Unlock hundreds more features
Save your Quiz to the Dashboard
View and Export Results
Use AI to Create Quizzes and Analyse Results

OR
Sign inSign in with Facebook
Sign inSign in with Google
Quizzes > Computers & IT

GDPR Awareness Test: Check Your Data Protection Knowledge

10 data protection multiple choice questions. Instant results.

Editorial: Review CompletedCreated By: Olaleye Emmanuel SesanUpdated Aug 23, 2025
Difficulty: Moderate
Questions: 20
Learning OutcomesStudy Material
Colorful paper art depicting elements related to GDPR Compliance Quiz

This GDPR awareness test helps you check key data rights, lawful bases, consent, and breach reporting, so you can improve where it counts. For deeper practice, try the gdpr compliance test, explore the hipaa compliance quiz for health data scenarios, and build wider skills with the data literacy test.

What does GDPR stand for?
General Data Processing Regulation
General Data Protection Regulation
Global Data Protection Requirement
General Data Privacy Rule
It stands for General Data Protection Regulation, the EU law on data privacy. It establishes rules for processing personal data within the EU and for data exported outside the EU.
Which GDPR principle requires that personal data collected is limited to what is necessary in relation to the purposes for which it is processed?
Purpose limitation
Integrity and confidentiality
Data minimisation
Storage limitation
Data minimisation requires limiting data to what is necessary for the processing purpose. This principle helps reduce risk and ensure only relevant data is held.
Which of the following is a lawful basis under GDPR that requires explicit permission from the data subject?
Consent
Legitimate interest
Legal obligation
Contractual necessity
Only consent depends on explicit permission that is freely given by the data subject. Other lawful bases do not require this level of explicit agreement.
Which right under GDPR allows individuals to obtain confirmation and a copy of their personal data?
Right to rectification
Right of access
Right to erasure
Right to data portability
Right of access allows individuals to request confirmation of processing and to obtain copies of their personal data. It ensures transparency and empowers individuals to verify lawfulness of processing.
Within what timeframe must a personal data breach be reported to the supervisory authority under GDPR?
24 hours
72 hours
One week
Immediately
Article 33 of the GDPR mandates that a personal data breach must be reported to the supervisory authority within 72 hours of discovery. This time limit helps ensure swift action to protect data subjects.
What is the primary purpose of conducting a Data Protection Impact Assessment (DPIA)?
To identify and mitigate privacy risks arising from processing activities
To audit financial records
To obtain consent from all data subjects
To train employees on data handling
A DPIA identifies and mitigates privacy risks arising from processing activities. It is a proactive measure to protect the rights and freedoms of individuals before launching high-risk processing.
A company repurposes customer email addresses collected for order confirmations to send marketing newsletters without further consent. Which GDPR principle is violated?
Lawfulness, fairness, and transparency
Purpose limitation
Data minimisation
Data integrity
Purpose limitation prohibits using personal data for new purposes without appropriate consent or legal basis. Repurposing data for marketing without consent breaches this principle.
In a controller-processor relationship, who is primarily responsible for ensuring lawful processing of personal data under GDPR?
The supervisory authority
The data protection officer
The data controller
The data processor
The data controller determines the purposes and means of processing, making them legally responsible for compliance. Processors act on the controller's instructions but the controller holds primary accountability.
When transferring personal data to a non-EU country without an adequacy decision, which safeguard is acceptable under GDPR?
Privacy Shield
Standard Contractual Clauses
Binding national laws
Local encryption only
Standard Contractual Clauses are pre-approved contractual terms ensuring adequate protection for data transferred outside the EU. They provide legal safeguards when no adequacy decision exists.
After identifying a personal data breach, what should an organization do first under GDPR?
Contain and assess the breach
Update the privacy notice
Notify all data subjects immediately
Delete affected data
The first step is to contain and assess the breach to understand its scope and impact. This allows the organization to plan remediation and notification steps effectively.
Which GDPR right allows individuals to request the deletion of their personal data?
Right to erasure
Right to portability
Right to rectification
Right to object
Right to erasure, also known as the 'right to be forgotten', enables individuals to request deletion of their personal data. It applies when data is no longer necessary or consent is withdrawn.
How long does an organization have to respond to a subject access request under GDPR?
One month
72 hours
Two weeks
Immediately
GDPR mandates a one-month period for organizations to respond to subject access requests. A two-month extension is allowed in complex cases after notifying the requester.
If data processing is necessary to comply with a legal obligation, which lawful basis applies under GDPR?
Legitimate interest
Vital interests
Consent
Legal obligation
Processing that is required to meet legal obligations falls under the legal obligation lawful basis. This basis applies when laws or regulations mandate the processing activity.
Which GDPR principle ensures personal data is not kept longer than necessary for its original purpose?
Accountability
Storage limitation
Integrity and confidentiality
Accuracy
Storage limitation ensures personal data is retained only as long as necessary for the processing purposes. After that period, data must be deleted or anonymised to comply with GDPR.
Which of the following is NOT considered special category personal data under GDPR?
Email address
Religious beliefs
Ethnic origin
Health information
Email addresses are not classified as special category data because they are not inherently sensitive. Special categories include data like health status, racial or ethnic origin, and religious beliefs.
Which of the following best describes valid consent under GDPR?
A pre-ticked checkbox agreed at registration
A clear affirmative action freely given for specific purposes
Bundled consent included in general terms
Implied consent via website usage
GDPR requires consent to be a clear affirmative action, freely given for specific purposes. Pre-ticked boxes or bundled consent do not meet the GDPR standard for valid consent.
Which GDPR article requires the notification of personal data breaches to the supervisory authority?
Article 34
Article 33
Article 32
Article 35
Article 33 of the GDPR specifically mandates notification of personal data breaches to the supervisory authority within 72 hours of awareness. Notification must occur promptly unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
What is the maximum administrative fine for infringements of GDPR's core processing principles?
Up to €50 million flat fee
Up to €20 million or 4% of global turnover
Up to €10 million or 2% of global turnover
Up to €5 million or 1% of turnover
Basic processing principle infringements can incur fines up to €10 million or 2% of annual global turnover. Higher-tier infringements of rights and obligations carry higher fines up to €20 million or 4% of turnover.
Which element must a Data Protection Impact Assessment (DPIA) include according to GDPR guidelines?
An assessment of processing necessity and risk mitigation measures
Marketing strategies
A full financial audit of the project
Employee training schedules
A DPIA must include an assessment of processing necessity, proportionality, and measures to mitigate identified risks. This structured evaluation ensures potential harms to data subjects are addressed.
Under GDPR, which obligation is mandatory for data processors?
Determine the purposes of the processing
Respond directly to data subject requests
Appoint a Data Protection Officer in all cases
Process personal data only on the controller's documented instructions
Article 28 of the GDPR mandates that processors only process personal data on the controller's documented instructions. This ensures processors cannot use data for purposes beyond what the controller has authorized.
0
{"name":"What does GDPR stand for?", "url":"https://www.quiz-maker.com/QPREVIEW","txt":"What does GDPR stand for?, Which GDPR principle requires that personal data collected is limited to what is necessary in relation to the purposes for which it is processed?, Which of the following is a lawful basis under GDPR that requires explicit permission from the data subject?","img":"https://www.quiz-maker.com/3012/images/ogquiz.png"}

