Privacy & Data Protection Foundation

EXIN Privacy & Data Protection Foundation (PDPF) is a certification that validates a professional’s knowledge and understanding of the protection of personal data and the EU rules and regulations regarding data protection.

Wherever personal data is collected, stored, used, and finally deleted or destroyed, privacy concerns arise. With the EU General Data Protection Regulation (GDPR), the Council of the European Union aims to strengthen and unify data protection for all individuals within the European Union (EU). This regulation affects every organization that processes personal data of EU citizens. The EXIN Privacy & Data Protection Foundation certification covers the main subjects related to the GDPR.

The new standard in the ISO/IEC 27000 series, ISO/IEC 27701:2019 Security Techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management – Requirements and Guidelines, is useful for organizations that want to demonstrate compliance with the GDPR. The content of this ISO standard helps organizations fulfill their GDPR obligations regarding the processing of personal data.

Neither the GDPR nor the ISO standard is exam literature. However, the literature matrix in Chapter 4 is designed to show the link between the exam requirements, the literature, the GDPR, and the ISO/IEC 27701:2019 standard, giving the certification a broader context.


Not stated.

Successful completion of the EXIN Privacy & Data Protection Foundation exam

All employees must have an understanding of data protection and European legal requirements as defined in the GDPR. This certification is tailored to:

    • data protection officers (DPOs)
    • compliance officers
    • security officers
    • HR staff
    • process and project managers
1.1 Definitions
1.2 Personal Data
1.3 Legitimate Grounds and Purpose Limitations
1.4 Further Requirements for Legitimate Processing of Personal Data
1.5 Rights of Data Subjects
1.6 Personal Data Breach and Related Procedures

2.1 Importance of Data Protection for the Organization
2.2 Supervisory Authority
2.3 Personal Data Transfer to Third Countries
2.4 Binding Corporate Rules and Data Protection in Contracts

3.1 Data Protection by Design and by Default
3.2 Data Protection Impact Assessment (DPIA)
3.3 Personal Data in Use
Length of exam: 1 hour
Number of questions: 40
Question format: Multiple choice
Passing grade: 65%
Exam availability: English, Chinese, German, Portuguese, Dutch
Testing center: Online Proctored / Paper-Based