Certified GDPR Professional

The controller or the processor shall __________ the contact details of the data protection officer and communicate them to the supervisory authority.

The data protection officer shall be __________ on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.

A group of __________ may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.

Where the controller or the processor is a public authority or body, a single data protection officer may be designated for __________ such authorities or bodies, taking account of their organisational structure and size.

In cases other than those referred to in paragraph 1, the controller or processor or __________ and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. 

The data protection officer may act for such associations and other bodies __________ controllers or processors.

The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of __________

The controller and processor shall __________ the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.

The controller and processor shall ensure that the data protection officer does not receive any __________ regarding the exercise of those tasks regarding resources required.

Data Subject shall not be dismissed or __________ by the controller or the processor for performing his tasks.

The data protection officer shall directly report to the __________ management level of the controller or the processor.

Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under __________

The data protection officer shall be bound by secrecy or confidentiality concerning the __________ of his or her tasks, in accordance with Union or Member State law.

The data protection officer may fulfil other tasks and duties, and the controller or processor shall ensure that any such tasks and duties do not result in a __________.

The data protection officer shall in the performance of his or her tasks have due regard to the __________ associated with processing operations, taking into account the nature, scope, context and purposes of processing.

The __________ shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9.

The __________ shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by way of appropriate means.

The Commission may, by way of implementing acts, decide that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 of this Article have general validity within the Union and those implementing acts shall be __________ in accordance with the examination procedure set out in Article 93(2).

Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with GDPR, or, in the situation referred to in paragraph 3, provides appropriate safeguards, the __________ shall submit its opinion to the Commission.

Where the draft code, or amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the __________ shall register and publish the code.

Where a __________ code of conduct relates to processing activities, the supervisory authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in the procedure referred to in Article 63 to the Board.

Associations and other bodies referred to in paragraph 2 of GDPR intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the __________ authority which is competent pursuant to Article 55

The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate __________

A __________ referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.

The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of GDPR, taking account of the specific features of the various __________ sectors and the specific needs of micro, small and medium-sized enterprises.

Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of __________ the application of GDPR.

In addition to adherence by controllers or processors, codes of conduct approved pursuant in order to provide appropriate safeguards within the framework of personal data transfers to third countries or __________ under the terms referred to in point (e) of Article 46(2). 

Controllers or processors shall make binding and enforceable __________, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects for transfering personal data.

The __________ supervisory authority shall submit the draft requirements for accreditation of a body as referred to in paragraph 1 of this Article to the Board pursuant to the consistency mechanism referred to in Article 63.

Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the __________ of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority.

Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII, a body as referred to in paragraph 1 shall, subject to appropriate safeguards, take appropriate action in cases of __________ of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. 

The competent supervisory authority shall __________ the accreditation of a body as referred to in paragraph 1 if the requirements for accreditation are not, or are no longer, met or where actions taken by the body infringe this Regulation.

GDPR shall not apply to processing carried out by __________ authorities and bodies.

Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, certification bodies which have an appropriate level of expertise in relation to data protection shall, after informing the supervisory authority in order to allow it to exercise its powers pursuant to point (h) of Article 58(2) where necessary, issue and __________ certification.

The __________ of certification bodies as referred to in paragraphs 1 and 2 of this Article shall take place on the basis of requirements approved by the supervisory authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63. 

In the case of accreditation pursuant to point (b) of paragraph 1, those requirements shall complement those __________ in Regulation (EC) No 765/2008 and the technical rules that describe the methods and procedures of the certification bodies.

The certification bodies referred to in paragraph 1 shall be responsible for the proper assessment leading to the certification or the __________ of such certification without prejudice to the responsibility of the controller or processor for compliance with GDPR.

The accreditation shall be issued for a maximum period of __________ years and may be renewed on the same conditions provided that the certification body meets the requirements set out in this Article.

The certification bodies referred to in paragraph 1 shall provide the competent supervisory authorities with the reasons for __________ or withdrawing the requested certification.

