
100+ Free EXIN PDPF Practice Questions

Pass your EXIN Privacy and Data Protection Foundation (PDPF) exam on the first try — instant access, no signup required.

  • No registration
  • No credit card
  • No hidden fees
  • Start practicing immediately

Key Facts: EXIN PDPF Exam

  • Exam Questions: 40 (source: EXIN Preparation Guide)
  • Exam Duration: 60 min (source: EXIN Preparation Guide)
  • Passing Score: 65% (26/40) (source: EXIN Preparation Guide)
  • GDPR Applicability Date: 25 May 2018 (source: GDPR Official Journal)
  • Maximum GDPR Fine (Article 83(5)): €20M / 4% (source: GDPR Article 83)
  • Breach Notification to Supervisory Authority: 72 hours (source: GDPR Article 33)

The EXIN PDPF exam has 40 closed-book multiple-choice questions in 60 minutes with a 65% passing score (26 of 40). It tests foundational understanding of GDPR across six domains: data protection laws and introduction (15%), personal data types and special categories (20%), roles of controllers, processors, and DPO (20%), rights of data subjects (15%), data processing principles (15%), and data breaches and incident response (15%).

Sample EXIN PDPF Practice Questions

Try these sample questions to test your EXIN PDPF exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which regulation is the primary legal framework that the EXIN Privacy and Data Protection Foundation exam is based on?
A. The EU General Data Protection Regulation (GDPR)
B. The California Consumer Privacy Act (CCPA)
C. The Health Insurance Portability and Accountability Act (HIPAA)
D. The Personal Information Protection and Electronic Documents Act (PIPEDA)
Explanation: The EXIN PDPF exam is grounded in the EU General Data Protection Regulation (GDPR), which became directly applicable across all EU member states on 25 May 2018. GDPR replaced the 1995 Data Protection Directive and establishes a comprehensive framework for the protection of personal data.

2. On what date did the GDPR become directly applicable in all EU member states?
A. 25 January 2012
B. 4 May 2016
C. 25 May 2018
D. 1 January 2020
Explanation: GDPR (Regulation 2016/679) entered into force on 24 May 2016 but became applicable on 25 May 2018 after a two-year transition period. This distinction between 'entry into force' and 'date of application' is a common exam point.

3. Which previous EU legal instrument did the GDPR replace?
A. Directive 95/46/EC (Data Protection Directive)
B. Regulation (EU) 2018/1725
C. Directive 2002/58/EC (ePrivacy Directive)
D. Directive 2016/680 (Law Enforcement Directive)
Explanation: GDPR replaced the Data Protection Directive 95/46/EC, which had been in force since 1995. Unlike a directive, the GDPR is a regulation and is directly applicable without transposition into national law, creating a more uniform framework across member states.

4. What is 'personal data' as defined under the GDPR?
A. Any information relating to an identified or identifiable natural person
B. Any data stored in a structured database by an organisation
C. Any information relating to a company or legal entity
D. Data that is encrypted and stored securely by a controller
Explanation: Article 4(1) GDPR defines personal data as 'any information relating to an identified or identifiable natural person ('data subject').' The definition is intentionally broad and covers any information — digital, paper, image, or audio — that can directly or indirectly identify a living individual.

5. Under the GDPR, which of the following is an example of personal data?
A. The average temperature in a city over one year
B. A company's annual turnover figure
C. An individual's IP address
D. The total number of website visitors per day
Explanation: An IP address is personal data under the GDPR because it can be used to identify a natural person, either directly or in combination with other information held by the controller or a third party. Recital 30 GDPR explicitly mentions IP addresses and internet identifiers as potential personal data.

6. Which of the following categories of personal data is explicitly classified as 'special category data' under Article 9 of the GDPR?
A. Email address and phone number
B. Employer name and job title
C. Genetic data and biometric data processed to uniquely identify a person
D. Postal address and date of birth
Explanation: Article 9 GDPR lists special categories of personal data that merit higher protection because of their sensitivity. These include data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data (processed for unique identification), health data, and data concerning a person's sex life or sexual orientation.

7. Why does the GDPR apply stricter rules to special category data?
A. Because its misuse could cause significant harm or discrimination to individuals
B. Because it is always stored in encrypted format
C. Because it is only collected by government bodies
D. Because it is technically more complex to process than ordinary personal data
Explanation: Special category data (health, biometric, racial origin, religious beliefs, etc.) is given enhanced protection because processing it poses heightened risks. If misused or breached, it can lead to discrimination, stigma, reputational damage, or other serious harm to data subjects, justifying a higher processing bar.

8. Under GDPR, data about criminal convictions and offences is subject to special rules. Which article governs this processing?
A. Article 6
B. Article 9
C. Article 10
D. Article 17
Explanation: Article 10 GDPR specifically addresses processing of personal data relating to criminal convictions and offences, requiring that such processing only takes place under the control of official authority or when authorised by EU or member state law. This is distinct from the Article 9 special categories.

9. What is pseudonymisation as defined in the GDPR?
A. Processing personal data in such a way that it can no longer be attributed to a specific data subject without additional information held separately
B. The permanent deletion of all personal data so that it cannot be recovered
C. Encrypting data with a key managed solely by a third-party processor
D. Replacing names with unique codes that are publicly available
Explanation: Article 4(5) GDPR defines pseudonymisation as processing personal data so that it can no longer be attributed to a specific data subject without the use of additional information, provided that additional information is kept separately with technical and organisational measures to prevent re-identification. Pseudonymised data is still personal data.

