BCS PDP9 BCS Practitioner Certificate in Data Protection Exam Practice Test

Page: 1 / 14
Total 40 questions
Question 1

Which of the following statements MOST accurately describes the potential impact of Al on the principle of transparency?



Question 2

Which of the following statements MOST accurately describes why a risk-based approach to the use of Al is necessary?



Question 3

How are data sharing practices governed by data protection law?



Question 4

How does the GDPR relate to cookies?



Answer : C

The GDPR and the Privacy and Electronic Communications Regulations (PECR) are two different but related legal frameworks that regulate the use of cookies and similar technologies. Cookies are small text files that are stored on the user's device when they visit a website or use an online service. Cookies can be used for various purposes, such as remembering user preferences, tracking user behaviour, delivering targeted advertising, or enabling online transactions. The GDPR applies to the processing of personal data by cookies and similar technologies, as they can be used to identify or single out individuals, either directly or indirectly. Personal data is any information relating to an identified or identifiable natural person, such as a name, an email address, a location data, or a cookie identifier. The GDPR requires data controllers to obtain the user's consent before using any cookies that are not strictly necessary for the functioning of the website or service, and to provide clear and transparent information about the purposes and legal basis of the processing, the categories and recipients of the personal data, the retention periods, and the rights of the data subjects. The GDPR also requires data controllers to implement appropriate technical and organisational measures to ensure the security and confidentiality of the personal data, and to comply with the principles of data protection by design and by default. The PECR are a set of UK-specific rules that implement the EU ePrivacy Directive, which is a complementary legislation to the GDPR that deals with the privacy and security of electronic communications. The PECR apply to the use of cookies and similar technologies, as well as to the sending of marketing communications by phone, email, text, or fax, and to the provision of public electronic communications services and networks. The PECR require data controllers to obtain the user's consent before using any cookies or similar technologies, except those that are strictly necessary for the provision of an information society service requested by the user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network. The PECR also require data controllers to provide clear and comprehensive information about the purposes of the cookies or similar technologies, and to offer the user a way to refuse or withdraw their consent. The PECR do not apply to the processing of personal data by cookies or similar technologies, as this is covered by the GDPR. Therefore, the correct answer is C, as where PECR is engaged only PECR will apply to the use of cookies or similar technologies, but not to the processing of personal data by them. The other options are incorrect because:

The GDPR does not only apply where a cookie processes personal data, but to any processing of personal data by any means, including cookies and similar technologies. The GDPR applies to the processing of personal data by cookies and similar technologies, regardless of whether they are strictly necessary or not, or whether they are first-party or third-party cookies. However, the GDPR does not apply to the use of cookies or similar technologies, as this is covered by the PECR.

The GDPR does not apply in all cases where cookies are used, but only in cases where cookies are used to process personal data. The GDPR does not apply to the use of cookies or similar technologies that do not process personal data, such as those that are strictly necessary for the functioning of the website or service, or those that do not identify or single out individuals. However, the PECR still apply to the use of cookies or similar technologies, regardless of whether they process personal data or not, except for some limited exemptions.

Websites do not only need an opt out of cookies if GDPR applies, but also if PECR applies. The GDPR and the PECR both require data controllers to obtain the user's consent before using any cookies or similar technologies that are not strictly necessary, and to offer the user a way to refuse or withdraw their consent. The opt out of cookies is a mechanism that allows the user to exercise their right to object to the use of cookies or similar technologies, and to prevent the processing of their personal data by them. Websites need to provide an opt out of cookies in all cases where the user's consent is required, regardless of whether the GDPR or the PECR applies.Reference:

GDPR, Article 4(1)5

GDPR, Article 6(1)(a)6

GDPR, Article 13 and 147

GDPR, Article 328

GDPR, Article 25

PECR, Regulation 6

PECR, Regulation 5


Question 5

In the terms of their relevance under data protection legislation, how can CCTV images recorded in a supermarket BEST be described'?



Answer : D

CCTV images recorded in a supermarket are personal data as they can be used to identify living human beings, either directly or indirectly, by their physical appearance, clothing, accessories, or other distinctive features. Personal data is defined in Article 4(1) of the GDPR as ''any information relating to an identified or identifiable natural person''. The GDPR applies to the processing of personal data by automated means, such as CCTV cameras, or by non-automated means that form part of a filing system, such as paper records. The other options are incorrect because:

CCTV images are not special category data as they do not reveal any of the sensitive information listed in Article 9(1) of the GDPR, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, or biometric or genetic data. Special category data is subject to stricter conditions and safeguards under the GDPR, as it poses a higher risk to the rights and freedoms of individuals.

CCTV images are not biometric data in the terms of the definition stipulated in the GDPR. Biometric data is defined in Article 4(14) of the GDPR as ''personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data''. CCTV images do not result from specific technical processing, nor do they allow or confirm the unique identification of a natural person, unless they are combined with other data or identifiers.

The GDPR is not only engaged where CCTV images are accompanied by text or other identifier. The GDPR applies to any information that relates to an identified or identifiable natural person, regardless of whether it is accompanied by text or other identifier. CCTV images can relate to an identifiable natural person even if they do not contain any text or other identifier, as long as there is a possibility to single out or link the person to other data or factors.Reference:

GDPR, Article 4(1)1

GDPR, Article 2(1)2

GDPR, Article 9(1)3

GDPR, Article 4(14)4


Question 6

What is the Employment Practices Code?



Answer : A

The Employment Practices Code is a guidance document issued by the ICO that provides recommendations on how to comply with the data protection principles and the rights of data subjects when processing personal data in the context of employment. The code covers various aspects of employment practices, such as recruitment and selection, employment records, monitoring at work, and information about workers' health. The code is not legally binding, but it reflects the ICO's interpretation of the Data Protection Act and the UK GDPR, and it may be used as evidence in legal proceedings or investigations. The code is intended to help employers balance their legitimate interests in managing their workforce with the privacy rights of their workers.Reference:

The Employment Practices Code

Quick Guide to the Employment Practices Code


Question 7

Under the Privacy and Electronic Communications Regulations, organisations must NOT make marketing telephone calls to which of the following?



Answer : B

The Privacy and Electronic Communications Regulations (PECR) are a set of rules that regulate the use of electronic communications for marketing purposes, such as phone calls, texts, emails and faxes. One of the rules is that organisations must not make unsolicited marketing calls to individuals who have registered their numbers with the Telephone Preference Service (TPS), unless they have given their prior consent to receive such calls from that organisation. The TPS is a free service that allows individuals to opt out of receiving any marketing calls. It is a legal requirement for organisations to check the TPS before making any marketing calls and to respect the preferences of the individuals registered on it. If an organisation fails to comply with this rule, it may face enforcement action from the Information Commissioner's Office (ICO), which is the UK's data protection authority and the regulator of PECR.Reference:

Telephone Preference Service

Marketing calls

Enforcement action


Page:    1 / 14   
Total 40 questions