The supervisory authorities shall not transmit the requirements and criteria to the Board.

Without prejudice to Chapter VIII, the competent supervisory authority or the __________ accreditation body shall revoke an accreditation of a certification body pursuant to paragraph 1 where the conditions for the accreditation are not, or are no longer, met or where actions taken by a certification body infringe this Regulation.

The Commission shall be __________ to adopt delegated acts in accordance with Article 92 for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42(1).

The Commission may adopt implementing acts laying down __________ standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognise those certification mechanisms, seals and marks.

Implementing acts shall be adopted in accordance with the __________ procedure referred to in Article 93(2).

Any transfer of personal data which are __________ processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions, are complied by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.

All provisions shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not __________

Decisions adopted by the Commission on the basis of Article 25(6) of Directive 95/46/EC shall remain in force until amended, replaced or __________ by a Commission Decision adopted in accordance with paragraph 3 or 5 of this Article.

The __________ shall publish in the Official Journal of the European Union and on its website a list of the third countries, territories and specified sectors within a third country and international organisations for which it has decided that an adequate level of protection is or is no longer ensured.

A decision pursuant is without prejudice to transfers of personal data to the third country, a territory or one or more specified __________ within that third country, or the international organisation in question pursuant to Articles 46 to 49.

The Commission shall enter into __________ with the third country or international organisation with a view to remedying the situation giving rise to the decision made pursuant.

The Commission shall, where available information reveals, following the review, that a third country, a territory or one or more specified sectors within a third country, or an international organisation no longer ensures an adequate level of protection , to the extent necessary, repeal, amend or suspend the decision by means of implementing acts without __________ effect.

On duly justified imperative grounds of urgency, the __________ shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 93(3).

A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an __________ level of protection.

A tranfer of personal data to a third country ensuring level of protection, such a transfer shall not require any __________ authorisation.

The Commission, after assessing the adequacy of the level of protection, may decide, by means of __________, that a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2 of the Article 45. 

The implementing act shall provide for a mechanism for a periodic review, at least every __________ years, which shall take into account all relevant developments in the third country or international organisation. 

The implementing act shall specify its __________ and sectoral application and, where applicable, identify the supervisory authority or authorities referred to in point (b) of paragraph 2 of this Article

A __________ pursuant is without prejudice to transfers of personal data to the third country, a territory or one or more specified sectors within that third country, or the international organisation in question pursuant to Articles 46 to 49.

The supervisory authority shall apply the __________ mechanism referred to in Article 63 in the cases referred to in paragraph 3 of the Article 46.

Authorisations by a__________ or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority

In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective __________ remedies for data subjects are available.

The Commission may specify the __________ and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules within the meaning of the Article 47

The binding corporate rules specifies the complaint procedures?

The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided that they expressly confer enforceable rights on data subjects with regard to the processing of their personal data?

Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an __________, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter 5.

The controller or processor shall __________ the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of the Article 49 in the records referred to in Article 30.

In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly __________ to the transfer of specific categories of personal data to a third country or an international organisation. 

The public interest shall be recognised in Union law or in the law of the Member State to which the __________ is subject.

A __________ pursuant shall not involve the entirety of the personal data or entire categories of the personal data contained in the register, where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.

In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries?

Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not __________ by the interests or rights and freedoms of the data subject.

The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling __________ interests pursued.

In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding __________ rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place.

For special personal data which requires a higher level of protection, the Art. 9 of the GDPR provides __________ legal requirements.

The term ‘__________’ is the entryway to the application of the General Data Protection Regulation (GDPR).

Personal data are any information which are related to an identified or identifiable __________ person.

All the special categories of personal data is also known as __________ personal data

In addition to general personal data, one must consider all the special categories of personal data which are __________ relevant because they are subject to a higher level of protection.

The opinions of the supervisory authorities are of considerable practical relevance due to their __________ through their investigative and corrective powers.

