PDP9 BCS Practitioner Certificate in Data Protection Free Practice Exam Questions (2025 Updated)

The principle of transparency requires that any processing of personal data is fair, lawful and transparent to the data subjects. This means that data subjects should be informed about the existence, nature, purpose and consequences of the processing, as well as their rights and choices regarding their data. Transparency is essential for ensuring accountability, trust and compliance in data processing. However, the use of AI can pose challenges to the principle of transparency, as AI can lead to invisible processing, with data subjects not being aware of its presence, or the logic, significance and implications of the processing. For example, AI can be used to profile, infer, predict or influence the behaviour, preferences, interests, emotions or personality of data subjects, without their knowledge or consent. AI can also be used to make automated decisions that affect data subjects, such as credit scoring, recruitment, health diagnosis or social benefits, without providing meaningful explanations or opportunities for human intervention. Therefore, it is important to ensure that data subjects are informed and empowered when AI is involved in the processing of their data, and that they can exercise their rights, such as the right to access, rectify, object, restrict, erase or port their data, or the right to challenge or contest automated decisions56. References:

Guidance on AI and data protection5

Explaining decisions made with AI6

Article 57 of the UK GDPR states that the tasks of the Commissioner include handling complaints raised by individuals/data subjects, providing general guidance to clarify the law, and advising UK Parliament on issues related to the protection of personal data, among other tasks. However, adopting consistency findings in cross-border data protection cases is not a task of the Commissioner, but of the European Data Protection Board (EDPB), which is an independent body composed of the heads of the supervisory authorities of the EU and EEA member states and the European Data Protection Supervisor. The EDPB is responsible for ensuring the consistent application of the EU GDPR across the EU and EEA, and for issuing opinions and decisions on matters of general application or affecting more than one member state. The UK is no longer part of the EU or the EEA, and therefore the EDPB does not have jurisdiction over the UK GDPR or the Commissioner. The UK has its own mechanism for ensuring consistency and cooperation with other countries, which involves the Commissioner and the Secretary of State. References:

Article 57 of the UK GDPR1

Article 63 and 64 of the EU GDPR4

ICO guidance on the UK GDPR and the EU GDPR5

Data sharing is the disclosure of personal data from one or more organisations to a third party organisation or organisations, or the sharing of personal data within an organisation. Data sharing practices are governed by data protection law, which includes the UK GDPR and the Data Protection Act 2018 (DPA 2018). The DPA 2018 contains specific provisions on data sharing, such as the power of the Information Commissioner’s Office (ICO) to issue a statutory Code of Practice on data sharing. The ICO has published a Data Sharing Code of Practice1 that provides practical guidance on how to share data in a fair, safe and transparent way, in compliance with the data protection principles and the rights of data subjects. The code is not legally binding, but it reflects the ICO’s interpretation of the law and it may be used as evidence in legal proceedings or investigations. The code also contains useful tools, case studies andexamples that can help organisations to share data effectively and responsibly. References:

Data Sharing Code of Practice1

The crime and taxation exemption in Schedule 2, Part 1, Paragraph 2 of the Data Protection Act 2018 (DPA 2018) provides an exemption from the UK GDPR’s transparency obligations and most individual rights, including the right of access, but only if complying with them would prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders. This means that the public authority does not need to disclose details of the investigation to the individual who submitted the subject access request, as doing so would be likely to hinder the investigation and enable the individual to evade justice. The public authority should assess the likelihood of prejudice on a case-by-case basis and document its reasons for relying on the exemption. The other options are incorrect because:

The legal and professional privilege exemption in Schedule 2, Part 1, Paragraph 19 of the DPA 2018 applies to personal data that is subject to an obligation of confidentiality arising from the provision of legal advice or legal representation, or from the conduct of legal proceedings. This exemption does not apply to the information held by the public authority about the investigation, as it is not related to any legal advice or representation, or any legal proceedings.

The term “criminal offence data” refers to personal data relating to criminal convictions and offences, or related security measures. This type of data is subject to specific rules under Article 10 of the UK GDPR and Part 3 of the DPA2018. However, this does not mean that there is no obligation to disclose criminal offence data in response to a subject access request. The public authority still needs to consider whether any of the exemptions in the DPA 2018 apply, such as the crime and taxation exemption, before disclosing or withholding the data.

