Exam Prep · Test-day strategy & the classic traps
On the day, technique matters. Read the full stem, watch for absolutes ("always", "never"), and pick the best answer, not merely a true one. Most lost marks come from a handful of recurring confusions the examiners love - learn to tell each pair apart on sight.
- Read the whole stem and every option before answering - the last option is often the best.
- Treat absolutes ('always', 'never', 'only') with suspicion unless the rule really is absolute (e.g., the absolute right to object to direct marketing).
- For scenarios, first identify the role (controller vs processor) and the lawful basis; the question then usually answers itself.
- Eliminate two options fast, then decide between the remaining two on the load-bearing fact.
- Manage time: 90 questions in 150 minutes ≈ 100 seconds each. Flag and move on; don't sink five minutes into one item.
- Don't change a considered answer without a clear reason.
| Don't confuse… | …with | The deciding fact |
|---|---|---|
| Council of Europe (46 states, no legislative power, ECHR/Convention 108) | European Union (27 states, makes binding law) | The CoE is an international body; the ECtHR is NOT an EU court |
| Controller (determines purposes & means) | Processor (acts on instructions) | Who decides the 'why'? Only a controller |
| Consent | Legitimate interests | Imbalance of power / need to withdraw → not consent |
| Article 13 (data from the data subject) | Article 14 (data from another source) | Art 14 adds the source + categories, with a 1-month timing rule |
| 72 hours (notify the SA, Art 33) | Without undue delay / high risk (tell data subjects, Art 34) | Regulator = 72h; individuals = high risk, no fixed hour |
| Lower fine tier (€10m or 2%) | Higher fine tier (€20m or 4%) | Principles/rights/transfers breaches = the 4% tier |
| Directive (transposed by states) | Regulation (directly applicable) | GDPR is a Regulation; ePrivacy is a Directive |
| Anonymous data (outside the GDPR) | Pseudonymous data (still personal data) | Can it be re-identified with extra info? Then it's pseudonymous |
Read for the trigger word
Scenario stems hide the answer in one phrase: "public authority" (can't use legitimate interests; needs a DPO), "solely automated" (Article 22), "manifestly made public" (Article 9 exception), "not established in the EU but targeting EU residents" (Article 3(2) + Article 27 representative).
Key terms - quick answers
What is a “distractor”?
A deliberately plausible wrong option, usually drawn from a common misconception or an adjacent concept.
What is a “stem”?
The question text before the answer options; scenario stems hide the key fact that decides the answer.