MCQ ON THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023
1. Which of the following is a primary objective of the Digital Personal Data Protection Act, 2023?
A. To promote digital payments in India
B. To protect personal data and privacy of individuals
C. To regulate the use of cryptocurrencies
D. To enhance cybersecurity for government agencies
Answer: B. To protect personal data and privacy of individuals
2. Under the Digital Personal Data Protection Act, 2023, which entity is responsible for enforcing the provisions of the Act?
A. Reserve Bank of India (RBI)
B. Data Protection Authority (DPA)
C. Ministry of Electronics and Information Technology (MeitY)
D. Central Bureau of Investigation (CBI)
Answer: B. Data Protection Authority (DPA)
3. Which of the following is NOT considered sensitive personal data under the Act?
A. Financial information
B. Biometric data
C. Email address
D. Health records
Answer: C. Email address
4. What is the maximum penalty for a significant data breach under the Digital Personal Data Protection Act, 2023?
A. Rs.5 crore
B. Rs.10 crore
C. Rs.20 crore
D. Rs.50 crore
Answer: D. Rs.50 crore
5. How long can personal data be retained according to the Digital Personal Data Protection Act, 2023?
A. Indefinitely
B. As long as it is necessary for the purpose it was collected
C. For a maximum of 5 years
D. For a maximum of 10 years
Answer: B. As long as it is necessary for the purpose it was collected
6. Under the Act, which of the following rights is granted to data principals (individuals)?
A. Right to erasure
B. Right to transfer data internationally
C. Right to restrict government access to data
D. Right to anonymity
Answer: A. Right to erasure
7. What is the main criterion for an organization to be classified as a significant data fiduciary under the Act?
A. Number of employees
B. Volume and sensitivity of personal data processed
C. Annual revenue
D. Geographical location
Answer: B. Volume and sensitivity of personal data processed
8. Which of the following is a requirement for cross-border data transfer under the Digital Personal Data Protection Act, 2023?
