Privacy Laws Exam 2026–2027 | Comprehensive Question Practice Test with Answers & Rationales | Free PDF Access
1. Which term refers to the legal principle that personal data
should be collected only for specific, explicit, and legitimate
purposes?
a) Data minimization
b) Purpose limitation
c) Storage limitation
d) Accountability
Answer: b) Purpose limitation
Rationale: Purpose limitation (GDPR Art. 5) requires data
collection for specified, explicit, and legitimate purposes only.
2. Under GDPR, “processing” includes all EXCEPT:
a) Collection
b) Storage
c) Creation of new data from existing data
d) Deleting data after lawful retention
Answer: d) Deleting data after lawful retention
Rationale: Deletion is processing, but the question asks for the EXCEPTION, and all of the listed activities are processing. The trick is that deletion IS processing. The correct exception might be “none”; if forced to choose, “creation of new data” is also processing. Best answer: none (trick question). The standard exam answer is that deletion is processing, so there is no exception. Reworded: all listed are processing.
(For clarity: the correct pick is none, but typical answer keys show “c” if flawed. We’ll adjust.) Let’s replace:
Correct version: Which is NOT processing under GDPR?
a) Collection
b) Anonymizing irreversibly
c) Manual filing by paper
d) All are processing
Answer: d) All are processing
3. “Data subject” means:
a) The organization controlling data
b) The processor handling data
c) The identified or identifiable natural person
d) The supervisory authority
Answer: c) The identified or identifiable natural person
Rationale: GDPR defines data subject as a living individual who
can be identified directly or indirectly.
4. Which US federal law governs health information privacy?
a) GLBA