Module 4 Assessment Quiz | CDPL

Q1Part 1: SDF Designation

Under Section 10(1) DPDPA 2023, a Data Fiduciary may be notified as a Significant Data Fiduciary based on:

A.Annual revenue exceeding ₹500 crore B.Number of employees in the organization C.Volume and sensitivity of personal data processed, and risk to Data Principal rights D.Whether the organization is publicly listed

Explanation

Section 10(1) specifies six factors including volume/sensitivity, risk to Data Principal rights, sovereignty of India, electoral democracy, State security, and public order. Revenue is not a statutory factor.

Q2Part 1: SDF Designation

Which is NOT a factor in Section 10(1) for SDF determination?

A.Risk to electoral democracy B.Market capitalization of the company C.Security of the State D.Public order

Explanation

Section 10(1) lists specific factors focusing on data processing impact, not corporate financial metrics like market capitalization.

Q3Part 1: SDF Designation

The maximum penalty for SDF non-compliance under Section 18(1)(c) is:

A.₹150 crore B.₹250 crore C.₹50 crore D.₹500 crore

Explanation

Section 18(1)(c) imposes penalty up to ₹150 crore for SDF non-compliance with Section 10 obligations.

Q4Part 1: SDF Designation

SDF designation occurs through:

A.Self-declaration by the Data Fiduciary B.Data Principal complaint to DPB C.Central Government notification — entity-specific or class-based D.Automatic trigger at 1 crore Data Principals

Explanation

Section 10(1) uses "Central Government may... notify" — designation is by Government notification, either entity-specific or class-based.

Q5Part 1: SDF Designation

Which factor relates to India's digital sovereignty under Section 10(1)?

A.Volume of data processed B.Risk to Data Principal rights C.Sensitivity of personal data D.Potential impact on sovereignty and integrity of India

Explanation

Section 10(1)(c) explicitly lists "potential impact on the sovereignty and integrity of India" as a factor for SDF designation.

Q6Part 2: DPO Requirements

Under Section 10(2)(a), a DPO must satisfy how many mandatory requirements?

A.Two requirements B.Four requirements C.Six requirements D.Eight requirements

Explanation

Section 10(2)(a) specifies four mandatory DPO requirements: (i) represent SDF, (ii) India-based, (iii) Board-responsible, (iv) grievance contact.

Q7Part 2: DPO Requirements

Which is a mandatory statutory requirement for the DPO under Section 10(2)(a)?

A.Must have a law degree B.Must have 10 years experience C.Must be employed full-time D.Must be based in India

Explanation

Section 10(2)(a)(ii) explicitly requires the DPO to "be based in India" — the only location requirement in the statute.

Q8Part 2: DPO Requirements

The DPO must be responsible to:

A.The Chief Executive Officer B.The Data Protection Board of India C.The Board of Directors or similar governing body D.The Chief Information Security Officer

Explanation

Section 10(2)(a)(iii) requires DPO to be "responsible to the Board of Directors or similar governing body."

Q9Part 2: DPO Requirements

Under Section 10(2)(a)(iv), the DPO serves as:

A.Chief compliance officer B.Point of contact for grievance redressal C.External auditor liaison D.Government relations officer

Explanation

Section 10(2)(a)(iv) designates the DPO as "the point of contact for the grievance redressal mechanism under the provisions of this Act."

Q10Part 2: DPO Requirements

Can a Singapore-based Global CPO serve as DPO for an Indian SDF?

A.No — DPO must be based in India B.Yes — if they have a local team C.Yes — global CPOs are permitted D.Depends on quarterly visits to India

Explanation

Section 10(2)(a)(ii) mandates "be based in India" — this is non-negotiable. A Singapore-based CPO cannot serve as DPO.

Q11Part 3: DPIA Framework

According to Section 10(2)(c)(i), a DPIA must comprise:

A.Description of Data Principal rights, purpose of processing, and risk assessment/management B.Financial impact analysis C.Penetration testing results D.Competitive analysis

Explanation

Section 10(2)(c)(i) defines DPIA as comprising: (1) rights description, (2) purpose of processing, (3) risk assessment and management.

Q12Part 3: DPIA Framework

Under Rule 12(1), how frequently must an SDF undertake DPIA?

A.Every six months B.Every calendar year C.Once every twelve months from SDF notification date D.Only when launching new processing

Explanation

Rule 12(1): "once in every period of twelve months from the date on which it is notified" — rolling 12-month cycle, NOT calendar year.

Q13Part 3: DPIA Framework

Under Rule 12(2), after completing DPIA, the SDF must:

A.Publish full DPIA on website B.Keep DPIA confidential for 5 years C.Submit complete DPIA to Central Government D.Cause assessor to furnish to DPB a report containing significant observations

Explanation

Rule 12(2): "furnish to the Board a report containing significant observations" — not full report, and to DPB, not Central Government.

