Which action aligns with PDP Law requirements regarding data retention periods?

Define retention periods aligned with legal obligations and justify any extensions

Keep “indefinite” if analytics could be useful in the future

Remove retention information from ROPA to avoid conflicts

Set all retention periods to 1 year regardless of purpose

A government agency processes citizen data for issuing ID cards. After contract fulfillment, what should the controller require the vendor to do with the data, according to PDP Law and ISO 27701?

Require deletion or anonymization after contract fulfillment, in line with PDP Law and ISO 27701

Allow storage if the vendor signs a non-disclosure agreement

Permit storage for vendor business continuity

Transfer data back to the agency after 5 years without checking storage security

If a company experiences a data breach involving encrypted files but the encryption key was compromised, what is the correct compliance action under PDP Law?

Notify the regulator and affected individuals within the legal timeframe

Skip notification since the files were encrypted

Delay notification until the investigation is complete, regardless of deadlines

Notify only affected individuals but not the regulator

Which improvement best aligns with SKKNI 103/2023 for privacy training when audit results show inconsistent compliance across departments?

Develop role-specific training and link PDP KPIs to departmental objectives

Keep uniform training for simplicity

Rely on department heads to brief their teams without formal training

Reduce information for training for simplicity

A global HR software provider offers a new analytics tool to your company, promising predictive insights into employee turnover. The tool requires uploading detailed personnel files to their cloud in another jurisdiction. Which is the safest compliant approach?

Conduct a cross-border risk assessment, ensure contractual safeguards, and pseudonymize sensitive fields before transfer

Upload the files immediately to test functionality, then review compliance later

Encrypt the files before upload and rely on the vendor’s privacy policy

Request regulator pre-approval before any cross-border processing, regardless of safeguards

A university research lab collaborates with a foreign partner on a joint study involving personal data of minors. The partner requests full access to the raw dataset. Which condition must be met first?

Execute a joint controller agreement detailing roles, responsibilities, and safeguards

Transfer the data as soon as encryption is applied

Remove direct identifiers and share without formal agreement

Provide access under a verbal mutual understanding

A telecom operator wants to use historical location data to improve network performance. Compliance notes that some data could reveal sensitive personal patterns. Which is the best course of action?

Conduct a DPIA, apply aggregation or anonymization, and limit retention

Proceed with processing but exclude sensitive areas from the analysis

Use the data under legitimate interest without additional safeguards

Delete all location data older than one year before analysis

A bank contracts a vendor to handle loan application scoring. During review, you find the vendor uses the data to train unrelated AI models. What should be the immediate action?

Require cessation of unrelated use, update the processing contract, and assess past misuse impact

Allow continued processing as long as the AI is accurate

Request the vendor anonymize the training data without further changes

Continue but include the new purpose in your privacy notice retroactively

A startup’s privacy notice states it may “share data with trusted partners” without specifying categories or purposes. Which is the most compliant revision?

Specify partner categories, purposes, data types, and legal basis for sharing

Keep the statement vague to allow operational flexibility

Remove the sharing clause entirely to avoid compliance checks

State that sharing is subject to internal policy without public disclosure

A logistics company receives a data access request from a customer but suspects fraud because the email domain doesn’t match records. What is the best approach?

Verify the requester’s identity through additional authentication before responding

Reject the request outright as suspicious

Fulfill the request partially to avoid delays

Request consent from all other customers before fulfilling

During a merger, your company is asked to share the entire customer database with the acquiring entity before deal closure. Which is the safest compliant path?

Share the database after obtaining customer consent or ensuring another lawful basis and safeguards

Provide unrestricted access as part of due diligence

Share only anonymized data without any safeguards

Share the database immediately to expedite the merger process

A government contractor is required to store classified personal data in-country. A foreign-owned vendor offers cheaper cloud hosting abroad. Which factor should drive your decision?

Legal restrictions on data localization for classified data

Cost savings from offshore hosting

Encryption strength offered by the foreign vendor

Availability of multi-factor authentication

Your company’s ROPA lists a purpose as “business optimization” for processing employee emails. Why is this problematic?

