Last updated: 2026-04-06

Knowledge Assessment

Test your understanding of privacy principles and compliance requirements.


Section 1: Privacy Fundamentals

Question 1: Which GDPR principle requires collecting only the personal data necessary for your stated purposes?

  • A) Lawfulness, fairness, and transparency
  • B) Data minimization
  • C) Purpose limitation
  • D) Accountability

Question 2: Under GDPR, what is the standard timeframe for responding to a data subject access request?

  • A) 14 days
  • B) 30 days
  • C) One month
  • D) Two months

Question 3: Which of the following requires explicit consent under GDPR?

  • A) Processing for contract performance
  • B) Processing special category data (health, religion, etc.)
  • C) Processing for legal compliance
  • D) Processing for legitimate interests

Section 2: Data Subject Rights

Question 4: A customer requests deletion of their personal data. What should you do first?

  • A) Immediately delete all data
  • B) Verify the customer's identity
  • C) Check if you have legal obligations to retain the data
  • D) Both B and C

Question 5: Which right allows individuals to receive their personal data in a machine-readable format for transfer to another service?

  • A) Right of access
  • B) Right to rectification
  • C) Right to data portability
  • D) Right to restrict processing

Section 3: Incident Response

Question 6: You accidentally send customer data to the wrong email address. What should you do?

  • A) Delete the email from your sent folder and hope they do not notice
  • B) Immediately notify your Data Protection Officer or manager
  • C) Wait to see if the recipient responds
  • D) Correct the error by sending to the right person

Question 7: Under GDPR, how long do you have to notify supervisory authorities of a personal data breach (when notification is required)?

  • A) 24 hours
  • B) 48 hours
  • C) 72 hours
  • D) One week

Section 4: Practical Application

Question 8: Your marketing team wants to send promotional emails to all customers. What must you verify first?

  • A) Customer email addresses are valid
  • B) You have a legal basis for marketing communications
  • C) The email content is approved by legal
  • D) The timing is appropriate

Question 9: Where should details about how and why you process personal data be documented for external users?

  • A) Terms of service
  • B) Privacy notice/policy
  • C) Cookie policy
  • D) Employee handbook

Question 10: When transferring personal data to a third-party vendor, what must you ensure?

  • A) The vendor has appropriate security measures
  • B) There is a Data Processing Agreement in place
  • C) International transfer requirements are met (if applicable)
  • D) All of the above

Question 11: Under GDPR, which is NOT a valid legal basis for processing personal data?

  • A) The processing is necessary for contract performance
  • B) The data subject has consented
  • C) The processing is convenient for business operations
  • D) The processing is required by law

Question 12: If you rely on consent as your legal basis, which of the following must be true?

  • A) Consent can be bundled with agreement to terms of service
  • B) Withdrawing consent must be as easy as giving it
  • C) Consent can be assumed from continued use of the service
  • D) Consent only needs to cover broad categories of processing


Answer Key

  1. B - Data minimization
    • Data minimization (Article 5(1)(c)) requires collecting only data that is necessary for specified purposes.

  2. C - One month
    • GDPR Article 12(3) specifies one month from receipt of the request. This can be extended by two months for complex requests, with notification to the data subject.

  3. B - Processing special category data
    • Special category data (Article 9) includes health, race, religion, political opinions, etc. Processing requires explicit consent or another specific legal basis.

  4. D - Both B and C
    • Before deleting data, you must verify the requester's identity and check whether legal obligations (tax records, legal claims) require retention.

  5. C - Right to data portability
    • Data portability (Article 20) allows individuals to receive their data in a structured, machine-readable format for transfer to another controller.

  6. B - Immediately notify your Data Protection Officer or manager
    • All potential breaches should be reported internally immediately. Speed is critical for assessing and responding to incidents.

  7. C - 72 hours
    • GDPR Article 33 requires notification to supervisory authorities within 72 hours of becoming aware of a breach likely to result in risk to individuals.

  8. B - You have a legal basis for marketing communications
    • Marketing typically requires consent (or legitimate interest with opt-out in some jurisdictions). This must be verified before sending.

  9. B - Privacy notice/policy
    • Privacy notices (Articles 13-14) are the required mechanism for informing individuals about data processing.

  10. D - All of the above
    • Vendor relationships require security verification, contractual protections (DPAs), and compliance with transfer rules.

  11. C - The processing is convenient for business operations
    • Convenience is not a legal basis. Processing must have a specific legal basis such as consent, contract, legal obligation, vital interests, public task, or legitimate interests.

  12. B - Withdrawing consent must be as easy as giving it
    • GDPR Article 7(3) requires that withdrawing consent be as easy as giving it. Bundled consent, assumed consent, and overly broad consent are not valid.

Scoring Guide

Score           Interpretation
10-12 correct   Strong understanding of privacy principles
7-9 correct     Good grasp with some areas for review
4-6 correct     Review the training materials and retake
Below 4         Complete the full training program

For questions about any answers, contact your Data Protection Officer or privacy team.