The right to be informed does apply in relation to criminal acts, as the UK GDPR requires controllers to provide data subjects with information about the processing of their personal data, including the purposes and legal basis of the processing, unless an exemption applies. The fact that the information has not yet been passed to the police does not affect the applicability of the right to be informed or the right of access. References:

Data Protection Act 2018, Schedule 2, Part 1, Paragraph 21

ICO Guide to Data Protection, Crime and Taxation2

Data Protection Act 2018, Schedule 2, Part 1, Paragraph 193

UK GDPR, Article 104

Data Protection Act 2018, Part 35

UK GDPR, Article 13 and 146

Under Article 37 of the UK GDPR, a public authority or a public body must appoint a data protection officer (DPO) unless it is a court acting in its judicial capacity. This is the only exception for public authorities or bodies from the obligation to appoint a DPO. The other circumstances listed in the question, such as processing a large amount of personal data, processing special category data, or being defined as a public body in the Data Protection Act 2018, do not exempt a public authority or a public body from appointing a DPO. References:

Article 37 of the UK GDPR2

Data protection officers | ICO2

Article 33 of the UK GDPR requires controllers to notify the supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. This means that not all personal data breaches need to be reported to the supervisory authority, only those that pose a risk to individuals. The risk should be assessed in terms of the potential negative consequences for individuals, such as discrimination, identity theft, fraud, financial loss, damage to reputation, loss of confidentiality, or any other significant economic or social disadvantage. The UK GDPR also requires controllers to communicate the personal data breach to the affected data subjects without undue delay, where the breach is likely to result in a high risk to their rights and freedoms. The other options are incorrect because:

The UK GDPR does not require all personal data breaches to be reported to the supervisory authority, only those that pose a risk to individuals. However, controllers must document all personal data breaches, regardless of whether they are reported or not, as part of their accountability obligations.

The UK GDPR does not make a distinction between personal data and special category data when it comes to reporting personal data breaches. Special category data is a type of personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that concerns health, sex life or sexual orientation, or biometric or genetic data for the purpose of uniquely identifying a natural person. The processing of special category data is subject to stricter conditions and safeguards under the UK GDPR, but the reporting of personal data breaches involving such data is subject to the same criteria as any other personal data breach, namely the risk to individuals.

The UK GDPR does not provide an exemption from reporting personal data breaches based on the controller’s right of freedom of expression. The right of freedom of expression is a fundamental right that is recognised and protected by the UK GDPR, but it is not an absolute right that overrides the rights and freedoms of data subjects. The UK GDPR allows Member States to provide for exemptions or derogations from certain provisions of the UK GDPR for the processing of personal data carried out for journalistic purposes or the purpose of academic, artistic or literary expression, where such exemptions or derogations are necessary to reconcile the right to the protection of personal data with the right to freedom of expression and information. However, these exemptions or derogations do not apply to the obligation to report personal databreaches to the supervisory authority, unless the Member State law specifies otherwise. References:

UK GDPR, Article 334

UK GDPR, Article 34

UK GDPR, Article 9

UK GDPR, Article 85

The GDPR and the Privacy and Electronic Communications Regulations (PECR) are two different but related legal frameworks that regulate the use of cookies and similar technologies. Cookies are small text files that are stored on the user’s device when they visit a website or use an online service. Cookies can be used for various purposes, such as remembering user preferences, tracking user behaviour, delivering targeted advertising, or enabling online transactions. The GDPR applies to the processing of personal data by cookies and similar technologies, as they can be used to identify or single out individuals, either directly or indirectly. Personal data is any information relating to an identified or identifiable natural person, such as a name, an email address, a location data, or a cookie identifier. The GDPR requires data controllers to obtain the user’s consent before using any cookies that are not strictly necessary for the functioning of the website or service, and to provide clear and transparent information about the purposes and legal basis of the processing, the categories and recipients of the personal data, the retention periods, and the rights of the data subjects. The GDPR also requires data controllers to implement appropriate technical and organisational measures to ensure the security and confidentiality of the personal data, and to comply with the principles of data protection by design and by default. The PECR are a set of UK-specific rules that implement the EU ePrivacy Directive, which is a complementary legislation to the GDPR that deals with the privacy and security of electronic communications. The PECR apply to the use of cookies and similar technologies, as well as to the sending of marketing communications by phone, email, text, or fax, and to the provision of public electronic communications services and networks. The PECR require data controllers to obtain the user’s consent before using any cookies or similar technologies, except those that are strictly necessary for the provision of an information society service requested by the user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network. The PECR also require data controllers to provide clear and comprehensive information about the purposes of the cookies or similar technologies, and to offer the user a way to refuse or withdraw their consent. The PECR do not apply to the processing of personal data by cookies or similar technologies, as this is covered by the GDPR. Therefore, the correct answer is C, as where PECR is engaged only PECR will apply to the use of cookies or similar technologies, but not to the processing of personal data by them. The other options are incorrect because:

The GDPR does not only apply where a cookie processes personal data, but to any processing of personal data by any means, including cookies and similar technologies. The GDPR applies to the processing of personal data by cookies and similar technologies, regardless of whether they are strictly necessary or not, or whether they are first-party or third-party cookies. However, the GDPR does not apply to the use of cookies or similar technologies, as this is covered by the PECR.

