Legal Prep
Privacy Law & Digital Ethics (100 Questions)
1. What is the primary purpose of the GDPR (General Data Protection Regulation)?
A) To collect more taxes from digital companies
B) To protect the fundamental rights and freedoms of individuals regarding their personal data
C) To make the internet slower in Europe
D) To allow companies to sell data more easily
Correct Answer: B) To protect the fundamental rights and freedoms of individuals regarding their personal data
2. In 2026, "Personal Data" is defined as:
A) Only a person's full name and home address
B) Any information relating to an identified or identifiable natural person (IP, cookies, biometrics, etc.)
C) Only information that is stored in paper files
D) Only a person's bank account details
Correct Answer: B) Any information relating to an identified or identifiable natural person (IP, cookies, biometrics, etc.)
3. Who is a "Data Subject"?
A) The company that owns the data
B) The individual to whom the personal data belongs
C) The government official checking the data
D) A computer program that processes data
Correct Answer: B) The individual to whom the personal data belongs
4. What is the role of a "Data Controller"?
A) The person who types data into the system
B) The entity that determines the purposes and means of processing personal data
C) The company that provides the cloud storage only
D) The user who browses the website
Correct Answer: B) The entity that determines the purposes and means of processing personal data
5. What is the role of a "Data Processor"?
A) The entity that processes data on behalf of the controller (e.g., a cloud provider)
B) The person who owns the data
C) The lawyer who writes the privacy policy
D) The hardware that stores the data
Correct Answer: A) The entity that processes data on behalf of the controller (e.g., a cloud provider)
6. The "Right to be Forgotten" (Right to Erasure) allows a user to:
A) Delete their memory of using the app
B) Request the deletion of their personal data without undue delay under certain conditions
C) Stop paying for a service they forgot they had
D) Change their name legally
Correct Answer: B) Request the deletion of their personal data without undue delay under certain conditions
7. "Consent" under GDPR must be:
A) Assumed if the user doesn't say no
B) Freely given, specific, informed, and unambiguous
C) Hidden in long terms and conditions
D) Obtained only once every 10 years
Correct Answer: B) Freely given, specific, informed, and unambiguous
8. What is "Privacy by Design"?
A) Designing a beautiful privacy policy page
B) Integrating data protection into the development of products and services from the start
C) Hiding the design from competitors
D) Making the app's interface dark and private
Correct Answer: B) Integrating data protection into the development of products and services from the start
9. A "Data Protection Impact Assessment" (DPIA) is required when:
A) A company hires a new designer
B) Processing is likely to result in a high risk to the rights and freedoms of individuals
C) The company moves to a new office
D) The website gets more than 100 visitors
Correct Answer: B) Processing is likely to result in a high risk to the rights and freedoms of individuals
10. "DPO" stands for:
A) Digital Privacy Officer
B) Data Protection Officer
C) Department of Personal Operations
D) Data Processing Owner
Correct Answer: B) Data Protection Officer
11. What is the maximum fine for a serious GDPR infringement?
A) €10,000
B) Up to €20 million or 4% of the total worldwide annual turnover, whichever is higher
C) €1 million