A. Approval from the Ministry of Home Affairs
B. Consent from the data principal
C. Adequate data protection measures in the receiving country
D. Data localization within India
Answer: C. Adequate data protection measures in the receiving country
9. According to the Act, who is responsible for appointing the Data Protection Officer (DPO) in an organization?
A. The CEO of the organization
B. The Data Protection Authority
C. The board of directors
D. The Ministry of Electronics and Information Technology
Answer: C. The board of directors
10. What is the role of the Data Protection Authority (DPA) as per the Act?
A. To promote digital literacy
B. To monitor and enforce compliance with the Act
C. To manage national cybersecurity infrastructure
D. To issue digital certificates to companies
Answer: B. To monitor and enforce compliance with the Act
11. Which section of the Digital Personal Data Protection Act, 2023 deals with the rights of data principals?
A. Section 4
B. Section 9
C. Section 12
D. Section 15
Answer: C. Section 12
12. Under the Act, personal data can be processed only if:
A. The data principal is notified
B. The data principal provides explicit consent
C. The data is encrypted
D. The data is publicly available
Answer: B. The data principal provides explicit consent
13. What is the term used in the Act for entities that determine the purpose and means of processing personal data?
A. Data processors
B. Data controllers
C. Data fiduciaries
D. Data subjects
Answer: C. Data fiduciaries
14. Under the Act, which of the following is required for processing the personal data of children?
A. Written consent from the child
B. Parental or guardian consent
C. Approval from the Data Protection Authority
D. Biometric verification
Answer: B. Parental or guardian consent
15. Which principle mandates that personal data should be processed lawfully, fairly, and in a transparent manner?
A. Accountability
B. Purpose limitation
C. Lawfulness, fairness, and transparency
D. Data minimization
Answer: C. Lawfulness, fairness, and transparency
16. What is the primary purpose of data anonymization under the Act?
A. To enhance data security
B. To comply with international data protection standards
C. To prevent the identification of data principals
D. To facilitate data sharing with third parties
Answer: C. To prevent the identification of data principals
17. According to the Act, which of the following is NOT a right granted to data principals?
A. Right to access
B. Right to correction
C. Right to data portability
D. Right to financial compensation
Answer: D. Right to financial compensation
18. What is the primary role of a Data Protection Officer (DPO) in an organization?
A. To manage customer relationships
B. To oversee compliance with data protection laws
C. To conduct internal audits
D. To develop new data processing technologies
Answer: B. To oversee compliance with data protection laws
19. Under the Act, what is required before processing personal data for direct marketing purposes?
A. Notification to the Data Protection Authority
B. Explicit consent from the data principal
C. Encryption of the data
D. Data localization
Answer: B. Explicit consent from the data principal
20. Which principle of data protection requires that personal data be adequate, relevant, and limited to what is necessary for processing?
A. Accuracy
B. Storage limitation
C. Data minimization
D. Integrity and confidentiality
Answer: C. Data minimization
21. Which of the following bodies can make recommendations to the government regarding data protection under the Act?
A. Central Bureau of Investigation (CBI)
B. Data Protection Authority (DPA)
C. National Informatics Centre (NIC)
D. Telecom Regulatory Authority of India (TRAI)
Answer: B. Data Protection Authority (DPA)
