organization do first under GDPR?
Contain and assess the breach
Notify all data subjects immediately
Update the privacy notice
Delete affected data
The first step is to contain and assess the breach to understand its scope and impact. This allows the organization to plan remediation and notification steps effectively.
Which GDPR right allows individuals to request the deletion of their personal data?
Right to portability
Right to rectification
Right to object
Right to erasure
Right to erasure, also known as the 'right to be forgotten', enables individuals to request deletion of their personal data. It applies when data is no longer necessary or consent is withdrawn.
How long does an organization have to respond to a subject access request under GDPR?
Immediately
One month
Two weeks
72 hours
GDPR mandates a one-month period for organizations to respond to subject access requests. A two-month extension is allowed in complex cases after notifying the requester.
If data processing is necessary to comply with a legal obligation, which lawful basis applies under GDPR?
Consent
Legal obligation
Vital interests
Legitimate interest
Processing that is required to meet legal obligations falls under the legal obligation lawful basis. This basis applies when laws or regulations mandate the processing activity.
Which GDPR principle ensures personal data is not kept longer than necessary for its original purpose?
Accountability
Storage limitation
Integrity and confidentiality
Accuracy
Storage limitation ensures personal data is retained only as long as necessary for the processing purposes. After that period, data must be deleted or anonymised to comply with GDPR.
Which of the following is NOT considered special category personal data under GDPR?
Religious beliefs
Email address
Health information
Ethnic origin
Email addresses are not classified as special category data because they are not inherently sensitive. Special categories include data like health status, racial or ethnic origin, and religious beliefs.
Which of the following best describes valid consent under GDPR?
A clear affirmative action freely given for specific purposes
A pre-ticked checkbox agreed at registration
Implied consent via website usage
Bundled consent included in general terms
GDPR requires consent to be a clear affirmative action, freely given for specific purposes. Pre-ticked boxes or bundled consent do not meet the GDPR standard for valid consent.
Which GDPR article requires the notification of personal data breaches to the supervisory authority?
Article 34
Article 32
Article 33
Article 35
Article 33 of the GDPR specifically mandates notification of personal data breaches to the supervisory authority within 72 hours of awareness. Notification must occur promptly unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
What is the maximum administrative fine for infringements of GDPR's core processing principles?
Up to €10 million or 2% of global turnover
Up to €20 million or 4% of global turnover
Up to €50 million flat fee
Up to €5 million or 1% of turnover
Basic processing principle infringements can incur fines up to €10 million or 2% of annual global turnover. Higher-tier infringements of rights and obligations carry higher fines up to €20 million or 4% of turnover.
Which element must a Data Protection Impact Assessment (DPIA) include according to GDPR guidelines?
An assessment of processing necessity and risk mitigation measures
Employee training schedules
Marketing strategies
A full financial audit of the project
A DPIA must include an assessment of processing necessity, proportionality, and measures to mitigate identified risks. This structured evaluation ensures potential harms to data subjects are addressed.
Under GDPR, which obligation is mandatory for data processors?
Respond directly to data subject requests
Determine the purposes of the processing
Appoint a Data Protection Officer in all cases
Process personal data only on the controller's documented instructions
Article 28 of the GDPR mandates that processors only process personal data on the controller's documented instructions. This ensures processors cannot use data for purposes beyond what the controller has authorized.
0
{"name":"What does GDPR stand for?", "url":"https://www.quiz-maker.com/QPREVIEW","txt":"What does GDPR stand for?, Which GDPR principle requires that personal data collected is limited to what is necessary in relation to the purposes for which it is processed?, Which of the following is a lawful basis under GDPR that requires explicit permission from the data subject?","img":"https://www.quiz-maker.com/3012/images/ogquiz.png"}

Learning Outcomes

  1. Identify key principles and requirements of GDPR compliance
  2. Analyse real-world scenarios for data privacy compliance
  3. Evaluate organizational policies against GDPR standards
  4. Apply best practices for data subject rights management
  5. Demonstrate proper data breach response procedures

Cheat Sheet

  1. Seven Key Principles of GDPR - The GDPR stands on seven awesome pillars - lawfulness, fairness & transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity & confidentiality; and accountability. Mastering these basics turns you into a data-protection superstar!
  2. Lawful Processing - Every data move you make needs a solid legal basis - like consent, contract needs, legal obligations, vital interests, public tasks, or legitimate interests. Ensuring lawfulness is your ticket to GDPR compliance fame.
  3. Data Minimization - Less is more! Only collect what you absolutely need for your project, and say goodbye to extra risk and clutter. Embracing minimalism makes privacy a breeze.
  4. Data Accuracy - Keep info fresh by regularly updating and correcting personal data - no more outdated or duplicate entries! Accurate data protects both you and your data subjects from mishaps.
  5. Storage Limitation - Retain personal data only as long as it serves its purpose, then let it go! Craft clear retention policies to avoid data hoarding.
  6. Integrity & Confidentiality - Armor up with strong security measures to shield data from unauthorized access, loss, or damage. Routine security checks keep you one step ahead of cyber mischief.
  7. Data Subjects' Rights - Respect rights like access, correction, erasure, processing restriction, portability, and objection - it's like granting data superheroes their superpowers! Upholding these rights is mandatory for true compliance.
  8. Breach Response Plan - Gear up with a clear, speedy breach-response plan to tackle data incidents head-on. Fast action can save the day and minimize damage!
  9. Data Protection Impact Assessments - Run DPIAs to spot and squash privacy risks before they blow up. Proactive risk checks build trust and keep your projects on the right side of the law.
  10. Accountability Culture - Document your compliance moves, train your team, and if required, appoint a Data Protection Officer. Showing you've got GDPR covered earns you credibility and confidence.
Powered by: Quiz Maker