100+ Free EXIN PDPP Practice Questions

Pass your EXIN Privacy and Data Protection Practitioner (PDPP) exam on the first try — instant access, no signup required.

Question 1
An EU controller transfers data to an Indian IT service provider for back-office processing. India does not have an EU adequacy decision. The controller signs an Article 28 DPA with the Indian provider. Is this sufficient for GDPR transfer compliance?


Key Facts: EXIN PDPP Exam

  • Exam Format: 40 MCQ / 120 min (source: EXIN)
  • Passing Score: 65% (source: EXIN)
  • GDPR Breach Notification Deadline (Article 33): 72 hours (source: GDPR Article 33)
  • Privacy by Design and Default: Article 25 (source: GDPR)
  • Certification Level: Advanced (source: EXIN)
  • Accredited Training Requirement: Mandatory (source: EXIN)

EXIN PDPP is a scenario-based, closed-book exam of 40 MCQs over 120 minutes with a 65% pass mark. Mandatory accredited training is required before sitting. The exam tests applied GDPR knowledge across six domains including DPIAs, controller-processor contracts, breach notification, international transfers, and data protection governance.

Sample EXIN PDPP Practice Questions

Try these sample questions to test your EXIN PDPP exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. A data protection policy must specify the organization's approach to handling personal data. Which element is MOST critical to include in such a policy to ensure GDPR compliance?
  A. The legal bases for processing personal data and the purpose limitations
  B. The names of all employees who handle personal data
  C. A complete inventory of all IT systems used by the organization
  D. The salary ranges of the data protection team
Explanation: A GDPR-compliant data protection policy must specify the legal bases for processing (Article 6 GDPR) and the purposes for which data is collected and used (purpose limitation principle, Article 5(1)(b)). These are foundational elements that govern all personal data processing activities within the organization.

2. The principle of 'data protection by design and by default' is codified in which GDPR article?
  A. Article 25
  B. Article 24
  C. Article 32
  D. Article 35
Explanation: Article 25 GDPR specifically addresses data protection by design and by default. It requires controllers to implement appropriate technical and organisational measures at the design stage of processing systems, and to ensure that by default only personal data necessary for the specific purpose is processed.

3. An organization is launching a new mobile health app that will collect users' heart rate data. According to the data protection by design principle, when should privacy controls be implemented?
  A. After the app is launched and user complaints are received
  B. During the testing phase before launch
  C. At the earliest design stage, before development begins
  D. Only when processing special category data
Explanation: Data protection by design (Article 25 GDPR) requires that privacy and data protection are embedded into processing activities from the earliest stage, i.e., at the design stage before development begins. Retrofitting privacy controls is more costly, less effective, and often leaves residual risks.

4. Which of the following BEST describes the 'data protection by default' requirement under Article 25(2) GDPR?
  A. Only personal data necessary for each specific purpose of processing shall be processed by default
  B. All personal data must be encrypted by default
  C. Personal data must be deleted after 30 days by default
  D. Users must opt-in to all marketing communications by default
Explanation: Article 25(2) GDPR defines data protection by default as ensuring that, by default, only personal data which is necessary for each specific purpose of the processing is processed. This applies to the amount of data collected, the extent of processing, the period of storage, and the accessibility of data.

5. A company's data protection policy contains a retention schedule stating customer data should be kept for 7 years post-contract. This schedule is directly derived from which GDPR principle?
  A. Storage limitation
  B. Integrity and confidentiality
  C. Data minimisation
  D. Accuracy
Explanation: The storage limitation principle (Article 5(1)(e) GDPR) requires that personal data be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. A retention schedule is the practical implementation of this principle, and any retention period should be justified by a legitimate purpose or legal obligation.