The final interpretation of the GDPR is exclusively within the jurisdiction of the European __________.

The __________ to create records of processing activities is not only imposed on the controller and their representative, but also directly on the processor and their representatives as set forth in Art. 30(2) of the GDPR.

If a company does not maintain records of processing activities and/or does not provide a complete index to authorities, they are subject to __________ according to Art. 83(4)(a) of the GDPR. 

The __________ allows the data subject to exercise further rights (such as rectification and erasure). On the other hand, because an omitted or incomplete disclosure is subject to fines.

Information can be provided to the data subject in writing, electronically or verbally as per Art. 12(1) sentences 2 and 3 of the GDPR, depending on the __________. 

The General Data Protection Regulation (GDPR) offers a uniform, Europe-wide possibility for so-called ‘__________ data processing’, which is the gathering, processing or use of personal data by a processor in accordance with the instructions of the controller based on a contract.

The first thoughts of “__________” were expressed in the 1970s and were incorporated in the 1990s into the RL 95/46/EC data protection directive.

The term “Privacy by Design” means nothing more than “data protection through __________ design.”

Recognised certification can serve as an indicator to authorities that the persons responsible have complied with the __________ requirements of “Privacy by Design”.

The principle that processing is __________ but subject to the possibility of authorisation also applies to the personal data which is used to send e-mails.

Companies can reduce the __________ of a data breach and thus reduce the risk of fines in the future, if they chose to use encryption of personal data. 

__________ refers to the procedure that converts clear text into a hashed code using a key, where the outgoing information only becomes readable again by using the correct key. 

Encryption as a concept is explicitly mentioned as one possible technical and organisational measure to __________ data in the list of Art. 32(1) of the GDPR, which is not exhaustive.

__________ authorities can or must assess fines for specific data protection violations in accordance with the General Data Protection Regulation. 

What is the full form of TFEU?

According to __________ of the European Court of Justice, “the concept of an undertaking encompasses every entity engaged in an economic activity, regardless of the legal status of the entity or the way in which it is financed”.

Each __________ shall lay down rules on other penalties for infringements of the Regulation which are not already covered by Art. 83. 

A __________ situation in a company can be revealed through proactive inspection activities conducted by the data protection authorities, by an unsatisfied employee or by customers or potential customers who complain to the authorities, through the company making a self-denunciation, or by the press in general, especially through investigative journalism.

The articles of the GDPR have been adopted and the latest and final recitals on __________

The protection of natural persons in relation to the processing of personal data is a __________ right.

Article 8(1) of the __________ (the ‘Charter’) and Article 16(1) of TFEU provide that everyone has the right to the protection of personal data concerning him or her.

The exchange of personal data between public and private actors, including natural persons, associations and undertakings across the Union has __________

__________ authorities in the Member States are being called upon by Union law to cooperate and exchange personal data so as to be able to perform their duties or carry out tasks on behalf of an authority in another Member State.

Directive 95/46/EC of the European Parliament and of the Council seeks to __________ the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal data between Member States.

The right to the protection of personal data is not an __________ right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. 

In order to __________ transparency and compliance, the establishment of certification mechanisms and data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services

__________ allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. 

__________ in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the Member States may prevent the free flow of personal data throughout the Union. 

The differences in the level of protection of rights and freedoms of natural persons, may therefore constitute an obstacle to the pursuit of __________ activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. 

In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be __________ in all Member States.

Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the __________

Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, __________ should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation.

In conjunction with the __________ and horizontal law on data protection implementing Directive 95/46/EC, Member States have several sector-specific laws in areas that need more specific provisions

Effective protection of personal data throughout the Union requires the __________ and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States.

Article 16(2) TFEU mandates the European Parliament and the __________ to lay down the rules relating to the protection of natural persons with regard to the processing of personal data and the rules relating to the free movement of personal data.

The proper functioning of the __________ market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. 

