Preparation Guide

Edition 201911
Copyright © EXIN Holding B.V. 2019. All rights reserved.
EXIN® is a registered trademark.

No part of this publication may be reproduced, stored, utilized or transmitted in any form or by any means, electronic,
mechanical, or otherwise, without the prior written permission from EXIN.

Preparation Guide EXIN Privacy & Data Protection Practitioner (PDPP.EN) 2

Content

1. Overview 4
2. Exam Requirements 7
3. List of Basic Concepts 10
4. Literature 14

Preparation Guide EXIN Privacy & Data Protection Practitioner (PDPP.EN) 3

1. Overview

EXIN Privacy & Data Protection Practitioner (PDPP.EN)

Scope
The EXIN Privacy & Data Protection Practitioner is a certification that validates a professional’s
knowledge and understanding of the European privacy and data protection legislation and its
international relevance, as well as the professional’s ability to apply this knowledge and
understanding to everyday professional practice.

Summary
With the ever increasing explosion of information flooding the internet, every company needs to
plan how to manage and protect privacy of persons and their data. Not without a reason, many new
laws within the EU, as well as in the USA and many other regions, are formed in order to regulate
both privacy and data protection.

The European Commission has published the EU General Data Protection Regulation (GDPR),
meaning that from the 25th of May 2018 on, all organizations concerned must comply with specific
rules. This Practitioner certification builds on the subjects covered by the Foundation exam by
focusing on the development and implementation of policies and procedures in order to comply
with existing and new legislation, application of privacy and data protection guidelines and best
practices, and by establishing a data and privacy protection management system (DPMS).

The new standard in the ISO/IEC 27000 series: ISO/IEC 27701:2019 Security Techniques –
Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management –
Requirements and Guidelines is useful for organizations that want to show compliance with the
GDPR. The content of the new ISO standard helps fulfill the GDPR obligations to organizations
regarding the processing of personal data.

Neither the GDPR nor the ISO standard are exam literature. However, the literature matrix in Chapter
4 is designed to show the link between the exam requirements, the literature, the GDPR and the
ISO/IEC 27701:2019 standard to give the certification a broader context.

Preparation Guide EXIN Privacy & Data Protection Practitioner (PDPP.EN) 4

Context
The EXIN Privacy & Data Protection Practitioner (PDPP) certification is part of the EXIN Privacy &
Data Protection qualification program.

Target Group
This Practitioner level certification will be particularly useful to Data Protection Officers (DPOs) /
Privacy Officers, Legal / Compliance Officers, Security Officers, Business Continuity Managers,
Data Controllers, Data Protection Auditors (internal and external), Privacy Analyst and HR
managers.

Requirements for Certification

• Successful completion of the EXIN Privacy & Data Protection Practitioner exam.
• Accredited EXIN Privacy & Data Protection Practitioner training, including completion of the
Practical Assignments.

Examination details
Examination type: Multiple-choice questions
Number of questions: 40 questions
Pass mark: 65%
Open book/notes: The GDPR text may be consulted throughout the exam.
It is provided as an appendix to the digital exam.
Candidates are required to bring their own copy for
paper-based exams.
Electronic equipment/aides permitted: No
Exam duration: 120 minutes

The Rules and Regulations for EXIN’s examinations apply to this exam.

Preparation Guide EXIN Privacy & Data Protection Practitioner (PDPP.EN) 5

Bloom level
The EXIN Privacy & Data Protection Practitioner certification tests candidates at Bloom Levels 2, 3
and 4 according to Bloom’s Revised Taxonomy:
• Bloom Level 2: Understanding - a step beyond remembering. Understanding shows that
candidates comprehend what is presented and can evaluate how the learning material may
be applied in their own environment. This type of questions aims to demonstrate that the
candidate is able to organize, compare, interpret and choose the correct description of
facts and ideas.
• Bloom Level 3: Application - shows that candidates have the ability to make use of
information in a context different from the one in which it was learned. This type of
questions aims to demonstrate that the candidate is able to solve problems in new
situations by applying acquired knowledge, facts, techniques and rules in a different, or
new way. These questions usually contains a short scenario.
• Bloom Level 4: Analysis - shows that candidates have the ability to break learned
information into its parts to understand it. This Bloom level is mainly tested in the Practical
Assignments. The Practical Assignments aim to demonstrate that the candidate is able to
examine and break information into parts by identifying motives or causes, make
inferences and find evidence to support generalizations.

Training

Contact hours
The recommended number of contact hours for this training course is 21. This includes Practical
Assignments, exam preparation and short breaks. This number of hours does not include lunch
breaks, homework and the exam.

