UPSC (2026) Practice MCQs on DPDP Act 2023, DPDP Rules 2025, data governance, privacy jurisprudence, and digital regulation.
1. With reference to the DPDP Act, consider the following statements:
- The Act applies even to processing of digital personal data occurring outside India, if it is connected with offering goods or services in India.
- The Act applies only to automated processing of personal data.
- The Act excludes personal data made publicly available by the Data Principal.
Which of the statements given above is/are correct?
(a) 1 only
(b) 1 and 3 only
(c) 2 and 3 only
(d) 1, 2 and 3
✅ Answer: (b)
Explanation:
- Extraterritorial application → True.
- Applies to manual + automated digital data → so (2) is false.
- Publicly available personal data is excluded → (3) is true.
2. In the context of data protection, “legitimate use” under the DPDP Act includes which of the following?
- Processing necessary for performance of any function under law.
- Processing of personal data for employment-related purposes.
- Processing for enforcing legal rights or claims.
(a) 1 and 2 only
(b) 1 and 3 only
(c) 2 and 3 only
(d) 1, 2 and 3
✅ Answer: (d)
3. Consider the following:
- Data minimisation
- Purpose limitation
- Algorithmic fairness
- Storage limitation
Which of the above are explicit principles under the DPDP Act?
(a) 1, 2 and 4 only
(b) 1, 3 and 4 only
(c) 1 and 2 only
(d) 1, 2, 3 and 4
✅ Answer: (a)
4. Consider the following statements regarding the Data Protection Board (DPB):
- It can direct any Data Fiduciary to adopt urgent measures to remedy a personal data breach.
- The Board is empowered to issue binding directions to Data Processors even when the Data Fiduciary is compliant.
- The Board may impose monetary penalties without conducting an inquiry.
(a) 1 only
(b) 1 and 2 only
(c) 2 and 3 only
(d) 1, 2 and 3
✅ Answer: (b)
Explanation:
- Inquiry is mandatory for penalty → statement 3 is false.
5. With reference to the DPDP framework, which of the following scenarios violate consent requirements?
- Bundled consent for multiple unrelated purposes.
- Consent given through a complicated notice that hides essential information.
- Consent obtained from a guardian for essential healthcare services for a child.
(a) 1 only
(b) 1 and 2 only
(c) 1 and 3 only
(d) 2 and 3 only
✅ Answer: (b)
Explanation:
- Guardian consent is not required for essential services → but obtaining it does NOT violate the Act.
6. Under the DPDP Rules, 2025, which of the following obligations apply exclusively to Significant Data Fiduciaries (SDFs)?
- Appointment of a Data Protection Officer.
- Conduct of Data Protection Impact Assessments (DPIA).
- Annual independent data audits.
- Mandatory data localisation irrespective of sector.
(a) 1, 2 and 3 only
(b) 2 and 3 only
(c) 1 and 2 only
(d) 1, 2, 3 and 4
✅ Answer: (a)
Explanation:
- Data localisation is sector/risk-specific, not universal → (4) false.
7. In the context of data protection, anonymised data differs from personal data because:
(a) It cannot be re-identified under any circumstances
(b) It is outside the scope of the DPDP Act
(c) It can only be used for statistical purposes
(d) It is regulated only under sectoral laws
✅ Answer: (b)
Explanation:
- The Act explicitly excludes anonymised data.
- Re-identification is theoretically possible; the Act does not claim impossibility.
8. Consider the following statements:
- The amendment to Section 8(1)(j) of the RTI Act completely prohibits disclosure of all personal information.
- Section 8(2) continues to permit disclosure of personal information in larger public interest.
- The amendment aligns the RTI Act with the constitutional right to privacy.
Which of the above statements is/are correct?
(a) 1 only
(b) 2 and 3 only
(c) 1 and 3 only
(d) 1, 2 and 3
✅ Answer: (b)
Explanation:
- Statement 1 is false; disclosure is still permitted where public interest outweighs harm.
9. Consider the following situations:
- A company deletes user data immediately upon withdrawal of consent.
- A Data Fiduciary retains user data even after the purpose is fulfilled, citing technical constraints.
- A bank shares customer data with a third-party processor without a formal contract.
Which of the above situations violate the DPDP framework?
(a) 1 and 2 only
(b) 2 and 3 only
(c) 1 and 3 only
(d) 1, 2 and 3
✅ Answer: (b)
Explanation:
- (1) is compliant behaviour.
- (2) violates storage limitation.
- (3) violates accountability and requirements for processor contracts.
10. With reference to “reasonable security safeguards” under the DPDP Act, violation of which of the following leads to the highest penalty under the Act?
(a) Inadequate encryption of stored data
(b) Failure to notify users of a breach
(c) Processing children’s data without parental consent
(d) Failure to conduct a Data Protection Impact Assessment
✅ Answer: (a)
Explanation:
- Failure to maintain “reasonable security safeguards” → ₹250 crore (highest).
- Breach notification + child violations → ₹200 crore.
- DPIA violations → not the highest.