Free PECB GDPR Actual Exam Questions
Dumps Box (DumpsBox) offers up-to-date practice exam questions for the GDPR certification exam, developed and validated by PECB subject domain experts certified in PECB GDPR. These practice questions are updated regularly as we keep an eye on any recent changes to the GDPR syllabus, and when there is an update our team quickly adjusts the questions. This commitment to providing the best quality exam prep material to certification aspirants is what makes DumpsBox.com the best certification exam prep website. On top of that, our strong, yet strictly moderated, community-based feedback keeps the content clean and current. Each question has a helpful community discussion that provides extra perspective and introduces helpful resources for better exam preparation. This also saves students from outdated practice questions or illicit exam dumps that can have adverse effects on a career. Browse through our PECB GDPR exam questions and pass your exam on the first try.
What is the role of the DPO in a DPIA?
A clinical research organization collects and processes sensitive personal data of individuals for
medical research purposes. The data is encrypted and stored in a central database using a one-way
hashing function (bcrypt). The organization conducted a risk assessment to identify and mitigate
risks.
Question:
Should a DPIA be conducted in this case?
bus rental since 2009. The success of Bus Spot can be attributed to the digitization of the bus
ticketing system, through which clients can easily book tickets and stay up to date on any changes to
their arrival or departure time. In recent years, due to the large number of passengers transported
daily, Bus Spot has dealt with different incidents including vandalism, assaults on staff, and
fraudulent injury claims. Considering the severity of these incidents, the need for having strong
security measures had become crucial. Last month, the company decided to install a CCTV system
across its network of buses. This security measure was taken to monitor the behavior of the
company's employees and passengers, enabling crime prevention and ensuring safety and security.
Following this decision, Bus Spot initiated a data protection impact assessment (DPIA). The outcome
of each step of the DPIA was documented as follows: Step 1: In all 150 buses, two CCTV cameras will
be installed. Only individuals authorized by Bus Spot will have access to the information generated
by the CCTV system. CCTV cameras capture images only when Bus Spot's buses are being used.
The CCTV cameras will record images and sound. The information is transmitted to a video recorder
and stored for 20 days. In case of incidents, CCTV recordings may be stored for more than 40 days
and disclosed to a law enforcement body. Data collected through the CCTV system will be processed
by another organization. The purpose of processing this type of information is to increase the
security and safety of individuals and prevent criminal activity. Step 2: All employees of Bus Spot
were informed about the installation of a CCTV system. As the data controller, Bus Spot will have the
ultimate responsibility to conduct the DPI
Under GDPR, the controller must demonstrate that data subjects have consented to the processing
of their personal data, and the consent must be freely given.
What is the role of the DPO in ensuring compliance with this requirement?
MED is a healthcare provider located in Norway. It provides high-quality and affordable healthcare
services, including disease prevention, diagnosis, and treatment. Founded in 1995, MED is one of the
largest health organizations in the private sector. The company has constantly evolved in response to
patients' needs.
Patients that schedule an appointment in MED's medical centers initially need to provide their
personal information, including name, surname, address, phone number, and date of birth. Further
checkups or admission require additional information, including previous medical history and genetic
data. When providing their personal data, patients are informed that the data is used for personalizing
treatments and improving communication with MED's doctors. Medical data of patients, including
children, are stored in the database of MED's health information system. MED allows patients who
are at least 16 years old to use the system and provide their personal information independently. For
children below the age of 16, MED requires consent from the holder of parental responsibility before
processing their data.
MED uses a cloud-based application that allows patients and doctors to upload and access
information. Patients can save all personal medical data, including test results, doctor visits,
diagnosis history, and medicine prescriptions, as well as review and track them at any time. Doctors,
on the other hand, can access their patients' data through the application and can add information as
needed.
Patients who decide to continue their treatment at another health institution can request MED to
transfer their data. However, even if patients decide to continue their treatment elsewhere, their
personal data is still used by MED. Patients’ requests to stop data processing are rejected. This
decision was made by MED’s top management to retain the information of everyone registered in
their databases.
The company also shares medical data with InsHealth, a health insurance company. MED's data helps
InsHealth create health insurance plans that meet the needs of individuals and families.
MED believes that it is its responsibility to ensure the security and accuracy of patients’ personal
data. Based on the identified risks associated with data processing activities, MED has implemented
appropriate security measures to ensure that data is securely stored and processed.
Since personal data of patients is stored and transmitted over the internet, MED uses encryption to
avoid unauthorized processing, accidental loss, or destruction of data. The company has established
a security policy to define the levels of protection required for each type of information and
processing activity. MED has communicated the policy and other procedures to personnel and
provided customized training to ensure proper handling of data processing.
Question:
Considering the nature of data processing activities described in scenario 1, is GDPR applicable to
MED?
PickFood is an online food delivery service that allows customers to order food online and pay by
credit card. The payment service is provided by PaySmart, which processes the transactions.
Question:
According to Article 30 of GDPR, what type of information should PaySmart NOT maintain when
recording online transaction processing activity?
through a user account that had unlimited access to data. What should the DPO advise the organization to do in order to prevent the recurrence of similar
scenarios?
An organization has been using a storage transfer service to import market-sensitive data, including
email addresses and contact details, into a cloud storage system. This change has affected the
registration process and has helped the organization appropriately collect and store data.
Question:
Based on this scenario, what should the DPO monitor in the data processing register?
Bankbio is a financial institution that handles personal data of its customers. Its data processing
activities involve processing that is necessary for the legitimate interests pursued by the institution.
In such cases, Bankbio processes personal data without obtaining consent from data subjects.
Question:
Is the data processing lawful under GDPR?
According to the principle of data minimization, data must be:
The MED scenario described above also applies to the following question.
Question:
If a patient requests MED to permanently erase their data, MED should:
Berc is a pharmaceutical company headquartered in Paris, France, known for developing inexpensive
improved healthcare products. They want to expand to developing life-saving treatments. Berc has
been engaged in many medical researches and clinical trials over the years. These projects required
the processing of large amounts of data, including personal information. Since 2019, Berc has
pursued GDPR compliance to regulate data processing activities and ensure data protection. Berc
aims to positively impact human health through the use of technology and the power of
collaboration. They recently have created an innovative solution in participation with Unty, a
pharmaceutical company located in Switzerland. They want to enable patients to identify signs of
strokes or other health-related issues themselves. They wanted to create a medical wrist device that
continuously monitors patients' heart rate and notifies them about irregular heartbeats. The first
step of the project was to collect information from individuals aged between 50 and 65. The purpose
and means of processing were determined by both companies. The information collected included
age, sex, ethnicity, medical history, and current medical status. Other information included names,
dates of birth, and contact details. However, the individuals, who were mostly Berc's and Unty's
customers, were not aware that there was an arrangement between Berc and Unty and that both
companies have access to their personal data and share it between them. Berc outsourced the
marketing of their new product to an international marketing company located in a country that had
not adopted the adequacy decision from the EU commission. However, since they offered a good
marketing campaign, following the DPO's advice, Berc contracted it. The marketing campaign
included advertisement through telephone, emails, and social media. Berc requested that Berc's and Unty's clients be first informed about the product. They shared the
contact details of clients with the marketing company. Based on this scenario, answer the following question.
Question:
Based on scenario 4, Berc shared personal information of its clients with an international marketing
company even though an adequacy decision was absent. Which of the following is a valid reason to
do so?
A shop owner decided to install a video surveillance system to protect the property against theft.
However, the cameras also capture a considerable part of the store next door.
Question:
Which statement below is correct in this case?