
QUESTIONS FROM DATA PRIVACY QUIZ

(Please read e-Circular Sl No.552/2021-22 dated 31.08.2021 on GDPR Compliance and
Sl.No.1480/2019-20 dated 15.01.2020 on Data Governance Framework)

1 Which nation’s cyber security law plans to purge foreign technology from Banks, state-owned
enterprises and the military?
a. North Korea
b. China
c. Russia
d. India
2 Which is not a component of the Data Minimisation process?
a. Relevance
b. Adequacy
c. Necessity
d. Definability
3. The Personal Data Protection Bill (PDP Bill) is based on the recommendations of the report of
the Expert Committee headed by?
a. Justice B. N. Srikrishna
b. Justice N. V. Ramana
c. Justice U. U. Lalit
d. Justice D Y Chandrachud
4. What are the obligations on organisations under GDPR?
a. Organisations must put in place technical and organisational measures to ensure
optimal data protection and able to demonstrate compliance.
b. Organisation must keep data on European Internet users for a minimum of 5 years
c. Organisation must share all user data with the European institutions in the interests of
transparency.
d. Organisations must put in place data protection mechanism for non-personal data.
5. An Expert Committee on Non-Personal Data Governance Framework was set up by the government.
Who is the chairman of this committee?
a. Mr Kris Gopalakrishnan
b. Mr. N R Narayana Murthy
c. Mr Nandan M Nilekani
d. Mr S. D. Shibulal
6. What are the maximum penalties for contravention under PDP Bill?
a. INR 15 Crores or 4% of the worldwide turnover of the entity.
b. INR 50 Crores or 4% of the worldwide turnover of the entity.
c. INR 15 Crores or 2% of the worldwide turnover of the entity.
d. INR 50 Crores or 2% of the worldwide turnover of the entity.
7 Which among the following is not a Data protection security technique?
a. Pseudonymisation
b. Anonymisation
c. Encryption
d. Syllabification
8 True or False, Bank needs to compulsorily issue privacy notice to all its domestic customers to
comply with GDPR.
a. True
b. False
9 The DATA is ________ asset for an organisation.
a. Financial
b. Intangible
c. Tangible
d. Liquid
10 Which European country has levied the highest number of fines for GDPR non-compliance? (in
counts not in amount)
a. France
b. Italy
c. Spain
d. Germany
11 Which High Court has recently ruled that couples planning to marry under Special Marriage Act
shall choose not to publish thirty-day notice before registering their marriage as it invades the
fundamental rights of liberty and privacy of bride & groom?
a. Punjab & Haryana High Court
b. Calcutta High Court
c. Madras High Court
d. The Allahabad High Court
12 True or False, a group of companies or public authorities may appoint a single data protection
officer to represent them all, under GDPR.
a. True
b. False
13 Under which section of (Indian) Information Technology Act, 2000, has disclosure of information,
knowingly and intentionally, without the consent of the person concerned and in breach of the
lawful contract been made punishable?
a. Section 52B
b. Section 72A
c. Section 39A
d. Section 101B
14 ________ determines the purpose & means of processing of personal data of data subjects.
a. Data controllers
b. Data Protection Authority
c. Data Subjects
d. Data Processors
15 Under which section of (Indian) Information Technology Act, 2000, sending ‘grossly offensive’
or ‘menacing’ information using a computer resource or communication device is a punishable
offense?
a. Section 69
b. Section 72C
c. Section 101
d. Section 66A
16 Which is not a risk mitigation measure under Data Protection Impact Assessment (DPIA)?
a. Deciding not to collect or store some types of personal Data
b. Putting in place strict retention periods
c. Ensuring that individuals are fully informed about how their PD will be used
d. Collecting as many details from individual as possible for assessment.
