• Home
  • BCS
  • PDP9: BCS Practitioner Certificate in Data Protection

BCS PDP9 Exam Dumps

Get All BCS Practitioner Certificate in Data Protection Exam Questions with Validated Answers

PDP9 Pack
Vendor: BCS
Exam Code: PDP9
Exam Name: BCS Practitioner Certificate in Data Protection
Exam Questions: 40
Last Updated: April 6, 2026
Related Certifications: Information security and data protection certifications
Exam Tags:
Gurantee
  • 24/7 customer support
  • Unlimited Downloads
  • 90 Days Free Updates
  • 10,000+ Satisfied Customers
  • 100% Refund Policy
  • Instantly Available for Download after Purchase

Get Full Access to BCS PDP9 questions & answers in the format that suits you best

PDF Version

$40.00
$24.00
  • 40 Actual Exam Questions
  • Compatible with all Devices
  • Printable Format
  • No Download Limits
  • 90 Days Free Updates

Discount Offer (Bundle pack)

$80.00
$48.00
  • Discount Offer
  • 40 Actual Exam Questions
  • Both PDF & Online Practice Test
  • Free 90 Days Updates
  • No Download Limits
  • No Practice Limits
  • 24/7 Customer Support

Online Practice Test

$30.00
$18.00
  • 40 Actual Exam Questions
  • Actual Exam Environment
  • 90 Days Free Updates
  • Browser Based Software
  • Compatibility:
    supported Browsers

Pass Your BCS PDP9 Certification Exam Easily!

Looking for a hassle-free way to pass the BCS Practitioner Certificate in Data Protection exam? DumpsProvider provides the most reliable Dumps Questions and Answers, designed by BCS certified experts to help you succeed in record time. Available in both PDF and Online Practice Test formats, our study materials cover every major exam topic, making it possible for you to pass potentially within just one day!

DumpsProvider is a leading provider of high-quality exam dumps, trusted by professionals worldwide. Our BCS PDP9 exam questions give you the knowledge and confidence needed to succeed on the first attempt.

Train with our BCS PDP9 exam practice tests, which simulate the actual exam environment. This real-test experience helps you get familiar with the format and timing of the exam, ensuring you're 100% prepared for exam day.

Your success is our commitment! That's why DumpsProvider offers a 100% money-back guarantee. If you don’t pass the BCS PDP9 exam, we’ll refund your payment within 24 hours no questions asked.
 

Why Choose DumpsProvider for Your BCS PDP9 Exam Prep?

  • Verified & Up-to-Date Materials: Our BCS experts carefully craft every question to match the latest BCS exam topics.
  • Free 90-Day Updates: Stay ahead with free updates for three months to keep your questions & answers up to date.
  • 24/7 Customer Support: Get instant help via live chat or email whenever you have questions about our BCS PDP9 exam dumps.

Don’t waste time with unreliable exam prep resources. Get started with DumpsProvider’s BCS PDP9 exam dumps today and achieve your certification effortlessly!

Free BCS PDP9 Exam Actual Questions

Question No. 1

Which of the following is NOT a processor obligation?

Show Answer Hide Answer
Correct Answer: C

Providing the controller with corporate information relating to its board members is not a processor obligation under the GDPR. The processor obligations under the GDPR are mainly the following:

To process the personal data only on documented instructions from the controller, unless required by law;

To ensure that persons authorised to process the personal data are bound by confidentiality;

To implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk;

To not engage another processor without the prior authorisation of the controller;

To assist the controller in fulfilling its obligations regarding data subject rights, data protection impact assessments, prior consultations, and data breach notifications;

To delete or return the personal data to the controller at the end of the service, unless required by law to store the data;

To make available to the controller all information necessary to demonstrate compliance and allow for audits and inspections.Reference:

Article 28 of the GDPR1

Guidelines 07/2020 on the concepts of controller and processor in the GDPR2, pp. 37-41


Question No. 2

An individual applies for a job as a security guard The employer has had significant issues with the sickness record of past recruits They therefore decide to offer the position to the individual on the basis they request a copy of their medical record so that the employer can be assured that they are in a good state of health.

The Data Protection Officer has been asked to advise. What advice is MOST appropriate?

Show Answer Hide Answer
Correct Answer: D

The Data Protection Act 2018 (DPA 2018) makes it a criminal offence for a person to require another person to make a subject access request for information about their health, convictions or cautions, or spent convictions, and to provide that information to the first person or a third person, as a condition of providing or offering to provide goods, facilities or services, or as a condition of entering into or continuing a contract. This is known as an enforced subject access request. The employer in this scenario is committing a criminal offence by offering the job to the individual on the condition that they request a copy of their medical record and provide it to the employer. The employer is also breaching the data protection principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, and storage limitation, as they are processing health data, which is a special category of personal data, without a valid legal basis, without informing the individual of the purpose and legal basis of the processing, and without limiting the processing to what is necessary and relevant for the employment relationship. The employer should instead obtain the individual's explicit consent to request the health information directly from the relevant health professional, and only request the information that is necessary and proportionate for the specific role of a security guard.Reference:

Section 184 of the DPA 20183

ICO guidance on enforced subject access requests4

ICO guidance on special category data5


Question No. 3

In which of the following circumstances would Privacy and Electronic Communications Regulation (PECR) NOT apply?