Learning Outcomes

  1. Identify key principles and requirements of GDPR compliance
  2. Analyse real-world scenarios for data privacy compliance
  3. Evaluate organizational policies against GDPR standards
  4. Apply best practices for data subject rights management
  5. Demonstrate proper data breach response procedures

Cheat Sheet

  1. Seven Key Principles of GDPR - The GDPR stands on seven awesome pillars - lawfulness, fairness & transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity & confidentiality; and accountability. Mastering these basics turns you into a data-protection superstar!
  2. Lawful Processing - Every data move you make needs a solid legal basis - like consent, contract needs, legal obligations, vital interests, public tasks, or legitimate interests. Ensuring lawfulness is your ticket to GDPR compliance fame.
  3. Data Minimization - Less is more! Only collect what you absolutely need for your project, and say goodbye to extra risk and clutter. Embracing minimalism makes privacy a breeze.
  4. Data Accuracy - Keep info fresh by regularly updating and correcting personal data - no more outdated or duplicate entries! Accurate data protects both you and your data subjects from mishaps.
  5. Storage Limitation - Retain personal data only as long as it serves its purpose, then let it go! Craft clear retention policies to avoid data hoarding.
  6. Integrity & Confidentiality - Armor up with strong security measures to shield data from unauthorized access, loss, or damage. Routine security checks keep you one step ahead of cyber mischief.
  7. Data Subjects' Rights - Respect rights like access, correction, erasure, processing restriction, portability, and objection - it's like granting data superheroes their superpowers! Upholding these rights is mandatory for true compliance.
  8. Breach Response Plan - Gear up with a clear, speedy breach-response plan to tackle data incidents head-on. Fast action can save the day and minimize damage!
  9. Data Protection Impact Assessments - Run DPIAs to spot and squash privacy risks before they blow up. Proactive risk checks build trust and keep your projects on the right side of the law.
  10. Accountability Culture - Document your compliance moves, train your team, and if required, appoint a Data Protection Officer. Showing you've got GDPR covered earns you credibility and confidence.
Make a Quiz (FREE) Copy & Edit This Quiz Create a Quiz with AI

Government Quizzes

Powered by: Quiz Maker