- Successful completion of the EXIN Privacy & Data Protection Professional exam.
- Accredited EXIN Privacy & Data Protection Professional training, including completion of the Practical Assignments.
Exin Privacy & Data Protection Professional
EXIN Privacy and Data Protection Professional is an advanced-level certification that validates a professional knowledge and understanding of the European General Data Protection Regulation (GDPR). The exam tests the candidate’s ability to apply this knowledge and understanding in everyday professional practice.
This advanced-level certification will be particularly useful to
- data protection officers (DPOs) / privacy officers
- legal/compliance officers
- security officers
- business continuity managers
- data controllers
- data protection auditors (internal and external)
- privacy analysts
- HR-managers
1.1 Purpose of data protection and privacy policies within an organization
The candidate can…
1.1.1 explain the policies and procedures needed within an organization to comply with data protection legislation.
1.1.2 explain the content of the policies.
1.2 Data protection by design and by default
The candidate can…
1.2.1 explain the concept of data protection by design and by default.
1.2.2 describe the seven principles for data protection by design and by default.
1.2.3 illustrate how principles of privacy by design and by default can be implemented.
The candidate can…
1.1.1 explain the policies and procedures needed within an organization to comply with data protection legislation.
1.1.2 explain the content of the policies.
1.2 Data protection by design and by default
The candidate can…
1.2.1 explain the concept of data protection by design and by default.
1.2.2 describe the seven principles for data protection by design and by default.
1.2.3 illustrate how principles of privacy by design and by default can be implemented.
2.1 Privacy information management system (PIMS) basics
The candidate can…
2.1.1 explain the different terms used in the ISO/IEC 27701 standard (internal and external issues, interested parties).
2.1.2 list which media must be considered when implementing a PIMS.
2.1.3 define what a statement of applicability (SoA) is.
2.1.4 explain the purpose of documentation in a PIMS.
2.1.5 explain the purpose of management reviews in a PIMS.
2.2 Benefits of a privacy information management system (PIMS)
The candidate can…
2.2.1 explain the objective of audits in a PIMS.
2.2.2 explain how to determine the specific requirements of a PIMS in light of the appropriate local rules and contractual requirements.
2.2.3 explain how a PIMS and audits help to show compliance with standards and regulations.
2.2.4 explain how a PIMS can help with supplier selection.
2.3 Privacy information management system (PIMS) relationships
The candidate can…
2.3.1 explain the difference between a privacy information management system (PIMS) and an information security management system (ISMS).
2.3.2 explain the relationship between the data protection principle of appropriate information security arrangements and the ISO/IEC 27701 standard.
2.3.3 explain the usefulness of the ISO/IEC 27002 standard for the implementation of a PIMS.
2.3.4 explain how to apply PIMS controls.
The candidate can…
2.1.1 explain the different terms used in the ISO/IEC 27701 standard (internal and external issues, interested parties).
2.1.2 list which media must be considered when implementing a PIMS.
2.1.3 define what a statement of applicability (SoA) is.
2.1.4 explain the purpose of documentation in a PIMS.
2.1.5 explain the purpose of management reviews in a PIMS.
2.2 Benefits of a privacy information management system (PIMS)
The candidate can…
2.2.1 explain the objective of audits in a PIMS.
2.2.2 explain how to determine the specific requirements of a PIMS in light of the appropriate local rules and contractual requirements.
2.2.3 explain how a PIMS and audits help to show compliance with standards and regulations.
2.2.4 explain how a PIMS can help with supplier selection.
2.3 Privacy information management system (PIMS) relationships
The candidate can…
2.3.1 explain the difference between a privacy information management system (PIMS) and an information security management system (ISMS).
2.3.2 explain the relationship between the data protection principle of appropriate information security arrangements and the ISO/IEC 27701 standard.
2.3.3 explain the usefulness of the ISO/IEC 27002 standard for the implementation of a PIMS.
2.3.4 explain how to apply PIMS controls.
3.1 Roles of the controller and processor
The candidate can…
3.1.1 enact the responsibilities of the controller.
3.1.2 enact the responsibilities of the processor.
3.1.3 explain the relationship between the controller and the processor in a specific situation.
3.2 Role and responsibilities of a data protection officer (DPO)
The candidate can…
3.2.1 explain when appointment of a DPO is mandatory under the GDPR.
3.2.2 enact the role of the DPO.
3.2.3 explain the position of the DPO in relation to the supervisory authority.
The candidate can…
3.1.1 enact the responsibilities of the controller.
3.1.2 enact the responsibilities of the processor.
3.1.3 explain the relationship between the controller and the processor in a specific situation.
3.2 Role and responsibilities of a data protection officer (DPO)
The candidate can…
3.2.1 explain when appointment of a DPO is mandatory under the GDPR.
3.2.2 enact the role of the DPO.
3.2.3 explain the position of the DPO in relation to the supervisory authority.
4.1 Criteria for a data protection impact assessment (DPIA)
The candidate can…
4.1.1 apply the criteria for conducting a DPIA.
4.1.2 describe the objectives and outcomes of a DPIA.
4.2 Steps of a data protection impact assessment (DPIA)
The candidate can…
4.2.1 describe the steps of a DPIA.
4.2.2 perform a DPIA in specific situations.
The candidate can…
4.1.1 apply the criteria for conducting a DPIA.
4.1.2 describe the objectives and outcomes of a DPIA.
4.2 Steps of a data protection impact assessment (DPIA)
The candidate can…
4.2.1 describe the steps of a DPIA.
4.2.2 perform a DPIA in specific situations.
5.1 GDPR requirements with regard to personal data breaches
The candidate can…
5.1.1 assess whether a data breach has taken place in terms of the GDPR.
5.2 Requirements for notification
The candidate can…
5.2.1 notify the supervisory authority of a personal data breach.
5.2.2 notify the data subject of the personal data breach.
5.2.3 describe the elements of the GDPR documentation obligation.
The candidate can…
5.1.1 assess whether a data breach has taken place in terms of the GDPR.
5.2 Requirements for notification
The candidate can…
5.2.1 notify the supervisory authority of a personal data breach.
5.2.2 notify the data subject of the personal data breach.
5.2.3 describe the elements of the GDPR documentation obligation.
| Length of exam | 2 hour |
| Number of questions | 40 questions |
| Question format | Multiple choice |
| Passing grade | 65% |
| Exam availability | English, Chinese, Portuguese |
| Testing center | Online Proctored/ Paper-based |
