Chapter 17 Quiz: Data Privacy, GDPR, and Cross-Border Data Compliance
Instructions: Select the single best answer for each question. Answers and explanations follow at the end of the quiz.
Questions
1. A UK challenger bank processes customer transaction data in order to execute payment instructions. Which lawful basis under Article 6 of the UK GDPR is most appropriate?
A. Consent B. Contract C. Legal obligation D. Legitimate interests
2. Under GDPR Article 12(3), within what maximum period must a controller ordinarily respond to a Subject Access Request (Article 15)?
A. 14 days B. 21 days C. 30 days D. 60 days
3. A customer submits a request to erase all personal data a bank holds about them. The bank has an obligation under the UK Money Laundering Regulations 2017 to retain customer due diligence records for five years after the end of the customer relationship. How should the bank respond?
A. Erase all data immediately to comply with the right to erasure under GDPR B. Refuse the erasure request in its entirety, citing legal obligation, and retain all data for five years C. Erase data not covered by the mandatory retention obligation while retaining AML records, citing Article 17(3)(b) D. Seek the customer's consent to continue retaining the data
4. Under GDPR Article 33, what is the maximum period within which a controller must notify the supervisory authority of a personal data breach that is likely to result in risk to individuals?
A. 24 hours B. 48 hours C. 72 hours D. 7 calendar days
5. The Court of Justice of the European Union judgment in Data Protection Commissioner v. Facebook Ireland Limited and Maximilian Schrems (C-311/18), decided in July 2020 and known as "Schrems II," had which of the following principal outcomes?
A. It invalidated the use of Standard Contractual Clauses for cross-border data transfers B. It invalidated the EU-US Privacy Shield and upheld SCCs in principle while requiring Transfer Impact Assessments C. It invalidated the EU-US Privacy Shield and prohibited all data transfers to the United States D. It created the EU-US Data Privacy Framework as a replacement for Privacy Shield
6. The EU-US Data Privacy Framework (DPF) was adopted by the European Commission in:
A. July 2020, immediately following the Schrems II judgment B. September 2021, following the adoption of new Standard Contractual Clauses C. July 2023, following Executive Order 14086 and the establishment of the Data Protection Review Court D. January 2024, following review by the European Parliament
7. Under GDPR Article 17(3), which of the following is a valid exception to the right to erasure?
A. The controller finds deletion technically inconvenient B. The controller has a legitimate commercial interest in retaining the data C. Processing is necessary for compliance with a legal obligation to which the controller is subject D. The data was collected more than three years ago
8. A financial services firm is planning to implement a new AI-powered credit scoring system that will make automated decisions with significant legal effects on customers, using large volumes of personal transaction data. Under GDPR Article 35, which of the following is required before the system is deployed?
A. Supervisory authority approval B. A Data Protection Impact Assessment (DPIA) C. Individual consent from every customer who will be scored D. A Transfer Impact Assessment (TIA)
9. Under the GDPR, what is the distinction between a "controller" and a "processor"?
A. A controller processes data using automated systems; a processor processes data manually B. A controller is a public authority; a processor is a private organisation C. A controller determines the purposes and means of processing; a processor processes data on behalf of and under the instructions of the controller D. A controller is located in the EU; a processor may be located outside the EU
10. A European bank transfers personal data of EU customers to its US parent company's servers. Following Schrems II, and prior to the adoption of the EU-US DPF, what was the primary mechanism enabling this transfer to proceed lawfully?
A. Safe Harbor agreement B. EU-US Privacy Shield C. Standard Contractual Clauses with a Transfer Impact Assessment D. Binding Corporate Rules alone, without any additional assessment
11. Verdant Bank's customer D.K. has submitted a Subject Access Request. D.K. is also the subject of an active Suspicious Activity Report filed with the National Crime Agency. Which UK legal provision permits Verdant Bank to withhold the AML SAR-related data from the access response?
A. GDPR Article 17(3)(e) — legal claims exception B. DPA 2018 Schedule 2, Part 1, paragraph 2 — crime and taxation exemption C. GDPR Article 6(1)(c) — legal obligation lawful basis D. POCA 2002 section 333A — tipping-off prohibition only
12. A bank uses a third-party cloud provider to process customer data on its behalf. The cloud provider follows the bank's instructions and has no independent say in the purpose of processing. Under GDPR, the cloud provider is best characterised as:
A. A joint controller B. An independent controller C. A data broker D. A processor
13. Which of the following processing activities would typically require reliance on GDPR Article 9(2) (conditions for special category data) in addition to a lawful basis under Article 6?
A. Processing customer home addresses for account management purposes B. Processing biometric facial recognition data for digital onboarding identity verification C. Processing transaction history for AML monitoring D. Processing customer income data for mortgage affordability assessment
14. Under the UK adequacy framework post-Brexit, which body is responsible for making adequacy decisions determining that a third country provides adequate protection for UK personal data?
A. The ICO (Information Commissioner's Office) B. The European Commission C. The UK Secretary of State (Department for Science, Innovation and Technology) D. The Financial Conduct Authority
15. Which of the following Privacy-Enhancing Technologies (PETs) enables machine learning models to be trained across multiple institutions' datasets without the underlying personal data leaving each institution's own infrastructure?
A. Differential privacy B. Synthetic data C. Federated learning D. Pseudonymisation
16. A UK bank's customer requests portability of their current account transaction data under GDPR Article 20. Which of the following conditions must be met for the portability right to apply?
A. The processing must be based on legitimate interests and involve special category data B. The processing must be based on consent or contract, and carried out by automated means C. The processing must have been carried out for more than 12 months D. The customer must be able to demonstrate a specific technical need for the data
Answer Key and Explanations
1. B — Contract
Executing payment instructions is necessary for the performance of the contract between the bank and the customer: the customer opens an account and the bank's core obligation is to process their transactions, so processing transaction data to execute payments is squarely within Article 6(1)(b). Consent (A) would be inappropriate because the processing is necessary for the contract, and consent can be withdrawn at any time, which would leave the bank unable to perform an obligation it is still bound by. Legal obligation (C) applies to specific aspects of transaction processing (e.g., sanctions screening or AML record-keeping), but the primary basis for executing the payment itself is contract. Legitimate interests (D) is a fallback basis that is not needed where contract applies.
2. C — 30 days
GDPR Article 12(3) requires the controller to provide information on action taken on a request without undue delay and in any event within one month of receipt; 30 days is the closest option. Where requests are complex or numerous, the period may be extended by a further two months (three months in total), but the data subject must be told of the extension, and the reasons for it, within the first month. 14 days (A) and 21 days (B) are shorter than any GDPR period, and 60 days (D) matches neither the basic one-month period nor the extended three-month total.
3. C — Erase data not covered by mandatory retention obligation, citing Article 17(3)(b)
Article 17(3)(b) provides that the right to erasure does not apply where processing is necessary "for compliance with a legal obligation which requires processing by Union or Member State law" (in the UK GDPR, "domestic law"). The UK MLR 2017 obligation to retain CDD records for five years after the end of the relationship overrides the erasure right for that specific data. However, the exemption covers only what the law actually requires to be retained: the bank must still erase data outside the mandatory retention scope (e.g., marketing preferences, optional data captured beyond regulatory requirements), and should be able to map each retained record to the provision that requires it. Option B (refuse in its entirety) is overbroad. Option A would breach the legal obligation. Option D is procedurally incorrect: consent is not required, and it would not create a lawful basis for retention that displaces a legal obligation.
4. C — 72 hours
GDPR Article 33(1) requires notification to the competent supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware of it", unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The clock starts when the controller becomes aware, that is, has a reasonable degree of certainty that a security incident has compromised personal data; a processor must notify the controller without undue delay (Article 33(2)). If notification is made after 72 hours, it must be accompanied by reasons for the delay. The 24-hour figure (A) comes from sector regulation rather than the GDPR: the FCA expects material operational incidents to be reported on a much shorter timescale, so a bank may face concurrent reporting clocks for the same event. Seven calendar days (D) was the standard under some prior frameworks but is not the GDPR requirement.
5. B — Invalidated EU-US Privacy Shield and upheld SCCs in principle while requiring Transfer Impact Assessments
The CJEU in Schrems II (C-311/18): (1) declared the EU-US Privacy Shield adequacy decision invalid, finding that US surveillance law (particularly FISA Section 702 and EO 12333) did not provide essentially equivalent protection; (2) upheld SCCs in principle as a valid transfer mechanism; but (3) required data exporters to conduct case-by-case Transfer Impact Assessments to verify that SCCs provide effective protection given the destination country's legal framework. Option A is incorrect — SCCs were upheld. Option C is incorrect — transfers to the US remain possible under SCCs. Option D is incorrect — the DPF was not created by Schrems II; it was adopted in 2023.
6. C — July 2023, following Executive Order 14086 and the establishment of the Data Protection Review Court
The EU-US Data Privacy Framework adequacy decision was adopted by the European Commission on 10 July 2023. It followed US President Biden's Executive Order 14086 (October 2022), which introduced new safeguards for US signals intelligence activities and established a two-tier redress mechanism for EU data subjects: initial review by the Civil Liberties Protection Officer of the Office of the Director of National Intelligence, with the newly created Data Protection Review Court (DPRC) as the second tier. Options A, B, and D are all incorrect dates.
7. C — Processing is necessary for compliance with a legal obligation
Article 17(3)(b) specifically provides that the right to erasure does not apply where "processing is necessary for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject." This is the primary exception relied upon in financial services to resist erasure requests for AML, regulatory reporting, and other legally required data. Technical inconvenience (A) is not a valid exception. A legitimate commercial interest (B) is not a listed exception and would not override the erasure right. The age of the data (D) is irrelevant to the exceptions framework.
8. B — A Data Protection Impact Assessment (DPIA)
Article 35(3)(a) specifically identifies as requiring a mandatory DPIA "a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person." An AI credit scoring system making consequential automated decisions fits this description precisely. Supervisory authority approval (A) is required only if the DPIA reveals high residual risk that cannot be mitigated (Article 36 prior consultation); it is not the first step. Consent (C) may be required for certain purposes but is not specifically triggered by the automated decision-making scenario described. TIA (D) relates to cross-border transfers, not automated decision-making.
9. C — A controller determines purposes and means; a processor processes on behalf of the controller
GDPR Article 4(7) defines "controller" as the entity that "alone or jointly with others, determines the purposes and means of the processing." Article 4(8) defines "processor" as an entity that "processes personal data on behalf of the controller." The distinction is functional and factual — it depends on who actually makes decisions about why and how data is processed, not on whether processing is automated (A), whether the entity is public or private (B), or where it is established (D).
10. C — Standard Contractual Clauses with a Transfer Impact Assessment
Following Schrems II in July 2020, Privacy Shield (B) was invalid and Safe Harbor (A) had already been invalidated by Schrems I in 2015. SCCs remained valid in principle but required Transfer Impact Assessments to verify their effectiveness given the US legal framework. BCRs alone (D) without additional assessment do not address the fundamental concern Schrems II raised about US surveillance law — BCRs bind the corporate group but cannot override US government access to data.
11. B — DPA 2018 Schedule 2, paragraph 14 — crime and taxation exemption
The DPA 2018 Schedule 2, Part 1, paragraph 2 disapplies the listed UK GDPR provisions, including the right of access, to personal data processed for the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of a tax or duty, to the extent that applying them would be likely to prejudice those matters. Disclosing that a SAR has been filed would prejudice the investigation, so this is the provision that permits withholding SAR-related data from the access response. The exemption is applied case by case and only as far as necessary: the remainder of the access request must still be answered, and the bank is not required to tell the customer that the exemption has been applied where doing so would itself prejudice the investigation. Option D (POCA 2002 s.333A) prohibits tipping off but does not itself create a UK GDPR exemption; it explains why the exemption is needed, but the legal mechanism for withholding the data is the DPA 2018 Schedule 2 exemption. Option A (Art. 17(3)(e)) relates to legal claims, not access exemptions. Option C (Art. 6(1)(c)) is the lawful basis for the processing, not an exemption from the access right.
12. D — Processor
The cloud provider processes data on behalf of the bank, following the bank's instructions, with no independent determination of processing purposes. This is precisely the GDPR Article 4(8) definition of a processor. A joint controller (A) would exist where two or more entities jointly determine the purposes and means of processing. An independent controller (B) would determine its own purposes independently. A data broker (C) is not a defined GDPR category and does not describe this relationship.
13. B — Biometric facial recognition data
GDPR Article 4(14) defines "biometric data" as "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person." Biometric data used for the purpose of uniquely identifying a person (including facial recognition for identity verification) is special category data under Article 9(1), requiring both a lawful basis under Article 6 and a condition under Article 9(2). Home addresses (A), transaction history (C), and income data (D) are standard personal data, not special category data.
14. C — The UK Secretary of State (Department for Science, Innovation and Technology)
Post-Brexit, the power to make UK adequacy decisions — determining that third countries provide adequate protection for UK personal data — rests with the UK Secretary of State, specifically within the Department for Science, Innovation and Technology (previously DCMS). The ICO (A) is the supervisory authority but does not make adequacy decisions. The European Commission (B) makes adequacy decisions under EU GDPR, not UK GDPR. The FCA (D) is the UK financial services regulator, not the data protection authority.
15. C — Federated learning
Federated learning is a machine learning approach in which a model is trained across decentralised data sources. Instead of moving data to a central location, each participant trains on its own data and sends only model updates (parameters or gradients) to a coordinator, which aggregates them into a global model; the underlying personal data never leaves the participant's infrastructure. This is particularly valuable for cross-institution applications such as AML and fraud detection, where data cannot lawfully be pooled but signal across institutions would improve model accuracy. Note the practitioner's caveat: model updates can themselves leak information about the training data, so federated learning is usually combined with secure aggregation or differential privacy rather than relied on alone. Differential privacy (A) adds calibrated noise to statistical outputs and can be combined with federated learning, but does not itself keep data at source. Synthetic data (B) generates artificial data sets and does not train across real distributed data. Pseudonymisation (D) replaces identifiers but still involves the data moving.
16. B — Processing must be based on consent or contract, and carried out by automated means
Article 20(1) conditions the portability right on: (1) processing based on consent (Article 6(1)(a)) or contract (Article 6(1)(b)); and (2) processing carried out by automated means. Current account transaction data processed to manage the customer's account (contract basis, automated systems) satisfies both conditions. The portability right does not depend on: the processing basis being legitimate interests or special category involvement (A); the duration of processing (C); or the customer demonstrating a specific technical need (D).
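To make the mechanism behind answer 15 concrete, the following is an added example written for this quiz, not code from the chapter or from any product it mentions. It simulates federated averaging (FedAvg) on a toy linear model: three hypothetical institutions (bank_a, bank_b, bank_c) each hold constructed records that are never returned from their own object, and the coordinating server sees only parameter vectors, which its audit log records. Everything is plain Python; the model, data and institution names are assumptions for illustration, and the example deliberately omits secure aggregation and differential privacy, which is why the caveat above still applies.

```python
"""Toy federated averaging (FedAvg) in plain Python.

Added example: three hypothetical institutions hold constructed records that
never leave their own object; only model parameters travel to the server.
"""
import random


def make_records(seed, n, w_true=2.0, b_true=0.5):
    """Constructed sample data: y = w_true*x + b_true plus small noise."""
    rng = random.Random(seed)
    records = []
    for _ in range(n):
        x = rng.uniform(-1.0, 1.0)
        records.append((x, w_true * x + b_true + rng.gauss(0.0, 0.05)))
    return records


class Institution:
    """Holds its records privately; its only outputs are model parameters."""

    def __init__(self, name, records):
        self.name = name
        self._records = records  # raw records are never returned by any method

    def record_count(self):
        return len(self._records)

    def local_train(self, w, b, lr=0.1, epochs=5):
        """Full-batch gradient descent on mean squared error, run locally."""
        n = len(self._records)
        for _ in range(epochs):
            grad_w = grad_b = 0.0
            for x, y in self._records:
                err = (w * x + b) - y
                grad_w += 2.0 * err * x / n
                grad_b += 2.0 * err / n
            w -= lr * grad_w
            b -= lr * grad_b
        return w, b


class Server:
    """Aggregates parameters and logs every message it receives for audit."""

    def __init__(self):
        self.received = []  # (institution name, local w, local b) per round

    def federated_round(self, institutions, w, b):
        total = sum(inst.record_count() for inst in institutions)
        agg_w = agg_b = 0.0
        for inst in institutions:
            local_w, local_b = inst.local_train(w, b)
            self.received.append((inst.name, local_w, local_b))
            weight = inst.record_count() / total  # FedAvg weights by data size
            agg_w += weight * local_w
            agg_b += weight * local_b
        return agg_w, agg_b


def run_fedavg(rounds=30):
    """Train a shared model across three institutions; return (w, b, audit log)."""
    institutions = [
        Institution("bank_a", make_records(1, 40)),
        Institution("bank_b", make_records(2, 60)),
        Institution("bank_c", make_records(3, 20)),
    ]
    server = Server()
    w, b = 0.0, 0.0
    for _ in range(rounds):
        w, b = server.federated_round(institutions, w, b)
    return w, b, server.received


if __name__ == "__main__":
    w, b, log = run_fedavg()
    print(f"global model: w={w:.3f} b={b:.3f}; "
          f"server received {len(log)} parameter messages and no records")
```

Running it shows the global model converging to the constructed ground truth (w near 2.0, b near 0.5) while the server's log contains only 90 three-field parameter messages (three institutions times 30 rounds) and no (x, y) records. The weighting by record count is the standard FedAvg rule; the per-round parameter messages are also exactly the surface a secure aggregation protocol would protect in a production deployment.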
Score Interpretation
| Score | Interpretation |
|---|---|
| 14–16 correct | Excellent. Strong command of GDPR fundamentals and financial services specifics. |
| 11–13 correct | Good. Sound understanding with some gaps; review missed questions carefully. |
| 8–10 correct | Adequate. Core concepts understood; revisit cross-border transfers, exemptions, and data subject rights. |
| 5–7 correct | Developing. Review sections 17.1–17.6 in the main chapter before moving forward. |
| 0–4 correct | Foundational gaps. Complete re-reading of the chapter is recommended. |