5.4 GDPR for Organizations Quiz

1.

A healthcare provider discovers on Monday morning that patient records were accessed without authorisation over the weekend. Under GDPR Art. 33, when must it notify the DPA?

2.

An organisation is planning to introduce a city-wide facial recognition system to monitor pedestrian behaviour. What must it carry out before deployment?

3.

A company is fined for violating GDPR's core principles — specifically, processing data without a lawful basis. What is the maximum fine it can receive?

4.

Explain the difference between a data controller and a data processor, and give a real-world example of each role.

5.

A marketing analytics company processes customer data on behalf of an e-commerce retailer, following the retailer's instructions. What GDPR role does the analytics company hold?

6.

Which of the following organisations is NOT required to appoint a Data Protection Officer under GDPR Art. 37?