6. A DPO reviews the organization's privacy notices and finds they do not mention the right to lodge a complaint with a supervisory authority. Under GDPR, this information must be provided under which article?
  A. Article 13 and Article 14
  B. Article 17
  C. Article 28
  D. Article 37
Explanation: Articles 13 and 14 GDPR specify the information that must be provided when collecting personal data directly (Article 13) or from other sources (Article 14). Both require informing data subjects of their right to lodge a complaint with a supervisory authority. Omitting this renders the privacy notice non-compliant.

7. ISO/IEC 27701 extends ISO/IEC 27001 by providing requirements for a Privacy Information Management System (PIMS). Which role does ISO/IEC 27701 primarily address?
  A. Only data controllers processing personal data
  B. Only data processors handling personal data on behalf of controllers
  C. Both data controllers and data processors
  D. Solely supervisory authorities enforcing GDPR
Explanation: ISO/IEC 27701:2019 provides requirements and guidance for establishing, implementing, maintaining, and continually improving a PIMS for both data controllers and data processors. It contains separate annexes with specific controls and guidance for each role, making it applicable across the entire data processing ecosystem.

8. An organization implements a Privacy Information Management System (PIMS). What is the primary purpose of a Statement of Applicability (SoA) within this framework?
  A. To document which privacy controls are applicable, implemented, and their justification
  B. To list all data subjects whose data is processed
  C. To replace the Records of Processing Activities (RoPA) required under GDPR
  D. To inform supervisory authorities of the organization's processing activities
Explanation: In a PIMS (per ISO/IEC 27701), the Statement of Applicability (SoA) documents the privacy controls selected from the standard's control set, explains which controls are applicable and why, and records how they have been implemented. It provides a traceable link between the organization's risk assessment, control selection, and actual implementation.

9. Under GDPR, organisations must maintain Records of Processing Activities (RoPA). Which organisation is EXEMPT from this requirement under Article 30(5)?
  A. A controller employing fewer than 250 employees whose processing is only occasional and poses no risk
  B. A controller employing fewer than 250 employees that processes special category data
  C. A processor with fewer than 250 employees that handles health data
  D. Any public authority regardless of employee count
Explanation: Article 30(5) GDPR exempts organisations with fewer than 250 employees from the RoPA obligation ONLY if the processing is not likely to result in a risk to the rights and freedoms of data subjects, is only occasional, and does not include special category data (Article 9) or criminal conviction data (Article 10). All three conditions must be met simultaneously.

10. A DPO is conducting a management review of the organisation's data protection programme. Which outcome would MOST directly demonstrate that data protection is embedded in business processes?
  A. Integration of data protection objectives into the annual business plan with measurable KPIs
  B. Completion of annual staff awareness training
  C. Submission of a privacy audit report to the supervisory authority
  D. A signed commitment from the DPO to uphold GDPR
Explanation: Genuine embedding of data protection into an organisation requires that data protection objectives be integrated into the wider business strategy with measurable indicators. This demonstrates leadership commitment (Article 26 principle of accountability) and ensures DP considerations influence business decisions, a core goal of a mature PIMS.

About the EXIN PDPP Exam

EXIN Privacy and Data Protection Practitioner (PDPP) is an advanced-level GDPR certification validating the ability to implement and manage data protection in practice. It covers DPIA methodology, controller-processor relationships, data breach response, international transfers, and data protection governance — all through applied, scenario-based questions.

  • Questions: 40 scored questions
  • Time Limit: 120 minutes
  • Passing Score: 65% (26/40)
  • Exam Fee: Contact EXIN or an accredited training provider (EXIN)

