Trusted Worldwide Questions & Answers
Most Recent BCS PDP9 Exam Dumps
Prepare for the BCS Practitioner Certificate in Data Protection exam with our extensive collection of questions and answers. These practice Q&A are updated according to the latest syllabus, providing you with the tools needed to review and test your knowledge.
QA4Exam focus on the latest syllabus and exam objectives, our practice Q&A are designed to help you identify key topics and solidify your understanding. By focusing on the core curriculum, These Questions & Answers helps you cover all the essential topics, ensuring you're well-prepared for every section of the exam. Each question comes with a detailed explanation, offering valuable insights and helping you to learn from your mistakes. Whether you're looking to assess your progress or dive deeper into complex topics, our updated Q&A will provide the support you need to confidently approach the BCS PDP9 exam and achieve success.
The questions for PDP9 were last updated on Apr 21, 2026.
- Viewing page 1 out of 8 pages.
- Viewing questions 1-5 out of 40 questions
Which of the following is NOT a role of the Information Commissioner's Office?
The Information Commissioner's Office (ICO) is the UK's independent authority for data protection, which is responsible for upholding the UK GDPR and the Data Protection Act 2018, as well as other related legislation. The ICO has various roles and tasks, such as monitoring and enforcing the application of the data protection law, promoting public awareness and understanding of the risks and rights related to processing, advising the Parliament and the government on legislative and administrative measures concerning data protection, encouraging the development of codes of conduct and certification schemes, and handling complaints and investigations. However, the ICO does not provide case by case advice on what retention period companies should use, as this is a matter for the companies themselves to determine, based on their own purposes, legal obligations, and risk assessments. The ICO only provides general guidance on the data minimisation and storage limitation principles, which require that personal data should be kept only for as long as necessary and no longer than that. The ICO also expects companies to have clear policies and procedures on how they retain and dispose of personal data, and to document their retention periods and the reasons for them.Reference:
ICO guidance on the role of the ICO2
ICO guidance on data minimisation and storage limitation3
A company has twenty retail outlets in France and thirty retail outlets in Belgium The payroll department and the Data Protection Officer are based in Poland. The Company Board and administrative functions are based in Germany. Determine where the company's 'main establishment' would be
The main establishment of a controller or a processor in the EU is the place where the decisions on the purposes and means of the processing of personal data are taken and implemented. According to Recital 36 of the GDPR, the main establishment of a controller with establishments in more than one Member State should be the place of its central administration in the EU, unless the decisions on the processing are taken in another establishment of the controller in the EU and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions should be considered to be the main establishment. Similarly, the main establishment of a processor with establishments in more than one Member State should be the place of its central administration in the EU, or, if the processor has no central administration in the EU, the establishment of the processor in the EU where the main processing activities take place to the extent that the processor is subject to specific obligations under the GDPR. The main establishment is relevant for determining the lead supervisory authority, the applicable law, and the jurisdiction of the courts for cross-border processing of personal data. In this case, the company's main establishment would be Germany, as it is the place where the company board and administrative functions are based and where the decisions on the processing of personal data are likely to be taken and implemented.Reference:
Article 56 of the GDPR
An individual applies for a job as a security guard The employer has had significant issues with the sickness record of past recruits They therefore decide to offer the position to the individual on the basis they request a copy of their medical record so that the employer can be assured that they are in a good state of health.
The Data Protection Officer has been asked to advise. What advice is MOST appropriate?
The Data Protection Act 2018 (DPA 2018) makes it a criminal offence for a person to require another person to make a subject access request for information about their health, convictions or cautions, or spent convictions, and to provide that information to the first person or a third person, as a condition of providing or offering to provide goods, facilities or services, or as a condition of entering into or continuing a contract. This is known as an enforced subject access request. The employer in this scenario is committing a criminal offence by offering the job to the individual on the condition that they request a copy of their medical record and provide it to the employer. The employer is also breaching the data protection principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, and storage limitation, as they are processing health data, which is a special category of personal data, without a valid legal basis, without informing the individual of the purpose and legal basis of the processing, and without limiting the processing to what is necessary and relevant for the employment relationship. The employer should instead obtain the individual's explicit consent to request the health information directly from the relevant health professional, and only request the information that is necessary and proportionate for the specific role of a security guard.Reference:
ICO guidance on enforced subject access requests4
ICO guidance on special category data5
In which of the following circumstances does a public authority NOT need to appoint a Data Protection Officer?
Under Article 37 of the UK GDPR, a public authority or a public body must appoint a data protection officer (DPO) unless it is a court acting in its judicial capacity. This is the only exception for public authorities or bodies from the obligation to appoint a DPO. The other circumstances listed in the question, such as processing a large amount of personal data, processing special category data, or being defined as a public body in the Data Protection Act 2018, do not exempt a public authority or a public body from appointing a DPO.Reference:
Data protection officers | ICO2
What is the Employment Practices Code?
The Employment Practices Code is a guidance document issued by the ICO that provides recommendations on how to comply with the data protection principles and the rights of data subjects when processing personal data in the context of employment. The code covers various aspects of employment practices, such as recruitment and selection, employment records, monitoring at work, and information about workers' health. The code is not legally binding, but it reflects the ICO's interpretation of the Data Protection Act and the UK GDPR, and it may be used as evidence in legal proceedings or investigations. The code is intended to help employers balance their legitimate interests in managing their workforce with the privacy rights of their workers.Reference:
Quick Guide to the Employment Practices Code
Unlock All Questions for BCS PDP9 Exam
Full Exam Access, Actual Exam Questions, Validated Answers, Anytime Anywhere, No Download Limits, No Practice Limits
Get All 40 Questions & Answers