Exam4Training

BCS PDP9 BCS Practitioner Certificate in Data Protection Online Training

Question #1

Who is entitled to a private life by law in the UK?

  • A . All individuals.
  • B . All individuals save for Members of Parliament
  • C . Private individuals who do not conduct their business on public platforms (such as professional sports people and actors)
  • D . Nobody

Correct Answer: A

Explanation:

The right to a private life is a fundamental human right that is protected by law in the UK. Article 8 of the European Convention on Human Rights (ECHR), which is incorporated into UK law by the Human Rights Act 1998, states that “Everyone has the right to respect for his private and family life, his home and his correspondence”. This right applies to all individuals, regardless of their status, profession, or public exposure. The right to a private life covers aspects such as personal identity, personal relationships, physical and mental well-being, personal data, and correspondence. However, this right is not absolute and can be limited or interfered with by the state or other parties in certain circumstances, such as for the protection of national security, public safety, health, morals, or the rights and freedoms of others.

Reference:

Article 8 of the ECHR

Human Rights Act 1998

ICO Guide to Data Protection

Question #2

When were data protection rights first introduced into UK law?

  • A . 2000 (Data Protection Act 1998)
  • B . 1992 (Data Protection Act 1992).
  • C . 1984 (Data Protection Act 1984).
  • D . 2018 (Data Protection Act 2018)

Correct Answer: C

Explanation:

Data protection rights were first introduced into UK law by the Data Protection Act 1984, which was enacted to implement the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 1981. The Data Protection Act 1984 established a set of principles for the processing of personal data by data users, such as obtaining consent, ensuring accuracy, and limiting retention. It also created a system of registration for data users and a Data Protection Registrar (later renamed as the Information Commissioner) to oversee and enforce the law. The Data Protection Act 1984 was replaced by the Data Protection Act 1998, which transposed the EU Data Protection Directive 1995 into UK law and extended the scope of data protection to cover manual as well as automated processing of personal data. The Data Protection Act 1998 was further amended by the Data Protection Act 2018, which incorporated the EU General Data Protection Regulation (GDPR) and the Law Enforcement Directive into UK law and made provisions for specific processing situations, such as national security, immigration, and journalism.

Reference:

Data Protection Act 1984

Council of Europe Convention 108

Data Protection Act 1998

Data Protection Act 2018

Question #3

A company has twenty retail outlets in France and thirty retail outlets in Belgium. The payroll department and the Data Protection Officer are based in Poland. The Company Board and administrative functions are based in Germany. Determine where the company’s ‘main establishment’ would be.

  • A . Belgium
  • B . France
  • C . Germany
  • D . Poland

Correct Answer: C

Explanation:

The main establishment of a controller or a processor in the EU is the place where the decisions on the purposes and means of the processing of personal data are taken and implemented. According to Recital 36 of the GDPR, the main establishment of a controller with establishments in more than one Member State should be the place of its central administration in the EU, unless the decisions on the processing are taken in another establishment of the controller in the EU and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions should be considered to be the main establishment. Similarly, the main establishment of a processor with establishments in more than one Member State should be the place of its central administration in the EU, or, if the processor has no central administration in the EU, the establishment of the processor in the EU where the main processing activities take place to the extent that the processor is subject to specific obligations under the GDPR. The main establishment is relevant for determining the lead supervisory authority, the applicable law, and the jurisdiction of the courts for cross-border processing of personal data. In this case, the company’s main establishment would be Germany, as it is the place where the company board and administrative functions are based and where the decisions on the processing of personal data are likely to be taken and implemented.

Reference:

Recital 36 of the GDPR

Article 4(16) of the GDPR

Article 56 of the GDPR

Question #4

Under which circumstances can the ‘domestic purposes’ exemption be used to justify non-compliance with the Data Protection Act 2018?

