European Data Protection History and Landscape (Domain I — 13%)
- Convention 108 / 108+ — Council of Europe
- Convention 108 (1981) was the first legally binding international treaty dedicated to data protection. It was produced by the Council of Europe, which is NOT an EU body, and it is NOT an EU instrument: it binds the Council of Europe's 46 member states, including non-EU countries, and is also open to accession by non-European states. It was modernised as Convention 108+ (amending protocol, 2018) to align with GDPR-era principles.
- Evolution: UDHR Art 12 (1948) → ECHR Art 8 (1950) → Convention 108 (1981) → Directive 95/46/EC (1995) → EU Charter of Fundamental Rights Arts 7 and 8 (binding since 2009) → GDPR (2016)
- The development of European data protection traces from the Universal Declaration of Human Rights (1948) through the European Convention on Human Rights (1950) to the first binding treaty (1981), then EU legislation (1995, 2018), with the Charter of Fundamental Rights making data protection a free-standing fundamental right in EU law (Art 8) once the Lisbon Treaty took effect in 2009.
- Directive 95/46/EC vs. GDPR — Key Difference
- Directive 95/46/EC required member state transposition into national law, producing divergent implementations; GDPR (Regulation (EU) 2016/679) is a Regulation, directly applicable in all EU member states without transposition, giving uniform rules across the bloc. Caveat: GDPR still contains opening clauses that allow national variation (e.g. the age of digital consent under Art 8, employment-context rules under Art 88), so 'uniform' does not mean 'identical'.
- GDPR Timeline: May 2016 (entered into force) → 25 May 2018 (became applicable)
- GDPR was published in the Official Journal on 4 May 2016 and entered into force on 24 May 2016, but organisations had a two-year transition period; it only became applicable (and therefore enforceable) from 25 May 2018. Know both dates, and know that 'entry into force' and 'application' are different events.
- ePrivacy Directive (2002/58/EC) — Lex Specialis
- The ePrivacy Directive (2002/58/EC, as amended by Directive 2009/136/EC, which introduced the current cookie consent rule in Art 5(3)) governs cookies and similar storage/access on terminal equipment, electronic direct marketing, confidentiality of communications, and traffic/location data. As lex specialis it takes precedence over GDPR within its specific scope (GDPR Art 95); where ePrivacy is silent, GDPR applies as the general law.
- ePrivacy Directive vs. ePrivacy Regulation
- The ePrivacy Directive is still in force as of 2026. The 2017 proposal for an ePrivacy Regulation to replace it was never adopted (the Commission announced its withdrawal in its 2025 work programme), so cookie consent rules derive from the Directive, as transposed into each member state's national law, not from the proposed Regulation.
- EU AI Act Risk Tiers
- The EU AI Act classifies AI systems into four tiers: Unacceptable risk (banned outright), High risk (strict compliance obligations), Limited risk (transparency obligations), Minimal risk (no specific requirements) — relevant to GDPR Article 22 scenarios.
- NIS2 Directive — Cybersecurity Intersection
- NIS2 establishes cybersecurity obligations for essential and important entities across EU member states. It intersects with GDPR Article 32 security obligations but is a distinct legal framework covering network and information system security, not data protection. Practitioner caveat: NIS2 has its own incident reporting clock (early warning within 24 hours, incident notification within 72 hours, final report within one month) that runs in parallel with, and does not replace, the GDPR Article 33 breach notification.
GDPR Core Definitions (Domain II — 31%)
- Personal Data (Article 4(1))
- Any information relating to an identified or identifiable natural person — 'identifiable' means the person can be identified directly or indirectly, particularly by reference to an identifier such as name, ID number, location data, or online identifier.
- Pseudonymisation vs. Anonymisation
- Pseudonymised data (Art 4(5): processed so it can no longer be attributed to a person without additional information that is kept separately, e.g. a key or lookup table) is still personal data under GDPR, because the controller or someone else can re-link it. Truly anonymous data falls entirely outside GDPR scope, but the test (Recital 26) is whether the person is identifiable by any means 'reasonably likely to be used' by the controller or anyone else, not whether the obvious identifiers were removed. Pseudonymisation reduces risk and is an Art 32 security measure, but it does NOT remove GDPR obligations; an unkeyed hash of an e-mail address, for example, is pseudonymisation at best, not anonymisation.
- Controller (Article 4(7))
- The natural or legal person that determines the PURPOSES and MEANS of processing personal data — bears primary responsibility for GDPR compliance including lawful basis, data subject rights, DPIAs, and breach notification to supervisory authorities.
- Processor (Article 4(8))
- The entity that processes personal data on behalf of and under the documented instructions of the controller. A processor must have a written Data Processing Agreement (Article 28), cannot engage sub-processors without the controller's prior specific or general written authorisation (Art 28(2)), and must notify the controller of breaches without undue delay (Art 33(2)). Caveat: a processor that determines purposes and means itself, i.e. goes beyond the controller's instructions, is treated as a controller for that processing (Art 28(10)).
- Joint Controllers (Article 26)
- When two or more entities jointly determine the purposes AND means of processing, they are joint controllers and must establish a transparent arrangement defining their respective responsibilities — each remains fully liable to data subjects for the entire processing.
- Profiling (Article 4(4))
- Any form of automated processing of personal data to evaluate personal aspects, particularly to analyze or predict aspects of a natural person — profiling is closely linked to Article 22 automated decision-making rights.
- Personal Data Breach (Article 4(12))
- A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data — includes confidentiality breaches (unauthorized access), integrity breaches (unauthorized alteration), and availability breaches (loss of access).
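The pseudonymisation versus anonymisation distinction above is easiest to see in code. The following is an added example, not part of the original guide: it uses keyed HMAC tokens as the pseudonymisation technique (the key is the "additional information" the controller keeps separately), shows why an unkeyed hash can be reversed by anyone holding a list of candidate identifiers, and contrasts both with a simple generalisation that yields k-anonymity over a constructed toy dataset. The records, key and field names are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (fictional people): one direct identifier plus
# quasi-identifiers that could single someone out in combination.
RECORDS = [
    {"email": "alice@example.org", "age": 34, "postcode": "SW1A 1AA", "diagnosis": "asthma"},
    {"email": "bob@example.org",   "age": 36, "postcode": "SW1A 2BB", "diagnosis": "none"},
    {"email": "carol@example.org", "age": 52, "postcode": "EC1A 1BB", "diagnosis": "diabetes"},
    {"email": "dave@example.org",  "age": 58, "postcode": "EC1A 7AA", "diagnosis": "none"},
]


def pseudonymise(records, key):
    """Replace the direct identifier with a keyed token (HMAC-SHA256).

    The key is the Art 4(5) 'additional information': kept separately, it lets the
    controller re-link tokens to people, so the output is still personal data."""
    out = []
    for r in records:
        token = hmac.new(key, r["email"].lower().encode(), hashlib.sha256).hexdigest()[:16]
        out.append({"subject_id": token, **{f: v for f, v in r.items() if f != "email"}})
    return out


def relink(subject_id, key, known_emails):
    """What the key holder can do: recompute tokens for identifiers it already
    holds and match. Without the key this search is infeasible."""
    for email in known_emails:
        if hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:16] == subject_id:
            return email
    return None


def unkeyed_hash(email):
    """The common mistake: a plain hash with no secret."""
    return hashlib.sha256(email.lower().encode()).hexdigest()[:16]


def reverse_unkeyed(token, candidate_emails):
    """Dictionary attack on an unkeyed hash: anyone with a list of plausible
    e-mail addresses (a marketing list, a breach dump) can reverse it, so plain
    hashing is not anonymisation."""
    for email in candidate_emails:
        if unkeyed_hash(email) == token:
            return email
    return None


def anonymise(records, k=2):
    """Drop the direct identifier and generalise quasi-identifiers (age to a
    decade band, postcode to its outward code) until every combination occurs
    at least k times (k-anonymity). No key exists, so the controller cannot
    re-link the output either."""
    out = [{"age_band": f"{(r['age'] // 10) * 10}s",
            "area": r["postcode"].split()[0],
            "diagnosis": r["diagnosis"]} for r in records]
    counts = Counter((r["age_band"], r["area"]) for r in out)
    if min(counts.values()) < k:
        raise ValueError("generalisation insufficient for k-anonymity")
    return out


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # would live in a separate key store
    emails = [r["email"] for r in RECORDS]
    pseud = pseudonymise(RECORDS, key)
    print("pseudonymised:", pseud[0])
    print("controller can re-link:", relink(pseud[0]["subject_id"], key, emails))
    print("unkeyed hash reversed:", reverse_unkeyed(unkeyed_hash(emails[1]), emails))
    print("anonymised:", anonymise(RECORDS, k=2))
```

The k-anonymity check is deliberately minimal: on a real dataset the Recital 26 test also has to consider attribute disclosure (a whole equivalence class sharing one diagnosis), linkage with other datasets and the cost of re-identification, which is why anonymisation is a risk assessment rather than a transformation.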
GDPR Principles and Lawful Bases (Domain II — 31%)
- Seven GDPR Principles (Article 5)
- Lawfulness/Fairness/Transparency, Purpose Limitation, Data Minimisation, Accuracy, Storage Limitation, Integrity and Confidentiality, and Accountability — every processing activity must comply with all seven principles simultaneously.
- Six Lawful Bases (Article 6)
- Consent (Art 6(1)(a)), Contract (Art 6(1)(b)), Legal Obligation (Art 6(1)(c)), Vital Interests (Art 6(1)(d)), Public Task (Art 6(1)(e)), Legitimate Interests (Art 6(1)(f)) — controllers must identify and document a lawful basis BEFORE processing begins.
- Consent Requirements (Articles 4(11), 7)
- Consent must be freely given, specific, informed, and unambiguous — must be as easy to withdraw as to give, cannot be bundled with terms of service, and the controller bears the burden of proving consent was validly obtained.
- Consent in Employment Context
- Employment consent is generally invalid because the power imbalance between employer and employee means consent cannot be freely given — payroll, benefits, and work-related processing should use contract performance or legal obligation as the lawful basis instead.
- Legitimate Interest Balancing Test (Article 6(1)(f))
- Three-step test: (1) identify the legitimate interest, (2) demonstrate necessity — processing is needed and no less intrusive alternative exists, (3) balance against the data subject's rights and freedoms — document the assessment; data subjects retain the right to object.
- Special Categories of Data (Article 9)
- Processing of racial/ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a person, health data, and sex life/sexual orientation is prohibited unless an Article 9(2) exception applies. Financial data is NOT a special category, and criminal conviction/offence data is governed separately by Article 10, not Article 9.
- Special Category Exceptions (Article 9(2)) — Key Examples
- Explicit consent, employment law obligations, vital interests, not-for-profit body (own members), manifestly public data, legal claims, substantial public interest, health/social care, public health, and archiving/research/statistics — explicit consent here is higher than Article 6 consent.
- Children's Consent (Article 8)
- For information society services offered directly to a child, consent of a child under 16 is valid only if given or authorised by the holder of parental responsibility; member states may lower this age to 13 but not below. Controllers must make reasonable efforts, taking available technology into account, to verify that parental consent was given.
Data Subject Rights (Domain II — 31%)
- Eight Data Subject Rights (Articles 15–22)
- Right of Access (Art 15), Rectification (Art 16), Erasure/Right to Be Forgotten (Art 17), Restriction of Processing (Art 18), Notification Obligation (Art 19, an obligation on the controller to tell recipients about rectification, erasure or restriction), Data Portability (Art 20), Object (Art 21), Automated Decision-Making Rights (Art 22). Under Art 12(3) the controller must respond without undue delay and at the latest within one month, extendable by two further months for complex or numerous requests provided the data subject is told within the first month.
- Right to Erasure — Not Absolute (Article 17)
- The right to erasure can be refused when processing is necessary for: freedom of expression, compliance with a legal obligation, public health tasks, archiving/research/statistical purposes, or establishing/exercising/defending legal claims — erasure is NOT an absolute right.
- Right to Restriction (Article 18) — Four Grounds
- Data subject may request restriction when: (1) accuracy is contested, (2) processing is unlawful but data subject opposes erasure, (3) controller no longer needs data but data subject needs it for legal claims, (4) data subject has objected pending verification of legitimate grounds.
- Right to Erasure vs. Right to Restriction
- Erasure means deletion; restriction means data is retained but NOT actively processed — restriction applies when the data subject wants data preserved (e.g., for legal claims) but does not want it used; the four grounds for restriction are distinct from erasure grounds.
- Data Portability (Article 20) — Narrow Conditions
- Data portability applies ONLY when: (1) data was PROVIDED by the data subject, (2) processing is by AUTOMATED means, (3) lawful basis is CONSENT or CONTRACT. The data must be supplied in a structured, commonly used and machine-readable format, and transmitted directly to another controller where technically feasible. It does NOT apply to data derived or inferred by the controller (scores, profiles) or to processing on other lawful bases.
- Right to Access vs. Right to Portability
- Access (Art 15) is broad — applies to ALL personal data regardless of how obtained or which lawful basis; Portability (Art 20) is narrow — only data provided by the data subject, automated processing, consent or contract basis — know the conditions that distinguish the two.
- Right to Object to Direct Marketing — Absolute (Article 21(2))
- The right to object to direct marketing processing is ABSOLUTE — the controller must stop marketing processing immediately without any balancing test; unlike the general right to object (Art 21(1)), there are no compelling legitimate grounds the controller can invoke.
- Automated Decision-Making (Article 22)
- Data subjects have the right not to be subject to decisions based SOLELY on automated processing that produce legal or similarly significant effects — exceptions: contract, law, or explicit consent; controller must then allow human review and enable data subject to express their view.
Security and Breach Notification (Domain II — 31%)
- Security of Processing (Article 32)
- Controllers and processors must implement appropriate technical and organisational measures; appropriateness is assessed considering the state of the art, implementation cost, the nature/scope/context/purposes of processing, and the risk to data subjects. Article 32(1) names pseudonymisation and encryption, ongoing confidentiality/integrity/availability/resilience, the ability to restore availability after an incident, and regular testing of the measures as examples, but none of them is mandated outright; the standard is risk-based.
- Breach Notification to Supervisory Authority (Article 33)
- Controllers must notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming AWARE of a breach, unless the breach is unlikely to result in a risk to rights and freedoms (so ANY risk triggers notification). The clock starts when the controller has a reasonable degree of certainty that a breach has occurred, even if its full scope is not yet confirmed; a notification made after 72 hours must be accompanied by reasons for the delay.
- Breach Notification to Data Subjects (Article 34)
- Controllers must notify affected data subjects WITHOUT UNDUE DELAY when a breach is likely to result in HIGH RISK to their rights and freedoms — notification can be avoided if data was encrypted, risk was subsequently eliminated, or individual notification requires disproportionate effort (public communication instead).
- Art 33 Threshold (RISK) vs. Art 34 Threshold (HIGH RISK)
- Article 33 threshold is lower — any risk triggers authority notification; Article 34 threshold is higher — only high risk triggers data subject notification; a breach can require supervisory authority notification but NOT require data subject notification.
- 72-Hour Clock Start Point
- The 72-hour deadline begins when the controller BECOMES AWARE; initial discovery with a reasonable degree of certainty constitutes awareness even if full details are not confirmed. Controllers may notify in phases (Art 33(4)) but cannot delay the initial notification pending a complete investigation. Separately, Art 33(5) requires the controller to document every breach, including those judged not notifiable, so the supervisory authority can verify the decision.
- Processor Breach Obligations
- A processor that becomes aware of a breach must notify the controller WITHOUT UNDUE DELAY — the processor does NOT notify the supervisory authority directly; the controller makes the supervisory authority notification decision and must do so within 72 hours of their own awareness.
Transparency and International Data Transfers (Domain III — 23%)
- Article 13 vs. Article 14 Transparency
- Article 13 applies when data is collected DIRECTLY from the data subject — information must be provided at the time of collection; Article 14 applies when data is obtained FROM A THIRD PARTY — information must be provided within one month (or first communication or first disclosure, whichever is sooner).
- International Transfer Mechanism Hierarchy (Chapter V)
- Transfers outside the EEA must use: (1) Adequacy decision (Commission-approved country), (2) Appropriate safeguards — SCCs, BCRs, codes of conduct, certification, (3) Derogations under Article 49 — this hierarchy must be followed in order.
- Adequacy Decisions — Current Examples
- Countries and territories with EU adequacy decisions include: Andorra, Argentina, Canada (commercial organisations under PIPEDA), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, South Korea, Switzerland, the UK (post-Brexit), Uruguay, and the United States under the EU-US Data Privacy Framework (DPF, adopted 10 July 2023 and limited to self-certified organisations).
- Standard Contractual Clauses (SCCs) — Four Modules
- The 2021 transfer SCCs (Commission Decision (EU) 2021/914) cover four data flow scenarios as selectable modules: Controller-to-Controller (C2C), Controller-to-Processor (C2P), Processor-to-Processor (P2P), Processor-to-Controller (P2C); the module must match the actual relationship of the parties. Do not confuse these with the separate Article 28 controller-processor standard clauses (Decision (EU) 2021/915), which cover the processing contract and are not a transfer mechanism.
- Schrems II — CJEU Ruling (2020)
- Schrems II (CJEU, Case C-311/18, 16 July 2020) invalidated Privacy Shield and established that SCCs alone do not automatically guarantee adequate protection. Data exporters must conduct a Transfer Impact Assessment (TIA) to evaluate whether the recipient country's surveillance and government-access laws undermine the SCC protections in practice, and must adopt supplementary measures or suspend the transfer if they do (EDPB Recommendations 01/2020).
- EU-US Data Privacy Framework (DPF) — 2023
- The DPF is an adequacy decision for US organizations that SELF-CERTIFY under the framework — it does NOT apply to all US companies; organizations must be on the DPF list for the adequacy decision to apply.
- Binding Corporate Rules (BCRs) — Intra-Group Only
- BCRs are internal data transfer rules for multinational corporate groups, approved by the competent supervisory authority — BCRs ONLY work for intra-group transfers within the same corporate family and CANNOT be used for transfers to unrelated third parties.
- Article 49 Derogations — Occasional Use Only
- Article 49 derogations (explicit consent, contract performance, important public interest, legal claims, vital interests, public register) are for OCCASIONAL transfers only — they CANNOT serve as the primary mechanism for systematic, large-scale international data transfers.
Scope, Accountability, and Enforcement (Domain IV — 17%)
- Territorial Scope — Three Criteria (Article 3)
- GDPR applies to: (1) Establishment: organisations with an EU establishment processing personal data in the context of that establishment's activities, regardless of where the processing itself takes place; (2) Targeting: non-EU organisations offering goods or services (paid or free) to data subjects in the EU; (3) Monitoring: non-EU organisations monitoring the behaviour of data subjects in the EU. The test is whether the data subjects are IN the Union, not whether they are EU citizens or residents.
- Targeting Criterion Indicators
- Evidence of targeting EU data subjects includes: use of EU languages or currencies, .eu domains, pricing in Euros, EU-specific promotions, or mentions of EU customers — using English and USD alone does not indicate EU targeting.
- DPIA Mandatory Triggers (Article 35)
- A DPIA is required BEFORE high-risk processing, including: (1) systematic extensive profiling with significant legal effects, (2) large-scale processing of special categories, (3) systematic monitoring of publicly accessible areas — must be completed before processing begins, not retroactively.
- DPIA Required Contents
- A GDPR Article 35 DPIA must include: description of processing and purposes, assessment of necessity and proportionality, identification of risks to data subjects, technical and organizational measures to mitigate risks, and the residual risk assessment — DPO consultation is required during the process.
- Prior Consultation (Article 36)
- If a DPIA shows residual risk remains HIGH after all mitigations, the controller must consult the supervisory authority before beginning processing — the SA has 8 weeks to respond (extendable to 14 weeks); processing cannot begin until the consultation period expires.
- DPO Mandatory Appointment Triggers (Article 37)
- A DPO is mandatory when: (1) a public authority or body processes personal data, (2) core activities involve large-scale systematic monitoring of individuals, or (3) core activities involve large-scale processing of special categories or criminal conviction data — private organizations not meeting these thresholds may voluntarily appoint a DPO.
- DPO Independence and Conflict of Interest (Article 38)
- The DPO must be independent and cannot hold a position that creates a conflict of interest — appointing the Head of IT as DPO is problematic because IT determines purposes and means of processing, conflicting with the DPO's oversight role; the DPO must report directly to the highest management level.
- Administrative Fines — Two Tiers (Article 83)
- Lower tier (Art 83(4)): up to 10 million EUR or 2% of total worldwide annual turnover, whichever is higher, for controller/processor obligation violations such as ROPA, DPIA, processor contracts, Art 32 security and Art 33/34 breach notification. Higher tier (Art 83(5)): up to 20 million EUR or 4% of total worldwide annual turnover, whichever is higher, for violations of the principles, lawful basis and consent conditions, data subject rights, or international transfer rules. Note that a security failure itself is lower tier, but the same incident often also evidences a higher-tier breach of the integrity and confidentiality principle (Art 5(1)(f)).
One-Stop-Shop and Supervisory Authority Cooperation (Domain IV — 17%)
- One-Stop-Shop Mechanism
- Organizations with cross-border processing in multiple EU member states deal primarily with ONE lead supervisory authority based on their main establishment — the lead SA coordinates with concerned SAs through cooperation and consistency procedures.
- Lead Supervisory Authority — How Determined
- The lead SA is identified by the location of the controller/processor's main establishment — the place of central administration in the EU, or where decisions about processing purposes/means are taken; for processors, it is the place of central administration.
- EDPB — European Data Protection Board
- The EDPB is the independent EU body that ensures consistent application of GDPR across member states; it issues binding decisions under the consistency mechanism (Art 65), guidelines, recommendations and best practices. It is composed of the head of one supervisory authority from each member state plus the European Data Protection Supervisor (EDPS), with the Commission participating without voting rights.
- EU Representative Requirement (Article 27)
- Non-EU controllers and processors subject to GDPR under the targeting or monitoring limb of Art 3(2) must designate, in writing, a representative established in one of the member states where the relevant data subjects are. The exception (Art 27(2)) is narrow: processing that is occasional, does not include large-scale special category or criminal data, and is unlikely to result in a risk; public authorities are also exempt.
- Records of Processing Activities — ROPA (Article 30)
- Controllers must maintain a written ROPA documenting: controller identity, processing purposes, categories of data subjects and personal data, recipients, international transfers, retention periods, and security measures — processors must maintain their own ROPA; Article 30 violations are lower-tier fines (2%/10M).
- ROPA Exemption — Small Organizations
- Organizations with fewer than 250 employees are EXEMPT from ROPA obligations UNLESS processing is likely to result in a risk to data subjects, processing is not occasional, or special category/criminal conviction data is involved — in practice, most organizations must maintain a ROPA.
Compliance in Specific Contexts (Domain V — 16%)
- Employment Data Processing
- Consent is generally invalid in employment due to the power imbalance; processing is typically based on contract performance, legal obligation, or legitimate interests — employee monitoring must be proportionate, necessary, and communicated to employees in advance.
- Video Surveillance (CCTV) — Compliance
- CCTV requires a lawful basis (usually legitimate interest), DPIA for systematic monitoring of public areas, prior transparency (visible signage), retention limits (typically 24-72 hours unless specific incident), and compliance with EDPB guidelines on video devices.
- Direct Marketing — ePrivacy Opt-In Requirement
- The ePrivacy Directive requires opt-in consent for electronic direct marketing (email, SMS, automated calls) to individuals — the soft opt-in exception allows marketing to existing customers for similar products/services if an opt-out was provided at collection and in every message.
- Soft Opt-In Exception — Three Conditions
- The soft opt-in for existing customers applies ONLY when: (1) the customer purchased similar products/services from the same company, (2) an opt-out was clearly provided at the time of original data collection, AND (3) every subsequent marketing message includes a clear opt-out — all three conditions must be met.
- Cookie Consent — Planet49 Ruling
- The CJEU Planet49 ruling (Case C-673/17, 2019) confirmed that pre-ticked boxes do NOT constitute valid consent for cookies: consent must be an active, affirmative action, and the user must be told the cookies' lifetime and whether third parties can access them. The Art 5(3) ePrivacy consent requirement applies to any storage of or access to information on the device, whether or not it is personal data. Strictly necessary cookies do not require consent, but analytics, marketing and preference cookies do, and scrolling, closing the banner or continuing to browse is not consent.
- Deceptive Design Patterns (Dark Patterns) — EDPB Guidelines
- EDPB Guidelines 03/2022 identify six deceptive design pattern categories that can render consent invalid or breach fairness and transparency: Overloading (overwhelming users with options or requests), Skipping (design that leads users to forget or skip the privacy aspects), Stirring (appeals to emotion or visual nudges), Obstructing (renamed Hindering in the final version: blocking or delaying privacy-protective choices), Fickle (inconsistent or unclear interface design), and Left in the dark (hiding information or controls).
- AI and GDPR — Article 22 Intersection
- Automated decision-making with legal or similarly significant effects triggers data subjects' Article 22 right to opt out, request human review, and express their view — AI-based profiling with such effects requires a DPIA and may need explicit consent or contract as the legal basis.
- Facial Recognition — High Risk Processing
- Facial recognition processes biometric data for unique identification (a special category under Article 9) and therefore requires explicit consent or another Article 9(2) exception, a mandatory DPIA under Article 35, and compliance with EU AI Act rules. Under the AI Act, real-time remote biometric identification in publicly accessible spaces for law enforcement is prohibited except in narrowly defined, authorised cases (e.g. targeted searches for victims or specific serious crimes), and most other remote biometric identification systems are classed as high risk.
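The consent requirements above (freely given, specific, unambiguous, as easy to withdraw as to give, with the controller carrying the burden of proof) and the Planet49 cookie point are easiest to get right when consent state is handled by one gate rather than scattered across tags. The following is an added example, not code from the original guide or any named product: a minimal consent manager that refuses pre-ticked optional categories and non-affirmative submissions, stores the evidence the controller would need to prove consent, fails closed for everything except strictly necessary cookies, and treats withdrawal as a single call. Category names, the notice version string and the visitor references are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, FrozenSet, Optional

# Cookie categories. Only the first may be set without consent (ePrivacy Art 5(3)
# "strictly necessary" exemption); the others need Art 4(11)/Art 7 consent.
STRICTLY_NECESSARY = "strictly_necessary"
OPTIONAL = ("preferences", "analytics", "marketing")


class ConsentError(ValueError):
    """Raised when a banner submission cannot count as valid consent."""


@dataclass(frozen=True)
class ConsentRecord:
    """What the controller keeps to meet the Art 7(1) burden of proof:
    who (pseudonymous reference), which purposes, which notice they saw, when."""
    subject_ref: str
    granted: FrozenSet[str]
    notice_version: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentManager:
    def __init__(self, notice_version: str,
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.notice_version = notice_version
        self._clock = clock
        self._records: Dict[str, ConsentRecord] = {}

    @staticmethod
    def initial_banner_state() -> Dict[str, bool]:
        """Planet49: nothing optional is selected before the user acts."""
        return {STRICTLY_NECESSARY: True, **{c: False for c in OPTIONAL}}

    def submit(self, subject_ref: str, shown_defaults: Dict[str, bool],
               final_choices: Dict[str, bool], affirmative_action: bool) -> ConsentRecord:
        """Record consent from a banner submission.

        shown_defaults:     checkbox state when the banner first appeared.
        final_choices:      checkbox state when the user pressed the button.
        affirmative_action: True only for an explicit accept/save click; scrolling,
                            closing the banner or continuing to browse is not consent."""
        if not affirmative_action:
            raise ConsentError("no affirmative action; treat as refusal")
        pre_ticked = [c for c in OPTIONAL if shown_defaults.get(c)]
        if pre_ticked:
            # A tick the user never made is not 'unambiguous'. Refuse rather than
            # record consent the controller could not prove.
            raise ConsentError(f"pre-ticked optional categories invalidate consent: {pre_ticked}")
        granted = frozenset(c for c in OPTIONAL if final_choices.get(c))
        rec = ConsentRecord(subject_ref, granted, self.notice_version, self._clock())
        self._records[subject_ref] = rec
        return rec

    def withdraw(self, subject_ref: str) -> Optional[ConsentRecord]:
        """Art 7(3): withdrawal is one call, with no re-authentication or extra steps."""
        rec = self._records.get(subject_ref)
        if rec is None or rec.withdrawn_at is not None:
            return rec
        rec = ConsentRecord(rec.subject_ref, rec.granted, rec.notice_version,
                            rec.granted_at, withdrawn_at=self._clock())
        self._records[subject_ref] = rec
        return rec

    def may_set(self, subject_ref: str, category: str) -> bool:
        """Gate every cookie or tag behind this. Fails closed for anything optional."""
        if category == STRICTLY_NECESSARY:
            return True
        rec = self._records.get(subject_ref)
        if rec is None or rec.withdrawn_at is not None:
            return False
        if rec.notice_version != self.notice_version:
            # Consent is specific to the purposes described at the time; a changed
            # notice needs fresh consent rather than a silent carry-over.
            return False
        return category in rec.granted


if __name__ == "__main__":
    cm = ConsentManager(notice_version="cookie-notice-v1")
    defaults = ConsentManager.initial_banner_state()
    cm.submit("visitor-1", defaults, {**defaults, "analytics": True}, affirmative_action=True)
    print("analytics allowed:", cm.may_set("visitor-1", "analytics"))   # True
    print("marketing allowed:", cm.may_set("visitor-1", "marketing"))   # False
    cm.withdraw("visitor-1")
    print("after withdrawal:", cm.may_set("visitor-1", "analytics"))    # False
```

The `notice_version` check is the part teams most often omit: when the purposes or the third parties listed in the notice change, the old record no longer evidences consent to the new processing, so the gate closes until the banner is shown again.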
Key Exam Distinctions and High-Risk Traps
- Council of Europe vs. EU Council (Critical Distinction)
- Convention 108 was produced by the COUNCIL OF EUROPE — a separate international organization with 46 member countries that includes but is broader than the EU; the EU Council (Council of the European Union) is an EU institution — these are different bodies.
- Consent vs. Legitimate Interest — Best Basis Test
- Consent is NOT the default or 'safest' lawful basis — in B2B contexts and situations where you can pass a legitimate interest balancing test, legitimate interest is often more appropriate; the exam tests scenarios where consent appears obvious but another basis is actually correct.
- LIA vs. DPIA (Exam Trap)
- A Legitimate Interest Assessment (LIA) assesses WHETHER legitimate interest is a valid lawful basis — it tests the balancing of controller interest vs. data subject rights; a DPIA assesses the RISK TO DATA SUBJECTS from a processing activity — they serve different purposes and both may be required for the same processing.
- SCCs Do Not Guarantee Adequacy Post-Schrems II
- SCCs alone are NOT sufficient after Schrems II — exporters must conduct a Transfer Impact Assessment, and if the recipient country's laws (surveillance powers, government access) undermine SCC protections, supplementary measures (encryption, pseudonymization) must be implemented.
- DPIA Must Be Completed BEFORE Processing Begins
- A DPIA is a pre-processing obligation — beginning high-risk processing without a DPIA violates Article 35(1) even if a DPIA is conducted afterwards; retroactive DPIAs are non-compliant.
- One-Stop-Shop Only for Cross-Border Processing
- The one-stop-shop mechanism applies ONLY to cross-border processing (affecting multiple EU member states) — purely local or national processing is handled exclusively by the local supervisory authority, not the lead SA.
- 4% Fine Is Based on Worldwide Group Turnover
- The Article 83(5) maximum fine of 4% (or 20 million EUR, whichever is higher) is calculated on the TOTAL WORLDWIDE annual turnover of the preceding financial year of the 'undertaking', which Recital 150 ties to the competition-law concept of a single economic unit, i.e. the whole corporate group, not just the EU subsidiary's or local entity's revenue. This is often much larger than organisations expect.