To take account of the specific situation of micro, small and medium-sized enterprises, a __________ for organisations with fewer than 250 employees with regard to record-keeping

The Union institutions and bodies, and Member States and their supervisory authorities, are __________ to take account of the specific needs of micro, small and medium-sized enterprises in the application.

The __________ of personal data should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data

The Regulation does not cover the __________ of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.

In order to prevent creating a serious risk of circumvention, the protection of natural persons should be __________ neutral and should not depend on the techniques used.

The delegation of __________ referred to in Article 12(8) and Article 43(8) may be revoked at any time by the European Parliament or by the Council.

The delegation of power referred to in Article 12(8) and Article 43(8) shall be conferred on the Commission for an __________ period of time from 24 May 2016.

The Regulation shall not impose additional __________ on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.

International agreements involving the __________ of personal data to third countries or international organisations which were concluded by Member States prior to 24 May 2016, and which comply with Union law as applicable prior to that date, shall remain in force until amended, replaced or revoked.

By 25 May 2020 and every __________ years thereafter, the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. The reports shall be made public.

In carrying out the evaluations and reviews referred to in paragraphs 1 and 2, the __________ shall take into account the positions and findings of the European Parliament, of the Council, and of other relevant bodies or sources.

The Commission shall, if appropriate, submit legislative proposals with a view to amending other Union legal acts on the protection of personal data, in order to ensure __________ and consistent protection of natural persons with regard to processing.

Where in a Member State, churches and religious associations or communities apply, at the time of entry into force of the Regulation, __________ rules relating to the protection of natural persons with regard to processing, such rules may continue to apply, provided that they are brought into line with the Regulation.

Churches and religious associations which apply comprehensive rules in accordance shall be subject to the supervision of an __________ supervisory authority, which may be specific, provided that it fulfils the conditions laid down in Chapter VI of the Regulation.

Member States may further determine the specific conditions for the processing of a __________ or any other identifier of general application

Personal data in official documents held by a public authority or a public body or a private body for the performance of a task carried out in the public interest may be __________ by the authority or body in accordance with Union or Member State law to which the public authority or body is subject in order to reconcile public access to official documents with the right to the protection of personal data pursuant to this Regulation.

Member States shall by law __________ the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.

Each Member State shall notify to the __________ the provisions of its law which it has adopted pursuant and, without delay, any subsequent amendment law or amendment affecting them.

The processing of personal data by official authorities for the purpose of achieving the aims, laid down by __________ law or by international public law, of officially recognised religious associations, is carried out on grounds of public interest.

The controller should be obliged to __________ appropriate and effective measures and be able to demonstrate the compliance of processing activities , including the effectiveness of the measures. 

The General Data Protection Regulation is a __________ in EU law 

The General Data Protection Regulation is based on __________ and privacy for all individuals within the European Union (EU)

The GDPR aims primarily to __________ to individuals over their personal data.

The European Data Protection Regulation is applicable as of __________ in all member states to harmonize data privacy laws across Europe.

GDPR simplifies the regulatory environment for international business by unifying the regulation within the EU.

GDPR also addresses the export of personal data outside the EU and EEA areas?

__________ is responsible for managing compliance with the GDPR.

The GDPR was adopted on __________ 2016 

In November 2018, __________ was accused of GDPR privacy violations by 7 countries

The GDPR consists of __________ articles

The free movement of personal data within the Union shall be neither __________ nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

For the processing of personal data by the __________ institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies.

When did the GDPR became valid in the EEA countries (Iceland, Liechtenstein, and Norway)after the EEA Joint Committee and the three countries agreed to follow the regulation?

How many bases are mentioned in the General Data Protection Regulation (GDPR)?

GDPR replaces the 1995 __________, and goes into force on May 25, 2018.

GDPR applies to the processing of personal data wholly or partly by __________ means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

In the course of an activity which falls outside the scope of Union law does GDPR apply to the processing of personal data ?

By a __________ person in the course of a purely personal or household activity GDPR does not apply to the processing of personal data.