The purpose is too broad and lacks specificity for compliance

ROPA should not include employee data

Employee consent is always required for processing

Optimization is never a valid purpose

A DPO finds that post-termination employee records are kept “indefinitely” for reference. Which is the best corrective action?

Set retention based on legal/regulatory requirements and securely delete data past that period

Keep indefinite retention for HR convenience

Store the data but limit access to HR managers only

Anonymize data immediately upon termination regardless of requirements

A hospital outsources transcription of medical consultations to an overseas provider. What additional safeguard should be prioritized?

Binding contractual clauses requiring deletion after service completion

Verbal agreement on confidentiality

Allowing the provider to keep data for future reference

Relying solely on provider’s internal policies

A ride-sharing company introduces in-app audio recording for rides to enhance safety. Which approach ensures compliance?

Obtain explicit consent from both driver and passenger, specify retention, and limit access to authorized staff

Enable recording by default without notice

Store recordings indefinitely for legal protection

Allow drivers to decide individually without policy

An educational app wants to analyze children’s usage data to improve learning outcomes. Which is the key requirement before analysis?

Parental consent and strict anonymization/pseudonymization of data

Using legitimate interest as the basis

Sharing raw data with education partners

Conducting analysis without retention limits

A social media platform uses automated decision-making to flag content for removal. A user contests a removal decision. Which step is required?

Provide human review and explain the reasoning behind the decision

Reject the contest automatically

Extend the decision deadline indefinitely

Remove the appeals process entirely

A processor discovers a data breach in a controller’s dataset. What’s the correct obligation under ISO 27701?

Notify the controller without undue delay and cooperate in remediation

Attempt to fix the breach silently

Wait for the next audit to disclose

Notify the regulator directly without informing the controller

Your organization wants to use facial recognition for employee building access. Which is the safest compliance path?

DPIA, explicit consent, minimal data storage, and secure biometric database

Enable system without notification

Store facial images indefinitely

Rely on CCTV policies instead of specific biometric policies

A financial company considers purchasing a marketing list with personal emails from a broker. Which is the safest approach?

Verify the source’s consent records and lawful basis before purchase

Purchase immediately for competitive advantage

Use the list once without further processing

Encrypt the list after buying to ensure compliance

A start-up allows customers to log in using their social media accounts. Which is a key compliance step?

Limit data requested to what is necessary for authentication

Request all available profile data for future marketing

Store all social media data indefinitely

Avoid informing users about data use

A company’s privacy policy is only available in English, but most customers speak a different language. Why is this a compliance issue?

Policies must be understandable to the target audience

English is never acceptable for privacy policies

Only legal teams need to understand it

A smart home device company plans to use audio data collected from voice assistants to improve its speech recognition AI. Which is the most compliant approach?

Obtain explicit consent, anonymize audio clips where possible, and limit retention to the training period

Use the data for AI training under legitimate interest without notifying customers

Keep all audio recordings indefinitely for potential product improvements

Share recordings with third parties for unrelated projects

An e-commerce company wants to profile customers’ purchase history to recommend high-margin products. Which factor is most critical in determining if this can be done under legitimate interest?

Whether profiling is necessary for a specific business objective and balanced against customer rights

Whether high-margin products generate more revenue

Whether the marketing department supports the initiative

Whether customers have purchased from the company before

A recruitment agency stores candidate CVs for more than five years after last contact. Which corrective action aligns with storage limitation principles?

Delete or anonymize CVs after the retention period unless a valid reason exists

Keep all CVs indefinitely for reference

Encrypt CVs but keep them forever

Transfer CVs to a third party without informing candidates

A travel booking app shares user itineraries with partner hotels. Which step is required to maintain compliance?

Disclose sharing in the privacy notice, specify purpose, and ensure contractual safeguards

Share itineraries without notice for operational speed

Use itineraries for unrelated marketing campaigns

Allow partners to sell itinerary data

An AI start-up buys a public dataset containing pseudonymized health records. Which risk should be addressed first?