EXIN PDPP Exam Content Outline

  • Data Protection Policy and Management (15%): Organisational policies, privacy by design and default (Article 25), data minimisation, purpose limitation, accountability
  • Organising Data Protection: Roles and Governance (20%): PIMS (ISO 27701), DPO designation and independence (Articles 37-39), Records of Processing Activities (Article 30)
  • Controller/Processor Relationships and Contracts (15%): Data Processing Agreements (Article 28), joint controllers (Article 26), sub-processor authorisation, processor obligations
  • DPIA: Assessment and Risk (20%): DPIA triggers, four-step methodology, WP248 criteria, risk matrix, prior consultation with supervisory authority (Article 36)
  • Data Breaches: Notification and Response (15%): Breach definition (Article 4(12)), 72-hour notification (Article 33), data subject notification (Article 34), breach register
  • International Transfers (15%): Adequacy decisions (Article 45), SCCs (Article 46), BCRs (Article 47), Article 49 derogations, Schrems II TIA, EU-US DPF

How to Pass the EXIN PDPP Exam

What You Need to Know

  • Passing score: 65% (26/40)
  • Exam length: 40 questions
  • Time limit: 120 minutes
  • Exam fee: Contact EXIN or an accredited training provider

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

EXIN PDPP Study Tips from Top Performers

1. Focus on DPIA methodology (Article 35): know the four steps, WP248 criteria, and when prior consultation (Article 36) is mandatory
2. Master Article 28 DPA mandatory clauses: purpose, duration, nature, sub-processor authorisation, audit rights, and data deletion/return
3. Understand the Schrems II Transfer Impact Assessment obligation before using SCCs for non-adequate third countries
4. Know the 72-hour breach notification clock: it starts when the controller becomes aware, runs continuously including weekends, and phased notification is permitted under Article 33(4)
5. Distinguish between anonymisation (outside GDPR scope) and pseudonymisation (still personal data): this distinction appears in multiple question scenarios
6. Study the DPO independence requirements: the DPO cannot receive instructions, cannot be dismissed for performing tasks, and must report to highest management

Frequently Asked Questions

What is the EXIN PDPP exam format?

The EXIN Privacy and Data Protection Practitioner (PDPP) exam consists of 40 multiple-choice questions with a 120-minute time limit. It is a closed-book exam with no electronic devices permitted. A score of 65% (26 correct answers) is required to pass. Mandatory accredited training must be completed before sitting the exam.

What GDPR topics does the EXIN PDPP exam cover?

The PDPP exam covers six domains: data protection policies and management; organising data protection roles and governance (including PIMS/ISO 27701 and the DPO role); controller/processor relationships and contracts; Data Protection Impact Assessments (DPIA); data breach notification and response; and international data transfers including SCCs, BCRs, and the Schrems II Transfer Impact Assessment.

Is EXIN PDPF required before taking PDPP?

EXIN strongly recommends passing the Privacy and Data Protection Foundation (PDPF) before attempting PDPP. PDPP is an advanced-level exam that assumes solid foundational GDPR knowledge. Mandatory accredited training is required, and PDPF topics are prerequisites within that training.

How does EXIN PDPP compare to IAPP CIPP/E?

Both are European data protection certifications, but they differ in approach. IAPP CIPP/E is a broader European privacy law exam covering regulatory frameworks beyond GDPR (ePrivacy, national laws). EXIN PDPP is more applied and process-focused — emphasising DPIA methodology, controller-processor management, and governance implementation. Many practitioners hold both certifications.

What is a Transfer Impact Assessment (TIA) and why is it tested in PDPP?

A Transfer Impact Assessment (TIA) is a mandatory evaluation required after the Schrems II CJEU ruling (2020). When transferring EU personal data to a third country using SCCs, the exporter must assess whether the destination country's law allows the importer to comply with the SCCs. If it does not, additional supplementary measures (e.g., encryption with keys held in the EU) must be applied or the transfer suspended. PDPP tests this applied GDPR transfer compliance knowledge.

Do I need to know specific GDPR article numbers for the PDPP exam?

The PDPP exam is scenario-based and applied rather than purely definitional. While you do not need to memorise every article number, you must understand the requirements of key articles including Articles 5, 13-14, 17, 20-22, 24-28, 30, 33-36, 37-40, 42-43, 45-47, and 49. Understanding what each article requires in practical situations is essential for answering case-based questions correctly.