17 While using IoT devices in your home, it’s best to ______
a. Never turn them off so they can always function at their full capability.
b. Only allow them access to your name, calendar and locations
c. Set them up on a secure Wi-fi network
d. All of the above
18 The pioneer DPA that issued the first GDPR fine was _____
a. The Portuguese DPA
b. The U.K. DPA
c. The Bulgarian DPA
d. The Hungarian DPA
19 You have received an email purportedly from Flipkart regarding a discount offer for a product
with a link provided. What should you do about it?
a. Click on link immediately and don’t miss the opportunity
b. Verify display name of the sender and proceed to click on the link if it looks genuine
c. Verify the email id of the sender and proceed to click on the link if it looks genuine
d. Go directly to Flipkart website/app and look for the offer there.
20 Which one of these activities falls outside the scope of GDPR?
a. Processing for marketing purpose
b. Processing for domestic and household purposes
c. Processing for the purposes of crime and investigation
d. None of the above
21 True or False, Bank has every right to place cookies at their website and customer must abide
by it without having any option to reject it.
a. True
b. False
22 Under which section of (Indian) Information Technology Act, 2000, is identity theft/ cheating by
personation made punishable?
a. Section 52B
b. Section 72A
c. Section 101B
d. Section 66C
23 Which of the following is not considered Personally Identifiable Information?
a. Aadhaar number
b. Driver’s license number
c. Residential Address
d. Name of workplace
24 What type of personal information is it okay to share with someone you don’t know?
a. Your name & telephone number only
b. Your email address only, if it does not include your name
c. Minor details, like the name of your school and what parents do for a living
d. You should never share any personal information to unknown.
25 Situation for Question: Mr. Ankit is a businessman having an NRI account with one of the banks
in India. He stays and has business operations at Frankfurt. Recently, he got the citizenship
of Germany.
Subsequently, he approached the Bank for closure of account. After closure of the account, he
submitted a request for erasure of all his personal data and transaction details under the RIGHT to
ERASURE. What should Bank’s stand be?
a. Will erase his complete personal information along with all transactions
b. Will erase his personal data but retain the transaction details
c. Will retain PD and transaction details as per extant regulatory instructions.
d. Will retain his transactional data but erase the personal details
26 Which of the following statements are correct? The requirement to maintain records on
processing will apply to an organisation if
i) its processing involves a high risk to the rights and freedom of individuals.
ii) its processing involves special categories of personal data/ data on convictions or offences
iii) it processes very high volumes of personal data
a. i, ii only
b. i, ii, iii
c. ii, iii only
d. None of the above
27 As per Bank’s policy, CM Credit at RBO will not be able to access customer sensitive granular data
of which segments without deviation approval?
(i) Deposits, (ii) Advances, (iii) Operations, (iv) NPA, (v) CVE
a. iii, iv
b. i, iv
c. i, v
d. iii, v
28 Does a data controller have to notify a data breach to the Data Protection Authority (DPA)?
a. Yes, only under certain conditions
b. No, they only need to inform the persons concerned
c. Yes, always
d. None of the above
29 One of the obligations of the GDPR is to maintain records of processing activity. What should
this document contain in particular?
a. The purposes of the processing operation, a description of the categories of data
subjects and categories of personal data.
b. The list of all subcontractors involved in the processing operation
c. The volume of data processed
d. None of the above
30. Which statement defines the DATA Minimisation concept of GDPR?
a. Personal Data collection should include maximum possible information related to
individuals.
b. Personal data shall be adequate, relevant, and limited to what is necessary in relation
to the purposes for which they are processed
c. Personal Data should be processed at minimum possible level by the organisation.
d. None of the above.