Potential re-identification when combined with other datasets

A retailer wants to install facial recognition cameras for loss prevention. Which is the best compliance strategy?

Conduct a DPIA, obtain necessary legal basis, and implement strict access controls for biometric data

Install cameras without customer notification

Keep footage indefinitely for evidence

Use biometric data for marketing purposes as well

A cloud service provider offers “data analytics as a service” to multiple clients using aggregated datasets. Which measure ensures compliance?

Aggregation and anonymization to prevent re-identification

Sharing raw datasets between clients

Retaining all client data indefinitely

Selling aggregated insights to competitors

A mobile app uses precise location data for targeted ads. Which step is critical for compliance?

Obtain explicit consent and allow revocation at any time

Enable tracking without consent

Share data with partners without restrictions

A law firm keeps all client files, including personal data, after cases close. Which practice is most compliant?

Define retention based on legal obligations and delete or anonymize after expiry

Keep files indefinitely for potential future reference

Store files offsite without encryption

Delete files immediately after closing a case regardless of requirements

A transport authority uses license plate recognition for toll collection. Which compliance step is essential?

Inform drivers about data processing, retention, and their rights

Use the data for unrelated traffic enforcement

A social media company offers a “download all my data” feature. Which improvement strengthens compliance?

Provide data in a structured, commonly used, machine-readable format

Only provide data in PDF format

Require payment for data requests

A bank uses behavioral biometrics for fraud detection. Which safeguard should be prioritized?

Conduct DPIA and ensure secure storage with minimal retention

Store data indefinitely for future analysis

Share behavioral data with unrelated third parties

Skip DPIA as fraud detection is a security purpose

A city government plans to publish open datasets that may contain personal data. Which is the safest approach?

Anonymize or aggregate data before publication and assess re-identification risk

Publish datasets as-is for transparency

Remove datasets after one year only if complaints arise

A delivery app tracks drivers in real-time for dispatching. Which compliance measure should be applied?

Limit tracking to working hours and inform drivers

Share live locations with all customers publicly

Retain tracking data indefinitely

A research firm collects survey data on political opinions. Which is the correct handling method?

Obtain explicit consent and anonymize results before sharing

Assume consent as participation implies agreement

Sell raw survey data to interested parties

Retain identifiable data indefinitely

A tech company develops an AI chatbot using real customer conversations for training. Which is the best safeguard?

Anonymize data before training and limit retention of raw transcripts

Train directly on raw data without changes

Store all transcripts indefinitely for reference

Share training data with external partners freely

A healthcare provider shares patient records with a research partner. Which element must be in place first?

Legal basis for sharing, documented in an agreement specifying scope and safeguards

Mutual understanding without documentation

Verbal permission from patients only

Unlimited sharing with partner institutions

A company uses automated screening for job applicants. An applicant requests human review. Which is the correct response?

Provide human intervention and explain the decision-making process

Refuse as the decision is final

Offer human review only for shortlisted candidates

A payment processor stores cardholder data for reconciliation. Which is the safest retention policy?

Retain only for the minimum period required by regulation and secure delete afterward

Store indefinitely for historical analysis

Keep all data in plain text for quick access

Retain until a customer requests deletion

A telecom company records customer service calls for training. Which compliance step is key?

Inform customers and staff about recording, purpose, and retention

Record without notice to improve natural responses

Use recordings for unrelated marketing

A marketing firm buys behavioral data from a broker. Which due diligence is critical?

Verify data collection was lawful and consent was obtained where required

Assume the broker handles compliance

Buy at lowest cost regardless of source

Encrypt data after purchase to ensure legality

Compliance and Data Protection Quiz

Authored by Robere Associates

Professional Development

Used 1+ times

AI Actions

Add similar questions

Adjust reading levels

Convert to real-world scenario

Translate activity

More...

Content View

Student View

68 questions

Show all answers

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

A healthcare startup wants to deploy a new telemedicine platform that uses patient health data for AI-driven diagnosis. The CTO insists encryption is enough for compliance. Which approach best ensures legal, technical, and operational readiness?