Show Answer Hide Answer
Correct Answer: B

The Privacy and Electronic Communications Regulations (PECR) are a set of rules that regulate the use of electronic communications for marketing purposes, as well as the use of cookies and similar technologies, and the security and privacy of electronic communications services. PECR apply to all organisations that market by phone, email, text, fax, or online, or that use cookies or similar technologies on their websites or other electronic services. PECR do not apply to postal marketing communications, which are not considered electronic communications under the definition of PECR. However, postal marketing communications may still be subject to the UK GDPR and the Data Protection Act 2018, as well as other regulations, such as the Consumer Protection from Unfair Trading Regulations 2008 and the Advertising Standards Authority codes of practice.Reference:

ICO Guide to PECR, What are PECR?4

ICO Guide to PECR, Electronic and telephone marketing5


Question No. 4

How does the GDPR relate to cookies?

Show Answer Hide Answer
Correct Answer: C

The GDPR and the Privacy and Electronic Communications Regulations (PECR) are two different but related legal frameworks that regulate the use of cookies and similar technologies. Cookies are small text files that are stored on the user's device when they visit a website or use an online service. Cookies can be used for various purposes, such as remembering user preferences, tracking user behaviour, delivering targeted advertising, or enabling online transactions. The GDPR applies to the processing of personal data by cookies and similar technologies, as they can be used to identify or single out individuals, either directly or indirectly. Personal data is any information relating to an identified or identifiable natural person, such as a name, an email address, a location data, or a cookie identifier. The GDPR requires data controllers to obtain the user's consent before using any cookies that are not strictly necessary for the functioning of the website or service, and to provide clear and transparent information about the purposes and legal basis of the processing, the categories and recipients of the personal data, the retention periods, and the rights of the data subjects. The GDPR also requires data controllers to implement appropriate technical and organisational measures to ensure the security and confidentiality of the personal data, and to comply with the principles of data protection by design and by default. The PECR are a set of UK-specific rules that implement the EU ePrivacy Directive, which is a complementary legislation to the GDPR that deals with the privacy and security of electronic communications. The PECR apply to the use of cookies and similar technologies, as well as to the sending of marketing communications by phone, email, text, or fax, and to the provision of public electronic communications services and networks. The PECR require data controllers to obtain the user's consent before using any cookies or similar technologies, except those that are strictly necessary for the provision of an information society service requested by the user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network. The PECR also require data controllers to provide clear and comprehensive information about the purposes of the cookies or similar technologies, and to offer the user a way to refuse or withdraw their consent. The PECR do not apply to the processing of personal data by cookies or similar technologies, as this is covered by the GDPR. Therefore, the correct answer is C, as where PECR is engaged only PECR will apply to the use of cookies or similar technologies, but not to the processing of personal data by them. The other options are incorrect because:

The GDPR does not only apply where a cookie processes personal data, but to any processing of personal data by any means, including cookies and similar technologies. The GDPR applies to the processing of personal data by cookies and similar technologies, regardless of whether they are strictly necessary or not, or whether they are first-party or third-party cookies. However, the GDPR does not apply to the use of cookies or similar technologies, as this is covered by the PECR.

The GDPR does not apply in all cases where cookies are used, but only in cases where cookies are used to process personal data. The GDPR does not apply to the use of cookies or similar technologies that do not process personal data, such as those that are strictly necessary for the functioning of the website or service, or those that do not identify or single out individuals. However, the PECR still apply to the use of cookies or similar technologies, regardless of whether they process personal data or not, except for some limited exemptions.

Websites do not only need an opt out of cookies if GDPR applies, but also if PECR applies. The GDPR and the PECR both require data controllers to obtain the user's consent before using any cookies or similar technologies that are not strictly necessary, and to offer the user a way to refuse or withdraw their consent. The opt out of cookies is a mechanism that allows the user to exercise their right to object to the use of cookies or similar technologies, and to prevent the processing of their personal data by them. Websites need to provide an opt out of cookies in all cases where the user's consent is required, regardless of whether the GDPR or the PECR applies.Reference:

GDPR, Article 4(1)5

GDPR, Article 6(1)(a)6

GDPR, Article 13 and 147

GDPR, Article 328

GDPR, Article 25

PECR, Regulation 6

PECR, Regulation 5


Question No. 5

Of the following options which is NOT a purpose of carrying out a Data Protection Impact Assessment (DPIA)?

Show Answer Hide Answer
Correct Answer: A

A DPIA is not required to fulfil the requirement that all DPIAs are submitted to the ICO, because this is not a requirement under the GDPR. The GDPR only requires that the controller consults the ICO before carrying out processing that is likely to result in a high risk to individuals, if the controller cannot mitigate that risk. This means that not all DPIAs need to be submitted to the ICO, only those that identify a high residual risk that cannot be reduced. The other options are valid purposes of carrying out a DPIA, as they help the controller to comply with the GDPR, ensure data protection by design and by default, and identify and mitigate the main risks to individuals' rights and freedoms.Reference:

Article 35 and 36 of the GDPR3

ICO guidance on DPIAs5


Get All 40 Questions & Answers Explore Other BCS Exam Dumps

100%

Security & Privacy

10000+

Satisfied Customers

24/7

Committed Service

100%

Money Back Guranteed