Exercise 1:-

Prepare a Data Processing Questionnaire to determine the lawful basis of processing.

1. What type of personal data do you collect from users?
2. How do you obtain the consent of users for collecting and processing their personal data?
3. How do you ensure that the consent is freely given, specific, informed, and unambiguous?
4. How do you ensure that the consent is revocable at any time?
5. How do you ensure the data is collected and processed for a specific, explicit, legitimate
purpose?
6. How do you ensure that the data is adequate, relevant and limited to what is necessary for
the purpose of the processing?
7. How do you ensure that the data is accurate and kept up to date?
8. How do you ensure that the data is kept for no longer than is necessary for the purpose of
the processing?

Exercise 2:-
Advise your client on developing best practices to get
consent while collecting personal data.
(Q.1) The best practice for obtaining consent for the privacy policy on the website is to
ensure that the policy is easily accessible and clearly visible to the user. The policy should be
written in plain language and should be concise and easy to understand. Additionally, the user
should be given the option to opt in or opt out of the policy. The user should also be given
the option to withdraw their consent at any time. Furthermore, the user should be informed of
the consequences of not providing consent. Finally, the user should be provided with a clear
and unambiguous way to provide their consent.
(Q.2)
1. Make sure that the consent request is clear and concise. The request should be
written in plain language and should not contain any legal jargon.
2. Provide the user with an easy way to withdraw their consent. This should be as easy as
giving consent.
3. Make sure that the user is aware of the type of data that is being collected and how it will
be used.
4. Provide the user with an option to opt out of cookie collection.
5. Make sure that the user is aware of the consequences of not giving consent.
6. Make sure that the user is aware of their right to lodge a complaint with the relevant data
protection authority.
7. Make sure that the user is aware of the company’s contact details in case they have any
queries or concerns.
8. Make sure that the user is aware of the company’s data retention policy.
9. Make sure that the user is aware of the company’s data security measures.
10. Make sure that the user is aware of the company’s data sharing policy.
If the user does not consent to place cookies, the company can rely on other grounds for
processing such as legitimate interests or performance of a contract. However, it is important
to note that the company must still comply with the GDPR’s principles and requirements.
(Q.3)
1. Make sure that the consent is freely given, specific, informed and unambiguous.
2. Ensure that the consent is given by a clear affirmative action such as ticking a box or
clicking a button.
3. Make sure that the user is aware of the purpose of the data processing and the type of data
being collected.
4. Provide a clear and easily accessible way for the user to withdraw their consent.
5. Make sure that the user is aware of their right to withdraw their consent at any time.
6. Make sure that the user is aware of the consequences of withdrawing their consent.
7. Make sure that the user is aware of their right to lodge a complaint with the relevant
supervisory authority.
8. Make sure that the user is aware of the data controller’s contact details.
9. Make sure that the user is aware of the data controller’s data protection policy.
10. Make sure that the user is aware of the data controller’s data retention policy.
