
PDPF Exam Information and Outline
Privacy and Data Protection Foundation
PDPF Exam Syllabus & Study Guide
Before you start practicing with our exam simulator, it is essential to understand the official PDPF exam objectives. This course outline serves as your roadmap, breaking down exactly which technical domains and skills will be tested. By reviewing the syllabus, you can identify your strengths and focus your study time on the areas where you need the most improvement.
The information below reflects the latest 2026 course contents as defined by Exin. We provide this detailed breakdown to help you align your preparation with the actual exam format, ensuring there are no surprises on test day. Use this outline as a checklist to track your progress as you move through our practice question banks.
Below is the complete list of topics from the latest syllabus and course outline, giving you a clear picture of the exam objectives and the topics you need to prepare. These contents are covered by our pool of exam questions and answers.
Exam Code: PDPF
Exam Name: Privacy and Data Protection Foundation
Number of questions: 40
Time allotted: 60 minutes
Passing mark: 65% (i.e. at least 26 out of 40 correct)
Question format: Multiple-choice (one correct answer per question)
1. Privacy fundamentals & regulation
- Definitions of privacy (7.5%)
  - Recall privacy-related definitions according to the GDPR
  - Relate privacy to the concept of data protection
  - Describe the context of Union and Member State law
- Personal data (12%)
  - Give a definition of personal data according to the GDPR
  - Make a distinction between personal data and special categories such as sensitive personal data
  - Describe the data subject's rights regarding personal data
  - Describe processing of personal data
  - List the roles, responsibilities and stakeholders
- Legitimate grounds and purpose limitation (5%)
  - List the six legitimate grounds
  - Describe the purpose specifications
  - Describe proportionality and subsidiarity
- Further requirements for legitimate processing of personal data (5%)
  - Describe the requirements for data processing
  - Describe the purpose of personal data processing
  - Describe the principles relating to processing of personal data
- Rights of data subjects (5%)
  - Describe the rights regarding data portability and the right of inspection
  - Be aware of the right to be forgotten
- Data breach and related procedures (10%)
  - Describe the concept of a data breach
  - Explain the procedures on how to act when a data breach occurs
  - Give categories of data breaches
  - Describe the difference between a security breach (incident) and a data breach
  - Mention the relevant stakeholders that should be informed
2. Organizing data protection
- Importance of data protection for the organization (13%)
  - List the different types of administration
  - Indicate what activities are required to comply with the GDPR
  - Give a definition of data protection by design and by default
  - Give examples of data breaches
  - Describe the data breach notification obligation as laid down in the GDPR
  - Describe enforcement of the rules by issuing penalties, including administrative fines
- Data protection authorities (7.5%)
  - Describe the general responsibilities of a Data Protection Authority
  - Describe the role and responsibility of a Data Protection Authority related to data breaches
  - Describe how a Data Protection Authority applies the GDPR
- Personal data transfer to third countries (7.5%)
  - Data transfer inside the EEA
  - Data transfer outside the EEA
  - Data transfer between the EEA and the USA
- Binding corporate rules and privacy in contracts (7.5%)
  - Describe the concept of binding corporate rules (BCR)
  - Describe how privacy is formalized in written contracts between the controller and the processor
  - Mention the clauses of such a written contract
3. Practice of data protection
- Privacy by design and privacy by default related to information security (5%)
  - Describe the benefits of applying the principles of privacy by design and privacy by default
  - Describe the seven principles of privacy by design
  - Describe the relation between privacy and information security
- Privacy impact assessment (PIA) and privacy audit (5%)
  - Outline what a PIA comprises and when to apply a PIA
  - Mention the eight objectives of a PIA
  - List the topics of a PIA report
  - Define the purpose of an audit
  - List the contents of an audit plan
- Practice-related applications of the use of data, marketing and social media (10%)
  - Describe the purpose of Data Life Cycle (DLC) management
  - Explain data retention and minimization
  - Describe what a cookie is and what it does
  - Describe, from a data privacy perspective, how the widespread use of the internet has affected the field of marketing
  - Give examples of how social media information is used for marketing activities
TERMINOLOGY
- adequate
- appropriate technical and organizational measures
- authenticity
- availability
- binding
- binding corporate rules
- biometric data
- certification
- certification bodies
- child's consent
- codes of conduct
- collection of personal data (verb.)
- commission reports
- complaint
- compliance
- conditions for consent
- consent
- consistency
- consistency mechanism
- constitution
- contract
- controller
- cross-border processing
- data breach
- data concerning health
- data controller
- data protection
- data protection by default
- data protection by design
- data protection impact assessment
- data protection officer
- data subject
- data transfer
- delegated acts and implementing acts
- derogation
- enforcement
- enterprise
- European Economic Area (EEA)
- European Data Protection Supervisor (EDPS)
- European Union legal acts on data protection
- exchange of information
- exemption
- explicit consent
- genetic data
- filing system
- General Data Protection Regulation (GDPR)
- governing body
- group of undertakings
- independent supervisory authorities
- information society service
- international organization
- joint controllers
- judicial remedy
- lawfulness of processing
- legal basis
- legitimate ground (GDPR article 17/1c, article 18/1d, article 21/1) and legitimate basis (GDPR article 40)
- legitimate interest
- liability
- main establishment
- material scope
- National Identification Number
- non-repudiation
- opinion of the board
- personal data
- personal data breach
- personal data relating to criminal convictions and offences
- principles relating to processing of personal data
- prior consultation
- processing
- processing situations
- processing which does not require identification
- processor
- profiling
- pseudonymization
- recipient
- relevant and reasoned objection
- representative
- restriction of processing
- retention period
- right to compensation
- rights of the data subject
- rules of procedure
- security breach (security incident)
- security of personal data
- security of processing
- sensitive data
- special categories of personal data
- Supervisory Authority
- Supervisory Authority concerned
- suspension of proceedings
- territorial scope
- third party
- transfer of personal data to third countries and to international organizations