If the training provider wishes to dedicate time to national privacy and data protection legislation,
this will require extra training hours in addition to the 21 recommended training hours.

Indication study effort

120 hours, depending on existing knowledge.

Training Organization
You can find a list of our Accredited Training Organizations at www.exin.com.

Preparation Guide EXIN Privacy & Data Protection Practitioner (PDPP.EN) 6

2. Exam Requirements

The exam requirements are specified in the exam specifications. The following table lists the
topics of the module (exam requirements) and the subtopics (exam specifications).

Exam Exam Specification Weight

Requirement
1. Data Protection Policies 10%
1.1 Purpose of the Data Protection and Privacy Policies within an 5%
Organization
1.2 Data Protection by Design and by Default 5%
2. Managing and Organizing Data Protection 32.5%
2.1 Phases of the Data Protection Management System (DPMS) 32.5%
3. Roles of the Controller, Processor and Data Protection Officer (DPO) 17.5%
3.1 Roles of the Controller and Processor 10%
3.2 Role and Responsibilities of a DPO 7.5%
4. Data Protection Impact Assessment (DPIA) 27.5%
4.1 Criteria for a DPIA 15%
4.2 Steps of a DPIA 12.5%
5. Data Breaches, Notification and Incident Response 12.5%
5.1 GDPR Requirements with Regard to Personal Data Breaches 2.5%
5.2 Requirements for Notification 10%
Total 100%

Preparation Guide EXIN Privacy & Data Protection Practitioner (PDPP.EN) 7

Exam specifications

1 Data Protection Policies

1.1 Purpose of the Data Protection and Privacy Policies within an Organization
The candidate can…
1.1.1 explain the policies and procedures needed within an organization to comply
with data protection legislation.
1.1.2 explain the content of the policies.
1.2 Data Protection by Design and by Default
The candidate can….
1.2.1 explain the concept of data protection by design and by default.
1.2.2 describe the seven principles for data protection by design and by default.
1.2.3 illustrate how principles of privacy by design and by default can be
implemented.

2 Managing and Organizing Data Protection

2.1 Phases of the Data Protection Management System (DPMS)
The candidate can…
2.1.1 illustrate how to apply phase 1 of the DPMS: Data Protection and Privacy:
Preparation.
2.1.2 illustrate how to apply phase 2 of the DPMS: Data Protection and Privacy:
Organization.
2.1.3 illustrate how to apply phase 3 of the DPMS: Data Protection and Privacy:
Development and Implementation.
2.1.4 illustrate how to apply phase 4 of the DPMS: Data Protection and Privacy:
Governance.
2.1.5 illustrate how to apply phase 5 of the DPMS: Data Protection and Privacy:
Evaluation and Improvement.

3 Roles of the Controller, Processor and Data Protection Officer (DPO)

3.1 Roles of the Controller and Processor
The candidate can…
3.1.1 enact the responsibilities of the controller.
3.1.2 enact the responsibilities of the processor.
3.1.3 explain the relationship between the controller and the processor in a specific
situation.
3.2 Role and Responsibilities of a DPO
The candidate can…
3.2.1 explain when appointment of a DPO is mandatory under the GDPR.
3.2.2 enact the role of the DPO.
3.2.3 explain the position of the DPO in relation to the supervisory authority 1.

1
Before the GDPR was introduced, the data protection authority was the name of the national
authority in charge of the enforcement of regulation on data protection in EU countries. Under the
GDPR the data protection authority is now called the supervisory authority.

Preparation Guide EXIN Privacy & Data Protection Practitioner (PDPP.EN) 8

4 Data Protection Impact Assessment (DPIA)
4.1 Criteria for a DPIA
The candidate can…
4.1.1 apply the criteria for conducting a DPIA.
4.1.2 describe the objectives and outcomes of a DPIA.
4.2 Steps of a DPIA
The candidate can…
4.2.1 describe the steps of a DPIA.
4.2.2 perform a DPIA in a specific situation.

5 Data Breaches, Notification and Incident Response

5.1 GDPR Requirements with Regard to Personal Data Breaches
The candidate can…
5.1.1 assess whether a data breach has taken place in terms of the GDPR
5.2 Requirements for Notification
The candidate can…
5.2.1 notify the supervisory authority of a personal data breach
5.2.2 notify the data subject of the personal data breach
5.2.3 describe the elements of the GDPR documentation obligation

Preparation Guide EXIN Privacy & Data Protection Practitioner (PDPP.EN) 9

3. List of Basic Concepts

This chapter contains the terms and abbreviations with which candidates should be familiar.

