Free Preparation Discussions
MENU
BCS PDP9 Exam Questions
- Topic 1: Define the following key items of terminology/ Identify the accountability and data governance obligation
- Topic 2: Identify how the use of cookies and digital technologies is governed by data protection law
- Topic 3: Explain the rules for processing criminal offence data/ Demonstrate the process of conducting a DPIA
- Topic 4: Explain how a data protection complaint should be handled/ Analyse the impact of AI on the principles and concepts of data protection
- Topic 5: Demonstrate how to adopt a ‘data protection by design and by default’ approach
- Topic 6: Identify the role of tribunal and judicial courts/ Analyse the benefits versus the risks of AI for individuals and organisations
- Topic 7: Demonstrate a detailed knowledge of the key rights granted to individuals/ Describe the act of processing under the authority of a controller or processor
- Topic 8: Explain how data protection legislation applies to children/ Recognise the data protection implications of the Employment Practices Code
- Topic 9: Explain when the obligations arise to report breaches of personal data/ Describe the restrictions and exemptions that may affect data subject rights
- Topic 10: Explain the role of the Information Commissioner’s Office (ICO)/ Express awareness of the following rights in addition to the above
Free BCS PDP9 Exam Actual Questions
Note: Premium Questions for PDP9 were last updated On Apr. 06, 2025 (see below)
When were data protection rights first introduced into UK law'?
Data protection rights were first introduced into UK law by the Data Protection Act 1984, which was enacted to implement the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 1981. The Data Protection Act 1984 established a set of principles for the processing of personal data by data users, such as obtaining consent, ensuring accuracy, and limiting retention. It also created a system of registration for data users and a Data Protection Registrar (later renamed as the Information Commissioner) to oversee and enforce the law. The Data Protection Act 1984 was replaced by the Data Protection Act 1998, which transposed the EU Data Protection Directive 1995 into UK law and extended the scope of data protection to cover manual as well as automated processing of personal data. The Data Protection Act 1998 was further amended by the Data Protection Act 2018, which incorporated the EU General Data Protection Regulation (GDPR) and the Law Enforcement Directive into UK law and made provisions for specific processing situations, such as national security, immigration, and journalism.Reference:
Council of Europe Convention 1085
Which of the below would be the BEST example of processing that could utilise the Public Interest Task lawful basis?
The public interest task lawful basis applies to the processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The relevant task or authority must have a clear basis in domestic law, such as a statutory power, a common law duty, or a function of the Crown, central or local government. The processing must also be necessary, meaning that there is no reasonable and less intrusive way to achieve the same purpose. The public interest task lawful basis is most relevant to public authorities, but it can also apply to any organisation that exercises official authority or carries out tasks in the public interest. In scenario C, a local authority processing the personal information of the person responsible for paying council tax is likely to rely on the public interest task lawful basis, as it is performing a task in the public interest that is laid down by law, namely the Local Government Finance Act 1992, and the processing is necessary for the collection and administration of council tax. In contrast, scenarios A, B and D are less likely to qualify for the public interest task lawful basis, as they do not involve a clear task or authority that is set out in law, or that serves the public interest. For example, a health authority processing the personal information of its staff in order to record all training undertaken may have a different lawful basis, such as legitimate interests or contractual necessity. A debt collection agency processing information relating to unpaid fines for misuse of community council car parking may not have any official authority or public interest justification for its processing. A tax authority dropping cookies on the devices of visitors to its website may not be able to demonstrate that the processing is necessary for its official functions, and may also need to comply with the Privacy and Electronic Communications Regulations (PECR) for the use of cookies.Reference:
UK GDPR, Article 6 (1) (e) and (3)8
ICO Guide to Data Protection, Public Task9
Local Government Finance Act 199210
Of the following options which is NOT a purpose of carrying out a Data Protection Impact Assessment (DPIA)?
A DPIA is not required to fulfil the requirement that all DPIAs are submitted to the ICO, because this is not a requirement under the GDPR. The GDPR only requires that the controller consults the ICO before carrying out processing that is likely to result in a high risk to individuals, if the controller cannot mitigate that risk. This means that not all DPIAs need to be submitted to the ICO, only those that identify a high residual risk that cannot be reduced. The other options are valid purposes of carrying out a DPIA, as they help the controller to comply with the GDPR, ensure data protection by design and by default, and identify and mitigate the main risks to individuals' rights and freedoms.Reference:
Article 35 and 36 of the GDPR3
Under the Privacy and Electronic Communications Regulations, organisations must NOT make marketing telephone calls to which of the following?
The Privacy and Electronic Communications Regulations (PECR) are a set of rules that regulate the use of electronic communications for marketing purposes, such as phone calls, texts, emails and faxes. One of the rules is that organisations must not make unsolicited marketing calls to individuals who have registered their numbers with the Telephone Preference Service (TPS), unless they have given their prior consent to receive such calls from that organisation. The TPS is a free service that allows individuals to opt out of receiving any marketing calls. It is a legal requirement for organisations to check the TPS before making any marketing calls and to respect the preferences of the individuals registered on it. If an organisation fails to comply with this rule, it may face enforcement action from the Information Commissioner's Office (ICO), which is the UK's data protection authority and the regulator of PECR.Reference:
In the terms of their relevance under data protection legislation, how can CCTV images recorded in a supermarket BEST be described'?
CCTV images recorded in a supermarket are personal data as they can be used to identify living human beings, either directly or indirectly, by their physical appearance, clothing, accessories, or other distinctive features. Personal data is defined in Article 4(1) of the GDPR as ''any information relating to an identified or identifiable natural person''. The GDPR applies to the processing of personal data by automated means, such as CCTV cameras, or by non-automated means that form part of a filing system, such as paper records. The other options are incorrect because:
CCTV images are not special category data as they do not reveal any of the sensitive information listed in Article 9(1) of the GDPR, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, or biometric or genetic data. Special category data is subject to stricter conditions and safeguards under the GDPR, as it poses a higher risk to the rights and freedoms of individuals.
CCTV images are not biometric data in the terms of the definition stipulated in the GDPR. Biometric data is defined in Article 4(14) of the GDPR as ''personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data''. CCTV images do not result from specific technical processing, nor do they allow or confirm the unique identification of a natural person, unless they are combined with other data or identifiers.
The GDPR is not only engaged where CCTV images are accompanied by text or other identifier. The GDPR applies to any information that relates to an identified or identifiable natural person, regardless of whether it is accompanied by text or other identifier. CCTV images can relate to an identifiable natural person even if they do not contain any text or other identifier, as long as there is a possibility to single out or link the person to other data or factors.Reference:
- Select Question Types you want
- Set your Desired Pass Percentage
- Allocate Time (Hours : Minutes)
- Create Multiple Practice tests with Limited Questions
- Customer Support
Elke
26 days agoFrancisca
2 months agoMendy
3 months agoFabiola
3 months agoViola
4 months agoMatt
4 months agoIvette
4 months agoLemuel
5 months agoAngelica
5 months agoLauran
5 months agoDominque
6 months agoAileen
6 months agoVirgina
6 months agoViola
7 months agoDerick
7 months agoJules
7 months agoHubert
7 months agoEdison
7 months agoNa
8 months agoBrianne
8 months agoMonroe
9 months agoPatria
10 months agoArlyne
10 months agoMadonna
10 months agoTruman
11 months agoEmile
11 months agoMerlyn
11 months agoCarli
1 years ago