1) Under the UK GDPR and the Data Protection Act 2018, which lawful basis best fits a retailer emailing e-receipts to customers immediately after a purchase, where customers reasonably expect this use of their email address?
a) Legitimate interests
b) Contract
c) Consent
d) Legal obligation

2) A company wants to use customer purchase history to train a recommendation algorithm for new product suggestions. Which principle must it prioritise to avoid repurposing the data unlawfully?
a) Purpose limitation
b) Accuracy
c) Storage limitation
d) Data minimisation

3) A data subject exercises their right of access. What must the organisation provide within the statutory timeframe?
a) A copy of the personal data and supplementary information about the processing
b) A summary of the dataset without individual-level details
c) Only raw data records, excluding any contextual information
d) Only data collected in the last 30 days

4) Which right allows individuals to receive their personal data in a structured, commonly used, machine-readable format and transmit it to another controller?
a) Right to object
b) Right to restriction
c) Right to data portability
d) Right to erasure

5) Under the UK GDPR penalty regime, which option describes the upper-tier administrative fine for the most serious infringements (e.g., violating the basic principles)?
a) Up to £17.5 million or 4% of annual worldwide turnover, whichever is higher
b) A fixed £1 million regardless of turnover
c) Up to £8.7 million or 2% of annual worldwide turnover, whichever is higher
d) Criminal penalties only, not administrative fines

6) A retailer plans to email past customers about a new product line. The list includes customers from the UK and several EU countries. Which approach best satisfies lawful basis and territorial scope?
a) Use consent for EU recipients under the GDPR, and legitimate interests for UK recipients under the UK GDPR/DPA 2018, with separate assessments
b) Rely on legitimate interests for all recipients without further assessment
c) Process under contract for all recipients because marketing improves customer experience
d) Send emails to all customers because a previous purchase implies consent

7) A health-tech startup wants to combine anonymised patient activity data with demographic data to improve a recommendation engine. What is the safest data strategy to remain outside GDPR/UK GDPR scope while preserving utility?
a) Aggregate and anonymise using strong de-identification, risk-assess re-identification, and keep a separation-of-duties control over any keys
b) Use pseudonymisation and store a re-identification key with the analytics team for convenience
c) Rely on user consent but keep raw identifiers for model retraining
d) Hash all identifiers and treat the dataset as anonymous without further checks

8) A SaaS vendor processes UK customers' HR data in an EU data centre and uses a US-based sub-processor for email notifications. What is the most compliant transfer mechanism and governance package?
a) Rely on adequacy for the EU and transfer to the US sub-processor without safeguards
b) Use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, conduct a Transfer Risk Assessment, and implement supplementary measures
c) Obtain employee consent for international transfers and rely on it as the main safeguard
d) Classify all data as non-personal because only email addresses are used by the sub-processor

9) An individual asks your company to erase their account data, but financial records must be kept for a statutory retention period. What is the best response under the GDPR/UK GDPR and DPA 2018?
a) Keep all data but mark the account closed
b) Delete everything immediately to honour the request in full
c) Refuse the request entirely because of legal obligations
d) Erase what is not legally required, restrict processing of the retained records, and inform the individual of what was done and why

10) Your team wants to deploy facial recognition in a UK retail store to detect repeat shoplifting offenders. What is the most compliant approach before deployment?
a) Store images indefinitely because they may be useful for future incidents
b) Proceed under legitimate interests because it protects assets
c) Carry out a DPIA, identify a lawful basis and an Article 9 condition for the biometric data, and apply signage, narrow watchlists, strict retention, accuracy checks, vendor due diligence and regular reviews
d) Use implied consent via in-store signage
Explanation: option c reflects the need for a DPIA, because the processing is likely to result in a high risk to individuals' rights and freedoms. You must identify a lawful basis (e.g., legitimate interests) and, because biometric data is special category data when used to uniquely identify a person, meet an Article 9 condition such as a substantial public interest condition under the DPA 2018, supported by an appropriate policy document where one is required. Also apply signage and privacy notices, narrow watchlists, strict retention limits, accuracy checks, vendor due diligence and regular reviews. Where residual high risk remains and cannot be mitigated, prior consultation with the ICO is required.

11) A data subject in France requests access to all data your UK company holds about them, including email content and profiling scores. What is your best next step?
a) Provide a summary only, excluding emails as confidential
b) Charge a standard fee to cover administrative costs
c) Refuse because you are a UK company and the request comes from the EU
d) Verify identity, search all relevant systems, and provide a copy of the data together with meaningful information about the profiling, applying exemptions and third-party redactions proportionately
Explanation: option d aligns with the right of access. Verify identity to prevent unauthorised disclosure; search all relevant systems; provide a copy in a commonly used format; and include meaningful information about the logic involved in the profiling, its significance and its envisaged consequences. Apply exemptions proportionately, redact third-party data where necessary, meet the statutory deadline, and keep an audit trail for accountability.

12) Your analytics team proposes tracking the precise location of app users to personalise offers. Which compliance path best balances business aims and data protection?
a) Collect precise location by default and let users opt out later
b) Hash location coordinates so that no further controls are needed
c) Obtain opt-in consent for precise geolocation, provide granular controls, minimise data granularity and retention, and offer non-tracking alternatives
d) Rely on contract necessity because personalisation improves service quality

13) A vendor suffers a breach exposing encrypted customer data. The encryption keys are stored in the same environment. What is your immediate breach evaluation and notification stance?
a) Assume the vendor is responsible and no controller obligations apply
b) Treat it as low risk because the data is encrypted
c) Assess the risk as potentially high because the keys may also be exposed, contain the incident, evaluate the likelihood of harm, and notify the ICO and affected individuals if the thresholds are met
d) Wait for the vendor's final report before taking any action

14) Your UK company wants to repurpose customer support chat logs to train an internal AI assistant. What is the most defensible compliance path?
a) Obtain consent for training or, if relying on legitimate interests, conduct a legitimate interests assessment (LIA), update privacy notices, allow objection, minimise and pseudonymise the data, and implement retention and access controls
b) Treat all data as anonymous after removing names
c) Use the logs under legitimate interests without further steps
d) Share the logs with an external vendor for model training without additional measures because the vendor is a processor

15) An employee requests portability of their performance metrics and internal badges from your HR system to a third-party career platform. What data must you provide?
a) Only data the employee entered directly
b) Nothing, because portability does not apply to employment
c) All data in the HR file, including manager notes and disciplinary investigations
d) Personal data they provided, or that was observed from their activities, processed under a contract and by automated means, in a structured, commonly used, machine-readable format, excluding most inferred data and third-party data