22. The Act requires data fiduciaries to report data breaches to the Data Protection Authority within:
A. 24 hours
B. 48 hours
C. 72 hours
D. One week
Answer: C. 72 hours
23. Under the Act, which of the following is considered a lawful basis for processing personal data without consent?
A. Public interest
B. Employee monitoring
C. Data marketing
D. Social media activities
Answer: A. Public interest
24. According to the Act, personal data should be:
A. Shared freely with international organizations
B. Retained indefinitely
C. Accurate and kept up to date
D. Processed for any purpose
Answer: C. Accurate and kept up to date
25. What does the term “data principal” refer to under the Act?
A. The person who controls the data processing
B. The entity that processes personal data
C. The individual to whom the personal data relates
D. The regulatory authority
Answer: C. The individual to whom the personal data relates
26. Under the Act, data fiduciaries must implement appropriate technical and organizational measures to ensure:
A. Data portability
B. Data anonymity
C. Data security
D. Data publication
Answer: C. Data security
27. Which of the following actions can the Data Protection Authority take against non-compliant organizations?
A. Imprisonment of employees
B. Financial penalties
C. Seizure of assets
D. Deregistration of the company
Answer: B. Financial penalties
28. Which principle ensures that personal data is collected for specified, explicit, and legitimate purposes?
A. Lawfulness
B. Purpose limitation
C. Accountability
D. Transparency
Answer: B. Purpose limitation
29. Which of the following is NOT a responsibility of a data processor under the Act?
A. Processing personal data on behalf of the data fiduciary
B. Determining the purpose of data processing
C. Implementing data security measures
D. Reporting data breaches to the data fiduciary
Answer: B. Determining the purpose of data processing
30. The Digital Personal Data Protection Act, 2023 applies to:
A. Only government organizations
B. Only private companies
C. Both government and private organizations
D. Only multinational corporations
Answer: C. Both government and private organizations
31. According to the Act, personal data must be erased when:
A. The data principal requests it
B. It is no longer necessary for the purpose it was collected
C. The data fiduciary changes its business model
D. The Data Protection Authority issues a directive
Answer: B. It is no longer necessary for the purpose it was collected
32. Under the Act, who has the right to withdraw consent for data processing at any time?
A. The data fiduciary
B. The Data Protection Authority
C. The data principal
D. The government
Answer: C. The data principal
33. Which section of the Act mandates data fiduciaries to maintain records of data processing activities?
A. Section 7
B. Section 9
C. Section 11
D. Section 13
Answer: D. Section 13
34. What does the principle of “accountability” entail for data fiduciaries?
A. Ensuring data is always encrypted
B. Being responsible for and able to demonstrate compliance with the Act
C. Limiting data sharing with third parties
D. Conducting annual data audits
Answer: B. Being responsible for and able to demonstrate compliance with the Act
35. Which of the following best describes a “data breach” under the Act?
A. Unauthorized access to personal data
B. Lawful processing of personal data
C. Voluntary data sharing with third parties
D. Data anonymization
Answer: A. Unauthorized access to personal data
36. The Act requires data fiduciaries to provide data principals with information about:
A. The price of their personal data
B. The identity and contact details of the data fiduciary
C. The business strategy of the data fiduciary
D. The financial statements of the data fiduciary
Answer: B. The identity and contact details of the data fiduciary
37. What is required under the Act before transferring personal data to a third party?
A. Data anonymization
B. Explicit consent from the data principal
C. Encryption of the data
D. Approval from the Data Protection Authority
Answer: B. Explicit consent from the data principal
38. Which of the following is a significant data fiduciary required to conduct periodically?
A. Data integrity checks
B. Data protection impact assessments
C. Data encryption updates
D. Data marketing campaigns
Answer: B. Data protection impact assessments
39. What does “data portability” allow data principals to do under the Act?
A. Transfer their personal data to another data fiduciary
B. Erase their personal data
C. Restrict access to their personal data
D. Anonymize their personal data
Answer: A. Transfer their personal data to another data fiduciary
40. Which of the following is NOT a ground for processing personal data without consent under the Act?
A. Performance of a contract
B. Compliance with a legal obligation
C. Vital interests of the data principal
D. Direct marketing
Answer: D. Direct marketing
41. Under the Act, personal data should be stored in a manner that:
A. Ensures it is publicly accessible
B. Ensures its confidentiality and security
C. Allows for indefinite retention
D. Facilitates unrestricted sharing
Answer: B. Ensures its confidentiality and security
42. The Act mandates that data fiduciaries must obtain consent for data processing that is:
A. Inferred from the context
B. Implicitly given
C. Explicit and informed
D. Assumed based on previous interactions
Answer: C. Explicit and informed
43. Which of the following is a key component of data protection by design and by default?
A. Using the latest hardware
B. Minimizing data collection to what is necessary
C. Sharing data with multiple processors
D. Publishing data processing activities
Answer: B. Minimizing data collection to what is necessary
44. Which section of the Act provides for penalties for non-compliance with the data protection obligations?
A. Section 16
B. Section 21
C. Section 25
D. Section 30
Answer: C. Section 25
45. According to the Act, a data principal can request access to:
A. Their entire digital footprint
B. Only anonymized data
C. The specific personal data held about them
D. Data held about other individuals
Answer: C. The specific personal data held about them
46. Under the Act, what is the primary responsibility of a data processor?
A. To determine the purpose of data processing
B. To process data on behalf of the data fiduciary
C. To provide data principals with consent forms
D. To oversee the operations of the Data Protection Authority
Answer: B. To process data on behalf of the data fiduciary
47. What is required from data fiduciaries when collecting personal data from data principals under the Act?
A. Detailed information about data retention policies
B. High-level summary of processing activities
C. Information on the purpose of data collection
D. No information is required
Answer: C. Information on the purpose of data collection
48. Which of the following rights allows data principals to obtain their personal data in a structured, commonly used, and machine-readable format?
A. Right to be forgotten
B. Right to access
C. Right to data portability
D. Right to restrict processing
Answer: C. Right to data portability
49. What must be demonstrated by data fiduciaries to ensure compliance with the principles of the Act?
A. Data encryption
B. Accountability
C. Public data sharing
D. Continuous data processing
Answer: B. Accountability
50. Under the Act, who is responsible for the protection of personal data?
A. Data principals
B. Data processors
C. Data fiduciaries
D. All of the above
Answer: D. All of the above