The GDPR does not apply in all cases where cookies are used, but only in cases where cookies are used to process personal data. The GDPR does not apply to the use of cookies or similar technologies that do not process personal data, such as those that are strictly necessary for the functioning of the website orservice, or those that do not identify or single out individuals. However, the PECR still apply to the use of cookies or similar technologies, regardless of whether they process personal data or not, except for some limited exemptions.

Websites do not only need an opt out of cookies if GDPR applies, but also if PECR applies. The GDPR and the PECR both require data controllers to obtain the user’s consent before using any cookies or similar technologies that are not strictly necessary, and to offer the user a way to refuse or withdraw their consent. The opt out of cookies is a mechanism that allows the user to exercise their right to object to the use of cookies or similar technologies, and to prevent the processing of their personal data by them. Websites need to provide an opt out of cookies in all cases where the user’s consent is required, regardless of whether the GDPR or the PECR applies. References:

GDPR, Article 4(1)5

GDPR, Article 6(1)(a)6

GDPR, Article 13 and 147

GDPR, Article 328

GDPR, Article 25

PECR, Regulation 6

PECR, Regulation 5

Data protection rights were first introduced into UK law by the Data Protection Act 1984, which was enacted to implement the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 1981. The Data Protection Act 1984 established a set of principles for the processing of personal data by data users, such as obtaining consent, ensuring accuracy, and limiting retention. It also created a system of registration for data users and a Data Protection Registrar (later renamed as the Information Commissioner) to oversee and enforce the law. The Data Protection Act 1984 was replaced by the Data Protection Act 1998, which transposed the EU Data Protection Directive 1995 into UK law and extended the scope of data protection to cover manual as well as automated processing of personal data. The Data Protection Act 1998 was further amended by the Data Protection Act 2018, which incorporated the EU General Data Protection Regulation (GDPR) and the Law Enforcement Directive into UK law and made provisions for specific processing situations, such as national security, immigration, and journalism. References:

Data Protection Act 19844

Council of Europe Convention 1085

Data Protection Act 19986

Data Protection Act 20187

The definitions of “public authority” and “public body” for the purposes of the UK GDPR and the Data Protection Act 2018 are found in the Freedom of Information Act 2000 and the Data Protection Act 2018 respectively. Section 7 of the Data Protection Act 2018 provides that a public authority or a public body is one that is listed in Schedule 1 to the Freedom of Information Act 2000, or is designated by an order under section 5 of that Act. However, a court or tribunal acting in its judicial capacity is not considered a public authority or a public body under the Data Protection Act 2018. References:

Section 7 of the Data Protection Act 20181

Schedule 1 to the Freedom of Information Act 2000

Article 9(2)© of UK GDPR allows the processing of special category data when it is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent. This means that the data subject is unable to exercise their right to consent or object to the processing, either because they are unconscious, in a coma, suffering from a severe mental disorder, or otherwise unable to communicate their wishes. This condition is intended to cover emergency situations, such as life-threatening medical interventions, where the data subject’s consent cannot be obtained in time. It does not apply when another lawful basis applies, when the data subject is physically absent but still capable of giving consent, or when the data subject refuses to consent. References:

Article 9(2)© of UK GDPR1

ICO guidance on special category data2

Storage limitation is one of the principles of data protection under the UK GDPR. It means that personal data should not be kept in a form that allows identification of data subjects for longer than is necessary for the purposes for which the data are processed. The UK GDPR does not specify any fixed time limits for different types of data, but rather requires data controllers to determine and justify the appropriate retention periods for their processing activities, taking into account factors such as the nature, scope, context and purposes of the processing, the risks to the rights and freedoms of data subjects, and the legal obligations and expectations of the data controller. Data controllers should also have a policy setting out standard retention periods where possible, and review the data they hold regularly to ensure that it is erased or anonymised when it is no longer needed. Data subjects have the right to request the erasure of their personal data if the data controller no longer has a lawful basis or a legitimate interest for keeping it. The UK GDPR allows for some exceptions to the storage limitation principle, such as when the personal data is processed solely forarchiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to appropriate safeguards for the rights and freedoms of data subjects. References:

UK GDPR, Article 5 (1) (e) and (2)4

UK GDPR, Article 175

UK GDPR, Article 896

ICO Guide to Data Protection, Storage Limitation7