31 GDPR is applicable on _______________.
a. All Indian citizens
b. All NRI
c. All NRI, resident of EU
d. All NRI, resident of USA
32 What is the amount of the highest fine (appx) awarded by any EU Data protection regulator?
a. 890 Million Euro
b. 750 Million Euro
c. 100 Million Euro
d. 250 Million Euro
33 True or False, A data processor cannot employ another data processor without the data
controller’s written consent.
a. True
b. False
34 How many countries (appx) have put in place regulations and legislations to secure the
protection of personal data privacy?
a. 100
b. 220
c. 130
d. 59
35 Within what period is an organisation required to notify a supervisory authority about a data
breach within the realm of GDPR?
a. Within 48 hours
b. Within 72 hours
c. Within 12 hours
d. Within 24 hours
36 What does the acronym DPO stand for?
a. Data Preservation Officer
b. Data Positioning Officer
c. Data Protection Officer
d. Data Processing Officer
37 Smishing is a type of attack done over _______
a. Email
b. SMS
c. Wi-fi
d. Pen Drive
38. Under GDPR, how many principles of the Data Protection Act are there?
a. 6
b. 7
c. 8
d. 9
39. As per PDP Bill 2019, who is data fiduciary?
a. Whose data is being collected
b. Who defines purpose & method of processing the data
c. Who processes the data
d. Who audits the data
40 Which of the following is not an example of sensitive personal data?
a. Age
b. Finger Print
c. Ethnic details
d. Political Affiliation
41 Which of the following is not an example of sensitive personal information?
a. Genetic details, sexual life
b. Religion
c. Residential address
d. Bank and credit/debit card numbers
42 ADGC stands for:
a. Apex level data Governance Council
b. Apex Data-protection Governance Council
c. Apex level Data-protection Governance Council
d. Apex level Data-protection Governance Committee
43 In which of these cases is the right to object absolute?
a. Where the processing is based on legitimate interests
b. Where the processing is for scientific, historical, research and statistical purpose
c. Where processing is for direct marketing purposes.
d. None of the above
44 Adopting a privacy-centric GDPR-compliant approach brings no benefits whatsoever to a
company.
a. True
b. False
45 What does the acronym GDPR stand for?
a. General Data Protection Regulation
b. General data Privacy Regulation
c. General Data Privacy resolution
d. Geographical Data Prevention Resolution
46 True or False. The GDPR obliges data controllers to provide a wider range of fair processing
information than is required by the DPA.
a. True
b. False
47 ____________ is an individual whose personal, sensitive personal or privileged information is
processed.
a. Data controllers
b. Data Protection Authority
c. Privacy administrator
d. Data Subject
48 How long should data be retained as per GDPR guidelines?
a. 60 months
b. As per Bank’s Data Retention Policy
c. 120 months
d. 84 months
49 Which among the below is not a correct example of multi factor authentication?
a. Entering password and SMS OTP
b. Entering password and PIN
c. Entering password and face recognition
d. Entering ATM card and PIN for ATM card cash withdrawal
50 What is personal data/ PII (Personally Identifiable Information)?
a. Any data that alone, or in combination with other information, can identify an
individual
b. Historical information published about a monument
c. Any information of an employee
d. Information or data that is stored in a vault.
51 True or False. The GDPR regulations on profiling will only apply where that profiling is carried
out by automated means.
a. True
b. False
52 Under GDPR, ________ is not the base for processing personal data of Individual.
a. Vital Interest of data subjects
b. Public task
c. Legal Obligation
d. Value of data collected
53 Which SBI App was targeted and involved in data breach incident?
a. SBI Quick
b. SBI Buddy
c. SBI Yono
d. SBI Rewardz
54 Which among the following countries is not a part of the European Union?
a. Romania
b. Poland
c. Malta
d. Switzerland
55 Which hacker group was responsible for infamous ‘Colonial Grid attack’ in USA?
a. Anonymous
b. DarkSide
c. Bureau 121
d. Lizard Squad
56 True or False. Privacy Notice for EU-NRI Customers must contain Lawful grounds for processing
personal information.
a. True
b. False
57 Generally speaking, privacy settings:
a. Limit who can access your profile and what information other people can see
b. Control what information can and cannot be shared about you
c. Help parents keep track of what their kids are doing online
d. Manage which apps and devices can access your location
58 How can you limit the information that is collected and stored about you when using the
Internet?
a. Use a search engine that only collects your web searches or logs your personal
information.
b. Turn on Incognito or Private Mode in your browser
c. Use home wi-fi to encrypt your Internet activity
d. All of the above.