A) An individual sells make up products for commission and uses social media to promote products to friends and family

B) A couple are planning their daughter’s wedding and use excel to store contact details and dietary needs of the guests

C) An individual employs a babysitter and stores her bank details in an encrypted document in order to make payments

D) A parish council keeps a spreadsheet to manage bookings of the village hall; it contains only contact information and time slots

E) A group of students are arranging a house party and using social media to invite people that they do and do not know

  • A . A, B, C, and E.
  • B . B, C, D, and E
  • C . B and C
  • D . A, B, C, and D

Correct Answer: C

Explanation:

The domestic purposes exemption applies to personal data processed by an individual only for the purposes of their personal, family or household affairs. This means that the processing has no connection to any professional or commercial activity. Examples of such processing include writing to friends and family, taking pictures for personal enjoyment, or keeping an address book. However, the exemption does not apply if the individual processes personal data outside the reasonable expectations of the data subject, or if the processing causes unwarranted harm to the data subject’s interests. Therefore, the exemption can be used to justify non-compliance with the Data Protection Act 2018 in scenarios B and C, where the processing is purely personal and does not affect the rights and freedoms of others. However, the exemption cannot be used in scenarios A, D and E, where the processing has a professional or commercial element, or involves sharing personal data with third parties without consent or legitimate interest.

Reference:

Data Protection Act 2018, Schedule 2, Part 1, Paragraph 2

ICO Guide to Data Protection, Domestic Purposes

ICO Guide to Data Protection, Exemptions

Question #5

What is the meaning of storage limitation in relation to UK GDPR Article 5 (1)(e)?

  • A . Keeping identifiable personal data for no longer than is necessary for the intended processing
  • B . Storing data in a secure format only permitting access to those with a business need
  • C . Only storing data in locations within the EU, except where there is an adequacy decision.
  • D . Limiting the number of records stored in any single repository to minimise risk surface.

Correct Answer: A

Explanation:

Storage limitation is one of the principles of data protection under the UK GDPR. It means that personal data should not be kept in a form that allows identification of data subjects for longer than is necessary for the purposes for which the data are processed. The UK GDPR does not specify any fixed time limits for different types of data, but rather requires data controllers to determine and justify the appropriate retention periods for their processing activities, taking into account factors such as the nature, scope, context and purposes of the processing, the risks to the rights and freedoms of data subjects, and the legal obligations and expectations of the data controller. Data controllers should also have a policy setting out standard retention periods where possible, and review the data they hold regularly to ensure that it is erased or anonymised when it is no longer needed. Data subjects have the right to request the erasure of their personal data if the data controller no longer has a lawful basis or a legitimate interest for keeping it. The UK GDPR allows for some exceptions to the storage limitation principle, such as when the personal data is processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to appropriate safeguards for the rights and freedoms of data subjects.

Reference:

UK GDPR, Article 5 (1) (e) and (2)

UK GDPR, Article 17

UK GDPR, Article 89

ICO Guide to Data Protection, Storage Limitation

Question #6

Which of the below would be the BEST example of processing that could utilise the Public Interest Task lawful basis?

  • A . A health authority processing the personal information of its staff in order to record all training undertaken
  • B . A debt collection agency processing information relating to unpaid fines for misuse of community council car parking.
  • C . A local authority processing the personal information of the person responsible for paying council tax
  • D . A tax authority drops cookies on the devices of visitors to its website

Correct Answer: C

Explanation:

The public interest task lawful basis applies to the processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The relevant task or authority must have a clear basis in domestic law, such as a statutory power, a common law duty, or a function of the Crown, central or local government. The processing must also be necessary, meaning that there is no reasonable and less intrusive way to achieve the same purpose. The public interest task lawful basis is most relevant to public authorities, but it can also apply to any organisation that exercises official authority or carries out tasks in the public interest. In scenario C, a local authority processing the personal information of the person responsible for paying council tax is likely to rely on the public interest task lawful basis, as it is performing a task in the public interest that is laid down by law, namely the Local Government Finance Act 1992, and the processing is necessary for the collection and administration of council tax. In contrast, scenarios A, B and D are less likely to qualify for the public interest task lawful basis, as they do not involve a clear task or authority that is set out in law, or that serves the public interest. For example, a health authority processing the personal information of its staff in order to record all training undertaken may have a different lawful basis, such as legitimate interests or contractual necessity. A debt collection agency processing information relating to unpaid fines for misuse of community council car parking may not have any official authority or public interest justification for its processing. A tax authority dropping cookies on the devices of visitors to its website may not be able to demonstrate that the processing is necessary for its official functions, and may also need to comply with the Privacy and Electronic Communications Regulations (PECR) for the use of cookies.

Reference:

UK GDPR, Article 6 (1) (e) and (3)

ICO Guide to Data Protection, Public Task

Local Government Finance Act 1992

Question #7

The Article 9(2)(c) UK GDPR condition for processing special category data in the vital interests of the data subject applies only in which of the following circumstances?

