Privacy and Data Protection Foundation

The Privacy and Data Protection Foundation course and exam are based on the following Intended Learning Outcomes (ILOs):

1 Privacy & data protection fundamentals and regulations
1.1 Definitions
The candidate can…
1.1.1 define privacy.
1.1.2 relate privacy to personal data and data protection.
1.1.3 describe the context of Union and Member State law.
1.2 Personal data
The candidate can…
1.2.1 define personal data according to the GDPR.
1.2.2 distinguish between personal data and special categories of personal data (sensitive personal data).
1.2.3 describe the data subject’s rights regarding personal data.
1.2.4 define processing of personal data that falls within the scope of the GDPR.
1.2.5 list the roles, responsibilities and stakeholders in the GDPR.
1.3 Legitimate grounds and purpose limitation
The candidate can…
1.3.1 list the six legitimate grounds for processing.
1.3.2 describe the concept of purpose limitation.
1.3.3 describe proportionality and subsidiarity.
1.4 Further requirements for legitimate processing of personal data
The candidate can…
1.4.1 describe the requirements for legitimate data processing.
1.4.2 describe the purpose of personal data processing.
1.4.3 explain the principles relating to processing of personal data.
1.5 Rights of data subjects
The candidate can…
1.5.1 describe the right of access (inspection) and the right to data portability.
1.5.2 describe the right to erasure (the right to be forgotten).
1.6 Personal data breach and related procedures
The candidate can…
1.6.1 describe the concept of personal data breach.
1.6.2 explain procedures on how to act when a personal data breach occurs.
1.6.3 give examples of categories of personal data breaches.
1.6.4 describe the difference between a security breach (incident) and a personal data breach.
1.6.5 list relevant stakeholders that should be informed in case of a personal data breach.
2 Organizing data protection
2.1 Importance of data protection for the organization
The candidate can…
2.1.1 list the different types of records an organization must keep (GDPR Article 28 and Article 30).
2.1.2 indicate what activities are required to comply with the GDPR.
2.1.3 define data protection by design and by default.
2.1.4 give examples of personal data breaches.
2.1.5 describe the personal data breach notification obligation as laid down in the GDPR.
2.1.6 describe enforcement of the rules by issuing penalties including administrative fines.
2.2 Supervisory authority
The candidate can…
2.2.1 describe the general responsibilities of a supervisory authority.
2.2.2 describe the role and responsibilities of a supervisory authority related to personal data breaches.
2.2.3 describe how a supervisory authority contributes to the application of the GDPR.
2.3 Personal data transfer to third countries
The candidate can…
2.3.1 describe the regulations that apply to data transfer inside the EEA.
2.3.2 describe the regulations that apply to data transfer outside the EEA.
2.3.3 describe the regulations that apply to data transfer between the EEA and the USA.
2.4 Binding corporate rules and data protection in contracts
The candidate can…
2.4.1 describe the concept of binding corporate rules (BCR).
2.4.2 describe how data protection is formalized in contracts between the controller and the processor.
2.4.3 describe the clauses of such a contract.
3 Practice of data protection
3.1 Data protection by design and by default
The candidate can…
3.1.1 describe the benefits of data protection by design and by default.
3.1.2 describe the seven principles of data protection by design.
3.2 Data Protection Impact Assessment (DPIA)
The candidate can…
3.2.1 outline what a DPIA covers and when to do a DPIA.
3.2.2 mention the eight objectives of a DPIA.
3.2.3 list the topics of a DPIA report.
3.3 Personal data in use
The candidate can…
3.3.1 describe the purpose of data lifecycle management (DLM).
3.3.2 explain data retention and minimization.
3.3.3 describe what a cookie is and what its purpose is.
3.3.4 describe the right to object to the processing of personal data for the purpose of direct marketing, including profiling.

This is one of the four exams you need to pass (or for which you must obtain a waiver) to earn the stackable CDPP® certificate.