59 What kind of transactions are exempted under the provisions of the PDP Bill 2019?
a. Data collected by Small Bank
b. Data collected by Small Business
c. Data collected by UIDAI related to individual Aadhaar card
d. RTO data in relation to individual Driving license
60 Which of the following is not a right of the individual under GDPR?
a. Right to object
b. Right to be informed
c. Right to erasure
d. Right to influence
61 In the event of a data protection breach by the data processor, the processor must notify
a. The Data Protection Authority
b. The Data Subject
c. The Data Controller
d. The Data Auditor
62 The best way to protect your personal information when shopping online is:
a. Saving your credit card information for each purchase
b. Ensuring the site is secure, checking out as a guest, and using a password protected
Wi-fi network or VPN
c. Buying from reputable Canadian retailers who abide by privacy laws
d. All of the above.
63 You need to email a spreadsheet containing personal data. How should you send it?
a. Send it as a password protected attachment with the password in the body of the email
b. Paste the information into the body of the email
c. Send it as a password protected attachment and send the password as a separate
text message.
d. Send the document as a standard attachment.
64 Which among the following is sensitive personal information?
a. Sexual Orientation
b. Country of citizenship
c. Education
d. Name
65 Data Protection Officer in SBI, is a _______________ level officer:
a. DMD
b. CGM
c. GM
d. DGM
66 The right to object empowers the data subject to _______.
a. Have their personal data deleted
b. Question the processing of personal data
c. Have a disputed decision reviewed
d. Can raise objection on Bank’s financial decisions related to individual.
67. Under GDPR, what is not true about consent?
a. It must be made clear to the individual how their data will be used
b. Only share personal data which was consented for. Otherwise, you’ll need to seek
consent again.
c. If you’re unsure about consent, contact the data protection officer of organisation.
d. Consent can be assumed
68 The Supreme Court of India held that ‘privacy is a fundamental right’, in which month?
a. Aug-17
b. Jul-18
c. Dec-15
d. Sep-19
69 Currently, usage and transfer of personal data of citizens is regulated by ________.
a. Banking Regulation Act, 1949
b. IT Act, 2000
c. Civil Procedure Code, 1908
d. Code of Criminal Procedure, 1973
70 Data Loss Prevention (DLP) keywords have been implemented in ________.
a. Office 365 email
b. CBS Access
c. ADS
d. HRMS
71 Who can reject the Data Subject Rights requests?
a. Branch Manager
b. Data Protection Officer
c. Regional Manager
d. DGM (B&O)
72 What are examples of PII?
a. Name
b. E-Mail ID
c. Address
d. All of the above
73 One privacy best practice is ‘keeping your digital household clean’. This means:
a. Starting fresh every other year, buying brand new devices, and setting up new accounts
b. Hiring a professional to clean up the personal information that can be found about you
online
c. Changing your passwords at frequent intervals, reviewing friends lists and
deactivating old accounts on a regular basis
d. Routinely asking your smart assistant to Google search your name and city to see what
information comes up.
74 True or False. All data breaches are incidents, but all incidents are not data breaches.
a. True
b. False
75 True or False. Under the GDPR, data controllers must report every data protection breach to
the supervising authority.
a. True
b. False
76 Which of the following are the risks of GDPR non-compliance:
(i) A large fine,
(ii) A prison sentence,
(iii) Wasted time and cost for breach management, notification, post breach expenses,
(iv) Lost and unrecoverable business,
(v) Reputation and brand damage

a. i, ii, iii, iv
b. all of the above
c. i, iii, iv, v
d. i, ii, iii, iv
77 What is the GDPR?
a. A European law obliging major browsers to comply on the use of personal data
b. A European regulation on data sharing within companies
c. A European Union regulation that aims to standardise the governance of personal
information, particularly in terms of the security and protection of data
d. A European Union regulation that aims to standardise the governance on non-personal
information, particularly in terms of the security and protection of non-personal data.
