Why this specialty matters
The Logic: In the EU, data protection isn't a bureaucratic hurdle. It is a fundamental right. Stop seeing yourself as a "compliance officer." You are a rights guardian.
The Impact: You translate abstract legal principles into operational reality. Imagine a Directorate-General launching a new public consultation portal. You ensure "privacy by design" is more than a buzzword by setting technical constraints that stop the over-collection of data.
The Ecosystem: You live at the intersection of law and technology. You are the bridge between technical developers and the European Data Protection Supervisor (EDPS). Your goal is simple: mitigate legal risks for the Union while upholding the global gold standard of privacy.
What EPSO actually tests
The Logic: EPSO doesn't care if you can memorize articles. They want to see if you can apply them to a messy, real-world scenario. Can you navigate the hierarchy of norms without getting lost?
The Core: You must distinguish between the General Data Protection Regulation (GDPR) and Regulation 2018/1725 (EUDPR). They are siblings, but the EUDPR is tailored for EU institutions. If a scenario involves an EU body processing data and you apply the GDPR instead of the EUDPR, you've made a critical error.
The Perimeter: EPSO also evaluates your grasp of the evolving data ecosystem:
- Data Governance Act (Reg. 2022/868) and Data Act (Reg. 2023/2854): The shift from protecting data to sharing it securely.
- ePrivacy Directive (2002/58/EC): Specific rules for cookies and electronic communications.
- International Transfers: How data moves beyond the EEA via Adequacy, SCCs, and BCRs.
The seven core areas
1. GDPR lawful basis for processing
Processing data without a legal basis is an automatic infringement. Under Regulation 2016/679, you need the correct "hook." Don't just list the bases. Learn to choose between them. For instance, if an institution processes data because a specific EU law requires it, the basis is "legal obligation," not "consent." Consent is your last resort. It must be freely given, specific, informed, and unambiguous.
2. Data subject rights and exemptions
Rights give citizens control over their data. Master the seven core ones: access, rectification, erasure, restriction of processing, data portability, objection, and the rights relating to automated decision-making. Focus on the limits, because no right is absolute. The "right to erasure" (the right to be forgotten) can be denied if the data is necessary for freedom of expression and information.
3. Controller and Processor obligations
Responsibility follows power. The entity deciding why data is processed carries the heaviest burden. Article 24 of the GDPR requires the controller to implement appropriate technical and organisational measures. Use the "Decision Test." If you decide the purpose (the why) and the means (the how), you are the Controller. If you simply follow instructions to store or otherwise process that data, you are the Processor.
4. DPO appointment and tasks
The Data Protection Officer (DPO) is the internal conscience of the organization. In all Union institutions, a DPO is mandatory under Regulation 2018/1725. Remember the DPO's dual nature: they advise the controller but must remain independent. They don't "own" compliance; they monitor it and guide the institution toward it.
5. EDPS mandate and powers
The European Data Protection Supervisor (EDPS) is the ultimate referee for EU bodies. Under Regulation 2018/1725, the EDPS has investigation and corrective powers. Distinguish between advisory roles (DPO) and enforcement roles (EDPS). The EDPS can impose sanctions and bring infringements before the Court of Justice. A DPO cannot do this.
6. Data Governance Act and Data Act
The EU is moving toward a "Single Market for Data." Reg. 2022/868 (DGA) and Reg. 2023/2854 (Data Act) focus on data altruism and accessibility. These complement the GDPR. While GDPR says "don't share without a reason," the DGA and Data Act provide the framework for sharing data legally to foster innovation.
7. ePrivacy and international transfers
Data doesn't stop at borders or inside a browser. The ePrivacy Directive (2002/58/EC) handles cookies and confidentiality. International transfer mechanisms—SCCs, BCRs, Adequacy—handle the "Schrems II" challenge. When analyzing a transfer to a non-EU country, check for an Adequacy Decision first. If none exists, look for "appropriate safeguards" like Standard Contractual Clauses (SCCs).
Format and timing
The Challenge: 30 multiple-choice questions in 40 minutes.
The Math: You have about 80 seconds per question. This isn't a test of deep reflection. It is pattern recognition.
The Threshold: You need 15/30 to pass. Precision in technical terminology is non-negotiable, especially if you are testing in a second language.
A study plan that actually works
Week 1: The Foundation (The "What")
Read Regulation 2016/679 (GDPR) and Regulation 2018/1725 (EUDPR). Create a "Delta Table." List the GDPR rule in one column and the EUDPR variation in the next. Focus on how EU institutions differ from private companies.
Weeks 2-4: The Ecosystem (The "How")
Spend one week each on the Data Governance Act, the Data Act, and ePrivacy/International Transfers. Stop highlighting text. Write "If-Then" statements instead. For example: "If data is transferred to the US and no adequacy decision exists, then I must check for SCCs."
Weeks 5-6: The Simulation (The "Speed")
Shift to FRMCQ practice. When you get a question wrong, don't just read the correct answer. Go back to the specific Article in the Regulation. Find the exact phrase that makes the wrong answer wrong.
Common traps to inoculate against
Trap 1: The "Institutional Swap"
A scenario describes an EU Agency, but the options use GDPR rules for private businesses (like mentioning "National Supervisory Authorities" instead of the EDPS). Identify the actor first. Before reading the options, circle the entity. If it's a Union body, switch your brain to Regulation 2018/1725 mode.
Trap 2: The "Absolute Right" Fallacy
An option states that a data subject has an "absolute right" to access or erase their data. Search for the qualifier. In EU law, almost no right is absolute. Look for words like "unless," "subject to," or "proportionate." If an answer sounds too absolute, it is likely a distractor.
You have what it takes
The volume of regulations feels like a mountain, but the logic is consistent: Transparency, Purpose Limitation, and Proportionality. Map the relationship between these laws rather than memorizing them in isolation. You aren't just studying for a test. You are training to be a specialist. Stay disciplined, stick to the official texts, and you will succeed.