GDPR applies to the processing of personal data by a controller not established in the __________ , but in a place where Member State law applies by virtue of public international law.

GDPR applies to the processing of personal data in the context of the activities of an __________ of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

__________ means the marking of stored personal data with the aim of limiting their processing in the future.

__________ means the processing of personal data, that the personal data can no longer be attributed to a specific data subject without the use of additional information, which is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

__________ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis

__________ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data

__________ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

__________ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

__________ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

__________ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status

__________ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity

__________ means an independent public authority which is established by a Member State pursuant to Article 51

__________ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries

__________ shall be lawful only if and to the extent that at least one of the following applies processing is necessary for compliance with a legal obligation to which the controller is subject

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a __________

Where processing is based on consent, the __________ shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

The data __________ shall have the right to withdraw his or her consent at any time in GDPR

When assessing whether consent is freely given, utmost account shall be taken of whether, __________, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Member States may provide by law for a lower age for those purposes provided that such lower age is not below __________ years.

Where point (a) of Article 6(1) applies, in relation to the offer of information society services __________ to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be __________

Member States may maintain or introduce further conditions, including __________, with regard to the processing of genetic data, biometric data or data concerning health.

Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for__________ for the rights and freedoms of data subjects

Any comprehensive register of criminal convictions shall be kept only under the control of __________ authority.

If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be __________ to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.

The GDPR requires businesses and organizations to obtain __________ consent to process the personal data of children under the age of 16.

The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any __________ under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. 

The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within __________ month of receipt of the request

Where personal data are transferred to a third country or to an international organisation, the __________ shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

The right to obtain a __________ referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

The data subject shall have the right to obtain from the controller without undue delay the __________ of inaccurate personal data concerning him or her.

A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be __________ by the controller before the restriction of processing is lifted.

Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the __________of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

GDPR also __________ the 1998 UK Data Protection Act.

The __________ shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.

The __________ shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request from data subject.

In exercising his or her right to __________ pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

The data subject shall have the __________ from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay with certain rules.

The right of data portability referred to in paragraph 1 shall not __________ affect the rights and freedoms of others

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each __________ to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

The __________ shall inform the data subject about those recipients if the data subject requests it to disclose the personal data.

The data subject shall have the right to __________, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions

The controller shall no longer process the personal data unless the controller __________ compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where the data subject objects to processing for __________purposes, the personal data shall no longer be processed for such purposes.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes __________ to the extent that it is related to such direct marketing.

At the latest at the time of the first communication with the __________, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

In the context of the use of information society services, and__________ Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to __________, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest

Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided in so far as its provisions correspond to the rights and obligations provided, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to __________

The data subject shall have the right not to be subject to a decision based solely on __________ processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and __________ measures to ensure and to be able to demonstrate that processing is performed in accordance with GDPR.

Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the __________ of appropriate data protection policies by the controller.

Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate __________ with the obligations of the controller.

An approved __________ mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

__________, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are __________ for each specific purpose of the processing are processed.

Personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons?

Where two or more controllers jointly determine the purposes and means of processing, they shall be __________.

Joint Controller shall in a __________ manner determine their respective responsibilities for compliance with the obligations , such as the exercising of the rights of the data subject and their respective duties to provide the information.

The arrangement referred to in paragraph 1 shall duly __________ the respective roles and relationships of the joint controllers vis-à-vis the data subjects. 

Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may __________ his or her rights under this Regulation in respect of and against each of the controllers in joint controller.

Where Article 3(2) applies, the controller or the processor shall __________ in writing a representative in the Union.

The representative shall be __________ in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored.

The __________ shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with GDPR

The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated __________ the controller or the processor themselves.

Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees in such a manner that processing will meet the __________ and ensure the protection of the rights of the data subject.

The processor shall not engage another processor without prior specific or general written __________ of the controller.

In the case of general written authorisation, the __________ shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

Processing by a processor shall be __________ by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.