78 What is considered as lawful consent in the GDPR?
a. A clear affirmative act by which the person freely expresses, in a specific and
informed manner, their consent to data processing.
b. The simple act of downloading a document from a site or mobile application
c. A continuation of navigation on a site or a mobile application by a simple scroll
d. All of the above
79 What is referred to as Cryptojacking?
a. Obtaining your crypto currency wallet password.
b. Hacking your system’s cryptography module
c. Misusing your system’s resources for crypto mining
d. Hacking the encrypted communication between your system and a website.
80 Which of the following categories of data are considered to be of a personal nature?
a. IP address, cookies, name of the site consulted and time of page consultation.
b. Cookies only.
c. IP addresses only
d. None of the above
81 If someone makes a data erasure request, Bank should respond within?
a. 7 days
b. 24 days
c. 30 days
d. 60 days
82 True or False, Under PDP Bill 2019, CASTE of an individual is considered as Sensitive personal
information data.
a. True
b. False
83 How does the GDPR define personal data?
a. Your IP addresses and all personal online information.
b. Any information relating to an identified or identifiable natural person.
c. Your personal bank details and postal address.
d. None of the above.
84 What is privacy-by-design principle?
a. A principle aimed at protecting data sharing within companies.
b. An approach to integrating privacy protection into the design and architecture
specifications of new systems and processes.
c. A methodology for documenting all compliance actions initiated by data controllers
d. None of the above
85 What is the maximum fine for GDPR non-compliance?
a. Euro 10 million and 2 % of annual world wide turnover.
b. Euro 50 million and 5 % of annual world wide turnover
c. Euro 20 million and 4 % of annual world wide turnover
d. Euro 50 million and 4 % of annual world wide turnover
86 Personal data protection bill 2019 was introduced in parliament by which ministry?
a. Ministry of science and technology
b. Ministry of communication
c. Ministry of law and justice
d. Ministry of electronics and IT
87 Under GDPR, __________is not the base for processing personal data of individual.
a. Legitimate interest
b. Consent
c. Contract
d. Vital interest of third party
88 Which of the following passwords is more secure?
a. Boat123
b. Wthy@5z7
c. into!48
d. asdf659
89 Which of the following is correct?
a. The GDPR only applies to organisations based within the EU.
b. The GDPR covers any processing of personal data of people in the EU, regardless of
whether the organisation concerned is based in the EU.
c. The GDPR covers organisations outside the EU who offer goods and services to people
in the EU.
d. All of the above.
90 Under GDPR, Data protection is guided by certain principles on how we should handle data.
Which one of the following is not one of these principles?
a. Only collect what is necessary.
b. Ensure data is accurate and up to date.
c. Ensure data is not duplicated to minimise spread of data.
d. Don’t keep data longer than required and dispose of it properly
91 Which is not a benefit of conducting a Data Processing Impact Assessment (DPIA) under
GDPR?
a. Reducing the cost and disruption of data protection safeguards by integrating them
into a product process design at an early stage.
b. Inspiring confidence in the public by communicating about data protection issues.
c. Ensuring customers are not at risk of their data protection rights.
d. Increased operating costs for controllers due to increased cost of conducting DPIA.
92 Which one of the following would be classified as sensitive personal data?
a. Address
b. Mobile No
c. Name
d. Religion
93 True or False. Bank needs to compulsorily issue privacy notice to all its EU-NRI customers to
comply with GDPR.
a. True
b. False
94 Under GDPR, _______ is not a principle of Data Protection Act?
a. Data Minimisation
b. Purpose limitation
c. Accountability
d. Availability
95 The sharing of Data to the external users should be made on (i) Need-to-know basis, (ii) Need
to Access basis
a. Both
b. Only i
c. Only ii
d. Either i or ii
96 There are _____ rights available to Data subjects under GDPR
a. 6
b. 8
c. 7
d. 9
97 The examination of large amounts of data to see what patterns or other useful information can
be found is known as __________
a. Data Examination
b. Information Analysis
c. Big Data Analytics
d. Data Analysis
98 Joint Parliamentary Committee (JPC) on Data Protection Bill is presently headed by ______
a. Mohua Moitra
b. P. P. Choudhary
c. Sudhanshu Trivedi
d. Meenakshi Lekhi
99 As per Bank’s policy, Field Officer/ RMPB/RMSME at branches will not be able to access customer
sensitive granular data of which segments without deviation approval?