Please note that knowledge of these terms alone does not suffice for the exam; the candidate must
understand the concepts and be able to provide examples.

adequate
appropriate technical and organizational measures
audit
• initial data (protection) audit
• internal and external data (protection) audit
authenticity
availability
awareness
benchmark
binding corporate rules
bring your own device (BYOD)
certification / certification bodies
cloud computing
codes of conduct
collecting personal data
commission reports
complaint
compliance
consent
• child's consent
• conditions for consent
• explicit consent
consistency mechanism
constitution
controller
cross-border processing
data accuracy
data breach
data classification system
data concerning health
data lifecycle management (DLM)
data mapping
data portability
data protection
data protection authority (DPA)
data protection by default / privacy by default
data protection by design / privacy by design
data protection impact assessment (DPIA)
data protection management system (DPMS)
data protection officer (DPO)
• designation
• position
• tasks
data protection policy
data protection program
data protection provisions
data subject

Preparation Guide EXIN Privacy & Data Protection Practitioner (PDPP.EN) 10

data subject access (facilities)
data transfer
declaration of consent
delegated acts and implementing acts
• committee procedure
derogation
documentation obligation
enforcement
• administrative fines
• administrative penalties
• criminal penalties
• dissuasive penalties
• effective penalties
• proportionate penalties
enterprise
EU types of legal act
• decision
• directive
• opinion
• recommendation
• regulation
European Data Protection Board
• chair
• confidentiality
• independence
• procedure
• reports
• secretariat
• tasks
European Data Protection Supervisor (EDPS)
European Economic Area (EEA)
European Union legal acts on data protection
exchange of information
exemption
filing system
General Data Protection Regulation (GDPR)
governing body
group of undertakings
incident response
• activity reports
• competence
• establishment
• independent supervisory authorities
• powers
• tasks
Information Security Management System (ISMS)
information society service
international organization
internet of things (IoT)
joint controllers
judicial remedy
lawfulness of processing
legal basis
legitimate basis (GDPR Article 40)
legitimate ground (GDPR Article 17(1c), Article 18(1d), Article 21(1))
legitimate interest

Preparation Guide EXIN Privacy & Data Protection Practitioner (PDPP.EN) 11

liability
main establishment
material scope
measures based on DPIA results
non-repudiation
notification obligation
opinion of the board
personal data
personal data breach
personal data relating to criminal convictions and offences
policy / policy rules
principles relation to processing of personal data (GDPR, Article 5)
• accountability
• accuracy
• confidentiality
• data minimization
• fairness
• integrity
• lawfulness
• purpose limitation
• storage limitation
• transparency
prior consultation
privacy
privacy analysis
privacy officer / chief privacy officer
processing (of personal data)
processing agreement
processing situations
• data protection rules of churches and religious associations
• employment
• for archiving purposes in the public interest
• for scientific or historical research purposes
• for statistical purposes
• freedom of expression and information
• National Identification Number
• obligations of secrecy
• public access to official documents
processing which does not require identification
processor
profiling
proportionality, the principle of
pseudonymization
quality cycle
recipient
relevant and reasoned objection
repealed
representative
restriction of processing
retention period

Preparation Guide EXIN Privacy & Data Protection Practitioner (PDPP.EN) 12

rights of the data subject
• ‘right to be forgotten’
• automated individual decision-making
• data portability
• information and access
• modalities
• notification obligation
• rectification and erasure
• restriction of processing
• restrictions
• right to compensation
• right to objection
• transparency
risk management
rules of procedure
security breach
security incident
security of personal data
security of processing
sensitive data
service provider
seven principles for privacy by design
Social, Mobile, Analytics, Cloud, Things (SMACT)
special categories of personal data
• biometric data
• data concerning health
• genetic data
• political opinions
• racial or ethnic origin
• religious or philosophical beliefs
• sex life or sexual orientation
• trade union membership
subsidiarity, the principle of
supervisory authority
supervisory authority concerned
suspension of proceedings
territorial scope
third party
threat
transfer of personal data to third countries and to international organizations
• adequacy decision
• appropriate safeguards
• binding corporate rules
• derogations
• disclosures
• international protection of personal data
unified communications and collaboration (UCC)
vulnerability

Preparation Guide EXIN Privacy & Data Protection Practitioner (PDPP.EN) 13

4. Literature

Exam literature

The knowledge required for the EXIN Privacy & Data Protection Practitioner exam is covered in the
following literature:

A. IT Governance Privacy Team

EU General Data Protection Regulation (GDPR). An Implementation and Compliance Guide
IT Governance Publishing, Cambridgeshire (second edition, 2017)
ISBN 978-1-84928-9450 (paperback)
ISBN 978-1-84928-9474 (e-book)

B. Kyriazoglou, J.
Data Protection and Privacy Management System. Data Protection and Privacy Guide –
Vol. I
bookboon.com (first edition, 2016)
ISBN 978-87-403-1540-0

Additional Literature

C. European Commission
General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
Regulation of the European Parliament and the Council of the European Union. Brussels, 6
April 2016, available at http://eur-lex.europa.eu
http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=EN

D. Article 29 Data Protection Working Party

Guidelines on Data Protection Officers (‘DPOs’), wp 243rev.01, 5 April 2017 available at
http://ec.europa.eu/newsroom/Article29/item-detail.cfm?item_id=612048

E. Article 29 Data Protection Working Party

Guidelines on Data Protection Impact Assessment (DPIA) and determining whether
processing is “likely to result in a high risk” for the purposes of Regulation 2016/679,
wp248, 4 April 2017 available at http://ec.europa.eu/newsroom/Article29/item-
detail.cfm?item_id=611236

F. A. Cavoukian
Privacy by Design - The 7 Foundational Principles
Information & Privacy Commissioner, Ontario, Canada
https://www.ipc.on.ca/wp-content/uploads/Resources/7foundationalprinciples.pdf

G. Example of Privacy by Design Framework

https://www.privacycompany.eu/files/DPbD_Framework.pdf

H. ISO/IEC 27701:2019 (EN)

Security Techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy
Information Management – Requirements and Guidelines
Switzerland, ISO/IEC, 2019
https://www.iso.org/home.html

Preparation Guide EXIN Privacy & Data Protection Practitioner (PDPP.EN) 14

Comment
Additional literature is for reference and depth of knowledge only.

The GDPR text (source C) is no primary exam literature, because the exam literature provides
sufficient knowledge about the GDPR. Candidates should be familiar with the references to the
GDPR made in the other literature.

Literature Matrix

Exam Exam Literature GDPR ISO/IEC 27701

Requirements Specifications Reference Reference Reference
1. Data Protection Policies
1.1 Purpose of the Data Protection and A, Chapter 1, no reference no reference
Privacy Policies within an Chapter 16
Organization
1.2 Data Protection by Design and by A, Chapter 5 Article 25 Section B.8.4,
Default Subclause 6.11.2.1,
Subclause 6.11.2.5,
Subclause 7.4.2
2. Managing and Organizing Data Protection
2.1 Phases of the Data Protection A, Chapter 12 no reference no reference
Management System (DPMS) Chapter 14
B, Chapter 2
3. Roles of the Controller, Processor and Data Protection Officer (DPO)
3.1 Roles of the Controller and A, Chapter 12 Article 24, Subclause 5.2.1,
Processor Article 26, Subclause 6.3.1.1,
Article 27, Subclause 6.12.1.2,
Article 28, Subclause 6.15.1.1,
Article 29 Subclause 7.2.6,
Subclause 7.2.7,
Subclause 8.2.1,
Subclause 8.2.4,
Subclause 8.2.5,
Subclause 8.5.4,
Subclause 8.5.6,
Subclause 8.5.7,
Subclause 8.5.8
3.2 Role and Responsibilities of a DPO A, Chapter 2 Article 37, Subclause 6.3.1.1,
Article 38, Subclause 6.4.2.2,
Article 39 Subclause 6.10.2.4
4. Data Protection Impact Assessment (DPIA)
4.1 Criteria for a DPIA A, Chapter 5, Article 35 Subclause 5.2.2,
Chapter 6, Subclause 7.2.5,
Chapter 7, Subclause 8.2.1
Chapter 8
4.2 Steps of a DPIA A, Chapter 5, no reference Subclause 5.2.2,
Chapter 7, Subclause 7.2.5,
Chapter 8 Subclause 8.2.1
5. Data Breaches, Notification and Incident Response
5.1 GDPR Requirements with Regard to A, Chapter 3, Article 4(12), Subclause 6.13.1.1,
Personal Data Breaches Chapter 14 Article 33, Subclause 6.13.1.5
Article 34
5.2 Requirements for Notification A, Chapter 14 Article 33, Subclause 6.13.1.1,
Article 34 Subclause 6.13.1.5

Preparation Guide EXIN Privacy & Data Protection Practitioner (PDPP.EN) 15

Contact EXIN

www.exin.com