100% Free PECB GDPR Practice Test Questions

Question 1

Scenario: ChatBubble is a software company that stores personal data, including usernames, emails, and passwords. Last month, an attacker gained access to ChatBubbles system, but the personal data was encrypted, preventing unauthorized access. Should the data subjects be notified in this case?

A : Yes, the company shall communicate all incidents regarding personal data to the data subjects.

B : No, the company is not required to notify data subjects about a data breach that affects a large number of individuals.

C : No, the company is not required to notify data subjects when the personal data is protected with appropriate technical and organizational measures.

D : Yes, but only if the supervisory authority explicitly requests notification

Answer: C

Question 2

Under GDPR, the controller must demonstrate that data subjects have consented to the processing of their personal data, and the consent must be freely given. What is the role of the DPO in ensuring compliance with this requirement?

A : The DPO should ensure that the controller has informed data subjects about their right to withdraw consent.

B : The DPO should ensure that the controller has implemented procedures to provide evidence that consent has been obtained for all relevant personal data.

C : The DPO should personally record information such as who consented, when they consented, and how consent was given

D : The DPO should approve the legal basis for consent processing before the controller can collect personal data.

Answer: B

Question 3

According to the principle of data minimization, data must be:

A : In a form which permits the identification of data subjects for no longer than is necessary.

B : Acquired only for specified, explicit, and legitimate purposes.

C : Adequate, relevant, and limited to what is necessary in relation to the purposes of processing.

D : Stored for no more than five years from the date of collection.

Answer: C

Question 4

Scenario: ChatBubble is a software company that stores personal data, including usernames, emails, and passwords. Last month, an attacker gained access to ChatBubbles system, but the personal data was encrypted, preventing unauthorized access. Should the data subjects be notified in this case?

A : Yes, the company shall communicate all incidents regarding personal data to the data subjects.

B : No, the company is not required to notify data subjects about a data breach that affects a large number of individuals.

C : No, the company is not required to notify data subjects when the personal data is protected with appropriate technical and organizational measures.

D : Yes, but only if the supervisory authority explicitly requests notification

Answer: C

Question 5

Based on Article 58 of GDPR, what powers must the supervisory authority have?

A : To appoint a single DPO in a group of undertakings.

B : To obtain access to any premises of the controller and processor, including data processing equipment.

C : To assign the tasks of the controller or the processor and monitor their implementation.

D : To approve all privacy policies before they are implemented.

Answer: B

Free Practice PECB GDPR Exam Questions 2025