Free BCS PDP9 Exam Actual Questions

The questions for PDP9 were last updated On Apr 22, 2025

At ValidExamDumps, we consistently monitor updates to the BCS PDP9 exam questions by BCS. Whenever our team identifies changes in the exam questions,exam objectives, exam focus areas or in exam requirements, We immediately update our exam questions for both PDF and online practice exams. This commitment ensures our customers always have access to the most current and accurate questions. By preparing with these actual questions, our customers can successfully pass the BCS Practitioner Certificate in Data Protection exam on their first attempt without needing additional materials or study guides.

Other certification materials providers often include outdated or removed questions by BCS in their BCS PDP9 exam. These outdated questions lead to customers failing their BCS Practitioner Certificate in Data Protection exam. In contrast, we ensure our questions bank includes only precise and up-to-date questions, guaranteeing their presence in your actual exam. Our main priority is your success in the BCS PDP9 exam, not profiting from selling obsolete exam questions in PDF or Online Practice Test.

 

Question No. 1

Under which circumstances can the 'domestic purposes' exemption be used to justify non-compliance with the Data Protection Act 2018?

A) An individual sells make up products for commission and uses social media to promote products to friends and family

B) A couple are planning their daughter's wedding and use excel to store contact details and dietary needs of the guests

C) An individual employs a babysitter and stores her bank details in an encrypted document in order to make payments

D) A pansh council keeps a spreadsheet to manage bookings of the village hall, it contains only contact information and time slots

E) A group of students are arranging a house party and using social media to invite people that they do and do not know

Show Answer Hide Answer
Correct Answer: C

The domestic purposes exemption applies to personal data processed by an individual only for the purposes of their personal, family or household affairs. This means that the processing has no connection to any professional or commercial activity. Examples of such processing include writing to friends and family, taking pictures for personal enjoyment, or keeping an address book. However, the exemption does not apply if the individual processes personal data outside the reasonable expectations of the data subject, or if the processing causes unwarranted harm to the data subject's interests. Therefore, the exemption can be used to justify non-compliance with the Data Protection Act 2018 in scenarios B and C, where the processing is purely personal and does not affect the rights and freedoms of others. However, the exemption cannot be used in scenarios A, D and E, where the processing has a professional or commercial element, or involves sharing personal data with third parties without consent or legitimate interest.Reference:

Data Protection Act 2018, Schedule 2, Part 1, Paragraph 21

ICO Guide to Data Protection, Domestic Purposes2

ICO Guide to Data Protection, Exemptions3


Question No. 2

What is the Employment Practices Code?

Show Answer Hide Answer
Correct Answer: A

The Employment Practices Code is a guidance document issued by the ICO that provides recommendations on how to comply with the data protection principles and the rights of data subjects when processing personal data in the context of employment. The code covers various aspects of employment practices, such as recruitment and selection, employment records, monitoring at work, and information about workers' health. The code is not legally binding, but it reflects the ICO's interpretation of the Data Protection Act and the UK GDPR, and it may be used as evidence in legal proceedings or investigations. The code is intended to help employers balance their legitimate interests in managing their workforce with the privacy rights of their workers.Reference:

The Employment Practices Code

Quick Guide to the Employment Practices Code


Question No. 3

Of the following options which is NOT a purpose of carrying out a Data Protection Impact Assessment (DPIA)?

Show Answer Hide Answer
Correct Answer: A

A DPIA is not required to fulfil the requirement that all DPIAs are submitted to the ICO, because this is not a requirement under the GDPR. The GDPR only requires that the controller consults the ICO before carrying out processing that is likely to result in a high risk to individuals, if the controller cannot mitigate that risk. This means that not all DPIAs need to be submitted to the ICO, only those that identify a high residual risk that cannot be reduced. The other options are valid purposes of carrying out a DPIA, as they help the controller to comply with the GDPR, ensure data protection by design and by default, and identify and mitigate the main risks to individuals' rights and freedoms.Reference:

Article 35 and 36 of the GDPR3

ICO guidance on DPIAs5


Question No. 4

Two businesses decide to work together to sell their products by mail order Orders are made via a single online website and they each use their existing employees to administer and update each other's orders on a single order system regardless of product.

Which of the below is CORRECT of the roles of the two businesses in relation to the single order system'?

Show Answer Hide Answer
Correct Answer: D

The two businesses are both joint controllers of the information contained in the single order system, because they jointly determine the purposes and means of the processing. They have a shared purpose of selling their products by mail order and they agree on the means of processing by using a single online website and a single order system. Their decisions complement each other and are necessary for the processing to take place. The processing by each party is inseparable and inextricably linked. Therefore, they meet the criteria for joint controllership under the GDPR.Reference:

Article 26 of the GDPR1

Guidelines 07/2020 on the concepts of controller and processor in the GDPR2, pp. 16-24


Question No. 5

A UK public body has a security breach, in which the details of a hundred thousand members of the public are published What is the MAXIMUM fine that they could receive for this breach?

Show Answer Hide Answer
Correct Answer: A

The UK GDPR and the Data Protection Act 2018 set a maximum fine of 17.5 million or 4% of annual global turnover, whichever is higher, for infringements of the data protection principles, the rights of data subjects, or the rules on transfers of personal data to third countries. This is the higher maximum penalty that applies to the most serious breaches of the UK GDPR. A security breach that exposes the details of a hundred thousand members of the public would likely fall under this category, as it would compromise the confidentiality and integrity of personal data, and potentially cause significant harm and distress to the data subjects. Therefore, the maximum fine that the UK public body could receive for this breach is 17.5 million or 4% of gross annual turnover, whichever is higher.Reference:

Penalties3

GDPR Penalties & Fines4

Three years of GDPR: the biggest fines so far5