  • A . When another lawful basis applies.
  • B . When a data subject is incapacitated
  • C . When the data subject is physically unable to be present
  • D . When the data subject refuses to consent

Correct Answer: B

Explanation:

Article 9(2)(c) of UK GDPR allows the processing of special category data when it is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent. This means that the data subject is unable to exercise their right to consent or object to the processing, either because they are unconscious, in a coma, suffering from a severe mental disorder, or otherwise unable to communicate their wishes. This condition is intended to cover emergency situations, such as life-threatening medical interventions, where the data subject’s consent cannot be obtained in time. It does not apply when another lawful basis applies, when the data subject is physically absent but still capable of giving consent, or when the data subject refuses to consent.

Reference:

Article 9(2)(c) of UK GDPR

ICO guidance on special category data

Question #8

What is the basis of the accountability and data governance obligation (Article 5 (2) of the GDPR)?

  • A . The controller shall appoint a DPO before carrying out large scale processing
  • B . The controller shall be responsible for, and be able to demonstrate compliance with, the data protection principles.
  • C . Controllers and Processors each have a responsibility to conduct legitimate interests balancing tests before processing data for direct marketing
  • D . Processors have overarching responsibility to ensure their processing is compliant

Correct Answer: B

Explanation:

Article 5(2) of the GDPR introduces the principle of accountability, which requires that the controller is responsible for, and be able to demonstrate compliance with, the data protection principles set out in Article 5(1). These principles are: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and data protection by design and by default. The controller must implement appropriate technical and organizational measures to ensure and demonstrate compliance, such as policies, procedures, records, audits, reviews, and DPIAs. The controller must also cooperate with the supervisory authority and provide any information requested by it. The other options are not the basis of the accountability and data governance obligation, although they may be related to other obligations under the GDPR.

Reference:

Article 5(2) of the GDPR

ICO guidance on accountability and governance

Question #9

Of the following options which is NOT a purpose of carrying out a Data Protection Impact Assessment (DPIA)?

  • A . It is necessary to fulfil the requirement that all DPIAs are submitted to the ICO
  • B . It is key to the accountability element of the GDPR.
  • C . It fulfils a requirement that data protection is carried out by design and default.
  • D . It assists in identifying the main risks that may exist in any use of data, so that they can be mitigated

Correct Answer: A

Explanation:

A DPIA is not required to fulfil the requirement that all DPIAs are submitted to the ICO, because this is not a requirement under the GDPR. The GDPR only requires that the controller consults the ICO before carrying out processing that is likely to result in a high risk to individuals, if the controller cannot mitigate that risk. This means that not all DPIAs need to be submitted to the ICO, only those that identify a high residual risk that cannot be reduced. The other options are valid purposes of carrying out a DPIA, as they help the controller to comply with the GDPR, ensure data protection by design and by default, and identify and mitigate the main risks to individuals’ rights and freedoms.

Reference:

Articles 35 and 36 of the GDPR

ICO guidance on DPIAs

Question #10

You are a consulting Data Protection Officer (DPO) for a holiday resort. You have been asked to conduct a Data Protection Impact Assessment (DPIA) for them in advance of adopting a new HR management database.

While working through the DPIA, which of the following is NOT a requirement?

  • A . Describe the processing
  • B . Sign off and record outcomes.
  • C . Identify measures to mitigate the risks
  • D . Publish any potential risks in your information notice.

Correct Answer: D

Explanation:

A DPIA is a process to help identify and minimise the data protection risks of a project that is likely to result in a high risk to individuals. A DPIA must include the following elements, according to Article 35(7) of the UK GDPR:

  • a description of the processing, including its purposes and legal basis;
  • an assessment of the necessity and proportionality of the processing in relation to its purposes;
  • an assessment of the risks to the rights and freedoms of individuals; and
  • the measures envisaged to address the risks and demonstrate compliance with the UK GDPR.

There is no requirement to publish any potential risks in the information notice, which is a document that provides individuals with information about how their personal data is processed, as required by Articles 13 and 14 of the UK GDPR. However, it may be good practice to do so, as well as to consult with individuals or their representatives, where appropriate, as part of the DPIA process. This can help to enhance transparency, trust and accountability, and to identify any additional risks or concerns from the perspective of the data subjects.

Reference:

Article 35(7) of the UK GDPR

Articles 13 and 14 of the UK GDPR