10. What distinguishes anonymised data from pseudonymised data under the GDPR?
A. Anonymised data cannot be re-identified by anyone using any means; pseudonymised data can be reversed with additional information
B. Anonymised data is processed by the controller; pseudonymised data is processed by the processor
C. Anonymised data must be encrypted; pseudonymised data does not require encryption
D. Anonymised data applies only to public authorities; pseudonymised data applies to private companies
Explanation: Truly anonymised data — from which all identifying information has been irreversibly removed — falls outside the GDPR's scope entirely. Pseudonymised data retains a link (via separate additional information) that permits re-identification, so it remains personal data subject to GDPR. The distinction is reversibility.

About the EXIN PDPF Exam

The EXIN Privacy and Data Protection Foundation (PDPF) validates foundational knowledge of the EU General Data Protection Regulation (GDPR). It covers the legal framework and scope of GDPR, types of personal data and special categories, the roles of controllers, processors, and Data Protection Officers, all data subject rights, the seven data protection principles, lawful bases for processing, and the requirements for managing personal data breaches.

  • Questions: 40 scored questions
  • Time Limit: 60 minutes
  • Passing Score: 65% (26 of 40)
  • Exam Fee: Varies by region and delivery route; often bundled with accredited EXIN training (EXIN)

EXIN PDPF Exam Content Outline

  • Data Protection Laws & Introduction (15%): GDPR history and applicability, territorial scope, supervisory authorities, EDPB, fines under Article 83, and international transfer mechanisms
  • Personal Data — Types & Special Categories (20%): Personal data definition, pseudonymisation, anonymisation, special categories (Article 9), criminal data (Article 10), genetic, biometric and health data, children's data
  • Roles — Controllers, Processors & DPO (20%): Controller and processor definitions, joint controllers, sub-processors, Article 28 DPAs, DPO designation and tasks, records of processing activities (Article 30)
  • Rights of Data Subjects (15%): Right of access, rectification, erasure, restriction, portability, object, automated decision-making, and right to complain to supervisory authority
  • Data Processing Principles (15%): Article 5 principles, Article 6 lawful bases, consent requirements, privacy by design and default, DPIA triggers and content
  • Data Breaches & Incident Response (15%): Personal data breach definition, processor-to-controller notification, 72-hour supervisory authority notification, high-risk data subject notification, and breach documentation

How to Pass the EXIN PDPF Exam

What You Need to Know

  • Passing score: 65% (26 of 40)
  • Exam length: 40 questions
  • Time limit: 60 minutes
  • Exam fee: Varies by region and delivery route; often bundled with accredited EXIN training

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

EXIN PDPF Study Tips from Top Performers

1. Read Articles 4, 5, 6, 7, 9, 10, 12-22, 25, 28, 30, 33, 34, 35, 37, 38, 39, 83 of the GDPR — these directly drive exam questions
2. Know the exact definitions in Article 4: personal data, processing, controller, processor, data subject, pseudonymisation, profiling, consent
3. Memorise the seven Article 5 principles and match each to a practical scenario
4. Understand the two-tier fine structure: Article 83(4) lower tier (€10M/2%) vs Article 83(5) higher tier (€20M/4%)
5. Learn the breach notification chain: processor → controller (without undue delay) → supervisory authority (72h if risk) → data subjects (if high risk)
6. Distinguish the Article 15 right of access from Article 20 data portability — access applies to all processing; portability only where consent or contract + automated processing
7. Remember that Article 17 erasure has exceptions (Article 17(3)) — legal obligation and public interest are key exemptions

Frequently Asked Questions

What is the EXIN PDPF exam format?

The EXIN Privacy and Data Protection Foundation (PDPF) exam consists of 40 closed-book multiple-choice questions to be completed in 60 minutes. A score of 65% (26 correct out of 40) is required to pass. The exam is based on the EU General Data Protection Regulation (GDPR) and tests foundational knowledge across six domains.

Is the EXIN PDPF a good entry-level GDPR certification?

Yes. The EXIN PDPF is widely recognised as an accessible entry point for GDPR knowledge, suitable for anyone working with personal data — IT professionals, HR, legal, compliance, and management. It establishes foundational understanding before progression to the Practitioner level (PDPP) or to the IAPP CIPP/E for deeper expertise.

What GDPR topics are covered in the EXIN PDPF?

EXIN PDPF covers: GDPR history, scope, and fines (15%); personal data definitions, special categories, pseudonymisation and anonymisation (20%); controller, processor, DPO roles and Article 28 DPAs (20%); all data subject rights including access, erasure, portability, and object (15%); the seven Article 5 principles, lawful bases, and privacy by design (15%); and personal data breach notification requirements under Articles 33-34 (15%).

Do I need prior experience or certifications for EXIN PDPF?

No formal prerequisites exist. Basic familiarity with IT and business processes is helpful but not required. EXIN recommends accredited training for the best preparation. Many candidates with existing legal or compliance backgrounds pass with relatively little study time.

What is the difference between EXIN PDPF and PDPP?

EXIN PDPF (Foundation) tests conceptual knowledge of GDPR: definitions, roles, principles, rights, and breach rules. EXIN PDPP (Practitioner) tests applied competence through scenario-based questions covering DPIA implementation, controller-processor relationships, data breach management, and international transfers in practice. The Practitioner exam has 40 questions in 120 minutes and a 65% pass mark.