Q14Part 3: DPIA Framework

In risk assessment, "Critical" risk level results from:

A.High likelihood × Severe impact B.Low likelihood × Moderate impact C.Medium likelihood × Minor impact D.Very low likelihood × Any impact

Explanation

Risk = Likelihood × Impact. High likelihood + Severe impact = Critical risk requiring immediate mitigation.

Q15Part 3: DPIA Framework

When an SDF launches a new AI diagnostic tool, what DPIA approach is best?

A.Wait for annual DPIA cycle B.Conduct project-specific DPIA before launch, then include in annual DPIA C.No DPIA needed within first 12 months D.Only notify DPB

Explanation

High-risk new processing should have project-specific DPIA before deployment, not wait for annual cycle.

Q16Part 4: Periodic Audits

Section 10(2)(b) requires an independent data auditor to:

A.Audit financial statements B.Conduct penetration testing C.Evaluate compliance with DPDPA provisions D.Review HR policies

Explanation

Section 10(2)(b): auditor shall "evaluate the compliance of the SDF in accordance with the provisions of this Act."

Q17Part 4: Periodic Audits

Why is "independence" emphasized for the data auditor?

A.To reduce audit costs B.To ensure faster completion C.To comply with international transfers D.To ensure objective evaluation without conflict of interest (nemo judex in causa sua)

Explanation

"Independent" reflects nemo judex in causa sua — no one should be judge in their own cause. Ensures objective evaluation.

Q18Part 4: Periodic Audits

A firm providing IT implementation services to an SDF wants to also be its data auditor. Is this appropriate?

A.Yes — familiarity helps B.No — existing business relationship creates conflict of interest C.Yes — if different team members D.Depends on DPB approval

Explanation

IT implementation + audit = conflict of interest. They'd be auditing systems they built. Compromises independence.

Q19Part 4: Periodic Audits

What is the relationship between DPIA and periodic audit under DPDPA?

A.Both required annually under Rule 12(1) and can be operationally integrated B.DPIA replaces audit if risk is low C.Audit only if DPIA identifies critical risks D.Must be conducted by different parties

Explanation

Rule 12(1) mandates both "DPIA and an audit" — separate but complementary, can be operationally integrated.

Q20Part 4: Periodic Audits

"Significant observations" in Rule 12(2) DPB reporting likely includes:

A.Only positive findings B.Every minor procedural deviation C.Material non-compliance, systemic weaknesses, high-risk findings, unresolved prior issues D.Only remediated findings

Explanation

"Significant" means findings that matter: material non-compliance, systemic weaknesses, high-risk findings, unresolved prior issues.

Q21Part 5: Algorithmic Governance

Under Rule 12(3), an SDF must verify that algorithmic software is not likely to pose a risk to:

A.The SDF's market share B.The rights of Data Principals C.The SDF's intellectual property D.Third-party vendors

Explanation

Rule 12(3): verify algorithms are "not likely to pose a risk to the rights of Data Principals."

Q22Part 5: Algorithmic Governance

Rule 12(3) applies to algorithmic software used for all EXCEPT:

A.Hosting personal data B.Sharing personal data C.Modifying personal data D.General payroll processing (not involving personal data of Data Principals)

Explanation

Rule 12(3) lists: hosting, display, uploading, modification, publishing, transmission, storage, updating, sharing of personal data. General payroll not directly listed.

Q23Part 5: Data Localization

Under Rule 12(4), data localization applies to:

A.Personal data categories specified by Central Government on committee recommendation B.All personal data processed by SDFs C.Only sensitive personal data D.Data of government employees only

Explanation

Rule 12(4): conditional localization — "personal data specified by the Central Government on the basis of the recommendations of a committee."

Q24Part 5: Data Localization

Under Rule 12(4), when specified data must be localized, the restriction applies to:

A.Only the personal data content B.Only processing operations C.Both personal data AND traffic data pertaining to its flow D.Only metadata

Explanation

Rule 12(4) covers "the personal data and the traffic data pertaining to its flow" — both content AND metadata.

Q25Part 5: Data Localization

If payment transaction data is notified for localization, can an SDF send it to a US analytics dashboard?

A.Yes — if encrypted during transfer B.No — localized data cannot be transferred outside India C.Yes — analytics isn't processing D.Yes — with data transfer agreement

Explanation

Rule 12(4): specified data "is not transferred outside the territory of India" — no exceptions for encryption or agreements.

Module 4: Significant Data Fiduciary Compliance

📋 Instructions