Free Practice PECB GDPR Exam Questions 2025

According to the principle of data minimization, data must be: 

Scenario 8: MA store is an online clothing retailer founded in 2010. They provide quality products at areasonable cost. One thing that differentiates MA store from other online shopping sites is theirexcellent customer service.MA store follows a customer-centered business approach. They have created a user-friendly websitewith well-organized content that is accessible to everyone. Through innovative ideas and services,MA store offers a seamless user experience for visitors while also attracting new customers. Whenvisiting the website, customers can filter their search results by price, size, customer reviews, andother features. One of MA store's strategies for providing, personalizing, and improving its productsis data analytics. MA store tracks and analyzes the user actions on its website so it can createcustomized experience for visitors.In order to understand their target audience, MA store analyzes shopping preferences of itscustomers based on their purchase history. The purchase history includes the product that wasbought, shipping updates, and payment details. Clients' personal data and other information relatedto MA store products included in the purchase history are stored in separate databases. Personalinformation, such as clients' address or payment details, are encrypted using a public key. Whenanalyzing the shopping preferences of customers, employees access only the information about theproduct while the identity of customers is removed from the data set and replaced with a commonvalue, ensuring that customer identities are protected and cannot be retrieved.Last year, MA store announced that they suffered a personal data breach where personal data ofclients were leaked. The personal data breach was caused by an SQL injection attack which targetedMA stores web application. The SQL injection was successful since no parameterized queries wereused.Based on this scenario, answer the followingHow could MA store prevent the SQL attack described in scenario 8? 

Scenario: Bankbio is a financial institution that handles personal data of its customers. Its data processing activities involve processing that is necessary for the legitimate interests pursued by the institution. In such cases, Bankbio processes personal data without obtaining consent from data subjects. Is the data processing lawful under GDPR?  

Scenario 8: MA store is an online clothing retailer founded in 2010. They provide quality products at areasonable cost. One thing that differentiates MA store from other online shopping sites is theirexcellent customer service.MA store follows a customer-centered business approach. They have created a user-friendly websitewith well-organized content that is accessible to everyone. Through innovative ideas and services,MA store offers a seamless user experience for visitors while also attracting new customers. Whenvisiting the website, customers can filter their search results by price, size, customer reviews, andother features. One of MA store's strategies for providing, personalizing, and improving its productsis data analytics. MA store tracks and analyzes the user actions on its website so it can createcustomized experience for visitors.In order to understand their target audience, MA store analyzes shopping preferences of itscustomers based on their purchase history. The purchase history includes the product that wasbought, shipping updates, and payment details. Clients' personal data and other information relatedto MA store products included in the purchase history are stored in separate databases. Personalinformation, such as clients' address or payment details, are encrypted using a public key. Whenanalyzing the shopping preferences of customers, employees access only the information about theproduct while the identity of customers is removed from the data set and replaced with a commonvalue, ensuring that customer identities are protected and cannot be retrieved.Last year, MA store announced that they suffered a personal data breach where personal data ofclients were leaked. The personal data breach was caused by an SQL injection attack which targetedMA stores web application. The SQL injection was successful since no parameterized queries wereused.Based on this scenario, answer the followingHow could MA store prevent the SQL attack described in scenario 8? 

Scenario 3:COR Bank is an international banking group that operates in 31 countries. It was formed as themerger of two well-known investment banks in Germany. Their two main fields of business are retailand investment banking. COR Bank provides innovative solutions for services such as payments, cashmanagement, savings, protection insurance, and real-estate services. COR Bank has a large numberof clients and transactions. Therefore, they process large information, including clients' personal data. Some of the data from the application processes of COR Bank, including archived data, is operatedby Tibko, an IT services company located in Canada. To ensure compliance with the GDPR, COR Bankand Tibko have reached a data processing agreement Based on the agreement, the purpose andconditions of data processing are determined by COR Bank. However, Tibko is allowed to maketechnical decisions for storing the data based on its own expertise. COR Bank aims to remain atrustworthy bank and a long-term partner for its clients. Therefore, they devote special attention tolegal compliance. They started the implementation process of a GDPR compliance program in 2018.The first step was to analyze the existing resources and procedures. Lisa was appointed as the dataprotection officer (DPO). Being the information security manager of COR Bank for many years, Lisahad knowledge of the organization's core activities. She was previously involved in most of theprocesses related to information systems management and data protection. Lisa played a key role inachieving compliance to the GDPR by advising the company regarding data protection obligations and creating a data protection strategy. After obtaining evidence of the existing data protectionpolicy, Lisa proposed to adapt the policy to specific requirements of GDPR. Then, Lisa implementedthe updates of the policy within COR Bank. To ensure consistency between processes of differentdepartments within the organization, Lisa has constantly communicated with all heads of GDPR.Then, Lisa implemented the updates of the policy within COR Bank. To ensure consistency betweenprocesses of different departments within the organization, Lisa has constantly communicated withall heads of departments. As the DPO, she had access to several departments, including HR andAccounting Department. This assured the organization that there was a continuous cooperationbetween them. The activities of some departments within COR Bank are closely related to dataprotection. Therefore, considering their expertise, Lisa was advised from the top management totake orders from the heads of those departments when taking decisions related to their field. Basedon this scenario, answer the followingConsidering the GDPR's territorial scope and the data processing agreement between COR Bank andTibko, which of the following best describes Tibko's obligations under the GDPR?