Encrypt all patient data, rely on implied consent, and launch the system to test market adoption

Conduct a DPIA, obtain explicit consent, implement encryption and access control, and train staff before deployment

Limit data use to anonymized datasets and skip DPIA since anonymization removes risk

Draft a privacy notice after launch to reflect actual system use

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

A retail bank uses a foreign vendor to process loan applications, storing applicant data overseas. The compliance officer wants to block the transfer until safeguards are in place, but operations argue delays will hurt business. Which option balances compliance and operational needs?

Proceed immediately and backdate compliance documentation

Require contractual clauses, conduct a transfer risk assessment, and encrypt data during transit and at rest

Encrypt data only and rely on the vendor’s privacy certification

Use anonymized data for processing and add identifiers later without notifying the regulator

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

A marketing agency plans to re-use customer emails collected for service updates to promote a new product line. Which action is most compliant?

Send marketing emails immediately, assuming customers will unsubscribe if uninterested

Obtain separate, specific consent for marketing purposes and update the privacy notice

Add marketing terms to the existing service contract retroactively

Use a legitimate interest basis without offering an opt-out

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

A multinational manufacturer’s HR system integrates with a third-party benefits provider. The provider subcontracts part of the processing without informing the manufacturer. Which is the most appropriate action?

Accept the subcontract if the provider guarantees data security

Suspend processing until the subcontract is reviewed, authorized, and added to the processing agreement

Ignore the subcontract as long as no breach occurs

Require staff to sign new consent forms for the same purpose

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

A public university’s research team wants to collect ethnicity and health data from students to study wellness patterns. Time pressure means they suggest skipping the DPIA and anonymizing data later. Which is the best approach?

Proceed with collection under implied consent, anonymizing later

Conduct a DPIA before collection, obtain explicit consent, and design anonymization into the process

Skip consent since research is in the public interest

Anonymize data after publication only

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

A fintech firm launches a feature allowing customers to share spending data with third-party budgeting apps. The legal team insists on controller-to-controller agreements. Which factor most strongly supports this requirement?

Data is being shared in aggregated format only

The budgeting apps independently decide purposes and means of processing

Customers voluntarily sign up for the apps

The fintech encrypts all data before sharing

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

During a privacy audit, you discover that ROPA entries for several processes list retention as “indefinite.” Operations says this is needed for analytics. Which is the most compliant response?

Accept indefinite retention for analytics purposes

Require defined retention periods based on necessity and legal requirements

Allow indefinite retention if data is encrypted

Permit indefinite retention if users are notified

Access all questions and much more by creating a free account

Create resources

Host any resource

Get auto-graded reports

Continue with Google

Continue with Email

Continue with Classlink

Continue with Clever

or continue with

Microsoft

Apple

Others

Already have an account?

Popular Resources on Wayground

15 questions

Fractions on a Number Line

Quiz

•

3rd Grade

14 questions

Boundaries & Healthy Relationships

Lesson

•

6th - 8th Grade

13 questions

SMS Cafeteria Expectations Quiz

Quiz

•

6th - 8th Grade

20 questions

Equivalent Fractions

Quiz

•

3rd Grade

25 questions

Multiplication Facts

Quiz

•

5th Grade

12 questions

SMS Restroom Expectations Quiz

Quiz

•

6th - 8th Grade

20 questions

Main Idea and Details

Quiz

•

5th Grade

10 questions

Pi Day Trivia!

Quiz

•

6th - 9th Grade

Discover more resources for Professional Development

20 questions

90s Cartoons

Quiz

•

Professional Development

5 questions

Workplace Documents Practice Test: Document 1

Quiz

•

Professional Development

5 questions

Workplace Documents Practice Test: Document 2

Quiz

•

Professional Development

10 questions

March Quiz

Quiz

•

Professional Development

5 questions

Copy of G5_U6_L8_22-23

Lesson

•

KG - Professional Dev...