Data Privacy Quiz
How strong is your privacy knowledge? In this quiz, you'll see eight different statements about data privacy. Guess whether each statement is true or false!
Answer the questions to test yourself and learn interesting trivia as you play the quiz.
1. My doctor or my doctor’s assistants are not allowed to call me up by name in the waiting room.
Correct! Patients can still be called up by name in the waiting room as there is a valid reason to do so. However, calling up a patient and mentioning their treatment would not be allowed, e.g., “Ms Smith, please come to room three for your fillings”. Moreover, in accordance with Art. 13 UK-GDPR, information regarding obligations in doctors’ offices must be displayed.
2. If I have not consented to data collection, collecting my data would be unlawful.
Correct! Six different lawful bases for data collection and processing are listed in Article 6 of the UK-GDPR. Consent is only one of these. Therefore, data collection and processing is lawful if it fulfils one of the following conditions: it is necessary for the fulfilment of a contract or compliance with a legal obligation, it protects the vital interests of the data subject, the processing is necessary to carry out a task that is in the public interest, or the processing is necessary to safeguard the legitimate interests of the controller or a third party. In addition, the UK-GDPR defines flexibility clauses that are to be implemented in national law. Moreover, you always have the right to request information from an organisation or company about the legal basis on which data was collected. Simply submit a so-called data subject request. This information should also be part of privacy policies or other documents with information according to Art. 13 UK-GDPR.
3. My employer is not allowed to use team photos on their website – unless everyone in the photo has given their consent.
Correct! The UK-GDPR stipulates that consent is absolutely necessary in the absence of another legal basis. Therefore, the consent of the data subjects, in this case the employees in the photo, is mandatory for the publication of their data (this also includes photos). The Information Commissioner's Office (ICO) has issued guidance to supplement the provisions of the UK-GDPR regarding employee data protection. The important thing here is that consent is given voluntarily, can be withdrawn by the data subject, and is not linked to any conditions.
4. If I do not accept cookies on a website, I will not be able to access important features.
Correct! The cookies necessary for the operation of the website do not require consent. These are identified as “technically necessary” or “essential” cookies. In online shops, for example, these cookies ensure that you can place goods in your shopping cart. All other cookies, such as for marketing purposes, are not absolutely necessary for the use of a website and require consent for processing to be legitimate.
5. My name on the doorbell does not violate my data protection rights. I cannot ask my landlord to remove my name from the doorbell nameplate.
Correct! This is a persistent data protection myth. Having your name on the door has absolutely nothing to do with the UK-GDPR and in no way violates the principles of data protection. The former German Federal Data Protection Officer, Andrea Vosshoff, explains the reason for this: “Placing names on doorbell nameplates in itself does not represent automated processing or actual or intended storage in file systems.”
6. I can object to receiving advertising emails for similar or supplementary products, even as an existing customer of a company.
Correct! Although companies whose customer base you belong to can in some cases also rely on a so-called legitimate interest as the legal basis for advertising emails, in addition to consent, you must also be given the opportunity, in a very transparent manner, to withdraw consent to these emails. In addition, the guidance from the ICO on direct marketing must be taken into account.
7. If I ask my dentist to erase all my personal data, they must delete all the existing data they have on me.
Correct! Certain data is subject to a statutory retention period. For example, doctors may need to keep patient data in the patient's file for five to ten years, and in some exceptional cases for up to thirty years. Personal data that does not have to be retained on the basis of statutory retention periods can be deleted on request. However, in some cases this can have consequences: for example, if the data is required for the execution of contractual relationships, the destruction of said data cannot be carried out. Moreover, there are a few exceptions according to Art. 17 UK-GDPR, which legitimise the continued retention of personal data.
8. The messenger provider, WhatsApp, shares some of its users’ data with its parent company, Facebook, and other Facebook companies.
Correct. However, it is unclear which data is shared and for what purpose. Even if a Facebook spokeswoman assured users that the WhatsApp user data of British users would not be shared with Facebook and other Facebook companies for advertising purposes, the terms of use allow these data to be transmitted.
Incorrect - this statement is true. However, it is unclear which data is shared and for what purpose. Even if a Facebook spokeswoman assured users that the WhatsApp user data of British users would not be shared with Facebook and other Facebook companies for advertising purposes, the terms of use allow these data to be transmitted.