(i) Deposits, (ii) Advances, (iii) Operations, (iv) NPA, (v) CVE
a. i, ii, iii
b. iii, iv, v
c. i, iii, v
d. i, iii
100 Which company holds the record for the largest data breach till date?
a. First American Financial Corp
b. Yahoo
c. Facebook
d. Friend Finder Networks
101 Which company has been penalised with the highest fine for GDPR non-compliance?
a. Google
b. Amazon
c. Facebook
d. Whatsapp
102 Who is primarily concerned by the GDPR?
a. EU residents and all entities/bodies processing their data
b. The major tech companies
c. Company employees
d. All banks operating in any geographical areas.
103 Privacy Notice for EU-NRI Customers does not include:
a. Purpose of collecting data
b. Lawful basis for processing personal information
c. Rights enjoyed by EU-NRI customers
d. Obligation of Data Subjects
104 SBI's Data Governance policy is issued by _________.
a. Information Security Department
b. Data protection cell, Compliance Department
c. Data Management Office
d. IT Risk Management Department
105 As per Bank's Data Governance policy, Data is broadly categorised into ____ .
a. 3
b. 4
c. 6
d. 7
106 Under GDPR, ___________ is not the base for processing personal data of Individual.
a. Legitimate Interest
b. Consent
c. Contract
d. Vital interest of third party
107 Keeping which of the following functionality activated all the time can cause serious threat to
the security of your mobile phone data/details?
a. Rotation
b. Location
c. Bluetooth
d. Mobile data
108 Under GDPR, as an individual you have certain rights over your data, one of which is being able
to see what data an organisation holds on you. A request for data must be responded to by the
organisation within how many days?
a. 30 days
b. 20 days
c. 07 days
d. 14 days
109 As per PDP Bill 2019, who is data principal?
a. Whose data is being collected
b. Who defines purpose & method of processing the data
c. Who processes the data
d. Who utilises the data
110 True or False. Bank does not need explicit consent from customer to market financial products/
services of third parties/ vendors under GDPR.
a. True
b. False
111 Situation for Question: Mr. Ankit is a businessman having an NRI account with one of the banks
in India. He stays and has business operations at Frankfurt. Recently, he got the citizenship
of Germany.
After closure of his account, he submitted the request for not sending any marketing messages
to his mobile no. What will the bank do?
a. Will not send any marketing messages after receiving request.
b. Will continue to send the marketing messages as he was an NRI customer
c. Will only send promotional messages related to cross selling products
d. Will only send promotional messages related to NRI customers
112 Under GDPR, the right of data portability won’t apply if,
a. The data controller is a public authority
b. Disclosure would prejudice the rights and freedom of others
c. The data involved is held on a manual filing system
d. None of the above
113 How can a Data Subject exercise his/ her rights under GDPR as per bank’s guidelines?
(A) By calling the Home Branch
(B) Submitting DSR request Form online/ offline at Branch
(C) Contacting nodal officer at GNC Ernakulam
(D) Contacting Data Protection Officer

a. A, B & D
b. Only B
c. Only C
d. D & C
114 A communication by whatever means of any advertising or marketing material which is
directed to particular individual
a. Social Marketing
b. Personal Marketing
c. Demographic marketing
d. Direct Marketing
115 Legitimate Interest Balancing Test (LIBT) is a form of ________ activity, that identifies the
legitimate interest and balance the processing activity against the rights and freedoms of data
subject.
a. Risk Assessment
b. Risk Mitigation
c. Risk Averse
d. None of the above
116 Under GDPR, data breach is reported depending on the severity: If it’s of high severity, it should
be reported to (A) Customer, (B) Data Protection Authority (DPA)
a. Only A
b. Only B
c. Both
d. Neither
117 Privacy by default principle, captures which element of the Fair Information Principles:
(A) Purpose Specification
(B) Collection Limitation
(C) Data Minimisation
(D) Use, retention, and Disclosure Limitation

a. B, C, & D
b. A & C
c. B & D
d. All of the above
118 Data Breach notification guidelines issued by DP Cell, Compliance Department are presently
applicable to whom? (A) Domestic Customers, (B) NRI Customers, (C) EU Customers,
(D) EU-NRI customers
a. C & D
b. B & C
c. D
d. B
119 Privacy by default in system leads to ________
a. No action is required on the part of individual to protect privacy
b. Individual needs to work in incognito mode in explorer to protect privacy
c. Individual should not share any sensitive information on such systems
d. None of the above
120 Under GDPR, which type of organisation is not exempt from creating and maintaining a Record
of Processing Activities (RoPA)?
a. All organisation need to maintain RoPA
b. If organisation only process sensitive personal data
c. If organisation involves in data processing activity occasionally
d. None of the above
121 For which activity does the Bank have to stop processing the personal data of the individual if
objected by customer?
a. Evidential purposes
b. Regulatory requirement
c. Direct Marketing
d. Bank will continue to process the data as processing activity is based on legitimate
interest.
122 Data Breach notification guidelines to Data Subjects, contains which of the following?
(A) Nature of the breach
(B) Contact details of DPO for any further information about the breach
(C) Description of the likely consequences of the personal data breach
(D) Measures taken and recommended by the bank to the Data Subject concerned to mitigate
the negative consequences of the violation

a. B & C
b. B, C, & D
c. A, B & C
d. All of the above
123 Which article of the EU General Data Protection Regulation (GDPR) requires organisations to
create and maintain a Record of Processing Activities (RoPA)?
a. Article 30
b. Article 12
c. Article 24
d. Article 28
124 The following are the rights of the data subject, except:
a. Right to be informed
b. Right to access
c. Right to claim damage
d. Right to restrict processing
125 Out of the following, where provisions of Data Privacy Bill are being followed:
a. Processing personal information after authorised consent
b. Malicious Disclosure
c. Improper Disposal of Personal Information
d. Accessing personal information due to negligence
126 Where the data subject has exercised their right to be forgotten and the data controller
operates in an online environment in which it makes personal data public (e.g. a social
networking site), then that data controller must inform other organisations who are processing
the data in question so they can________
a. Erase the data and prevent further replication of that data
b. Archive the data
c. Record the data subject obligation
d. All of the above
127 The role of Balancing Test in Legitimate Interest Balancing Test (LIBT) is to:
a. To identify the legitimate interest for processing of personal data of data subjects
b. To identify the necessity of processing of personal data of data subjects
c. To measure that legitimate interest is not overridden by fundamental rights of data
subjects
d. All of the above
128 While opening NRI accounts of customers belonging to EU regions, which of the following
procedures is to be followed?
(A) Issue Privacy Notice (PN)
(B) Take Consent Form
(C) Send signed Privacy Notice to GNC
(D) Send signed Consent Form to GNC

a. A & C
b. B, C, & D
c. A, B, C, & D
d. A, B, & D
129 Issued Privacy notice needed to be kept _______
a. At Branch
b. At GNC along with AOF
c. At LCPC along with AOF
d. None of the above
130 Some of the examples of processing of personal data based on “Legitimate Interest”?
(A) To prevent, detect, investigate, and prosecute fraud and alleged fraud, money laundering
and other crimes
(B) To ensure that complaints are investigated
(C) To protect our business and to comply with laws that apply to us and/or where such
processing is a contractual requirement of the services or financing you have requested

a. B&C
b. A&C
c. A&B
d. All of the above
