1. Which regulation is primarily known for its strict requirements on data protection in the European
Union?
A. HIPAA
B. CCPA
C. GDPR
D. PIPEDA
Answer: C
Explanation: The GDPR (General Data Protection Regulation) is the EU regulation that imposes strict
rules on data protection and privacy for individuals within the EU.
2. Under the GDPR, who is responsible for ensuring that data processing complies with the regulation?
A. Data Processor
B. Data Controller
C. Data Subject
D. Third-Party Vendor
Answer: B
Explanation: The data controller is responsible for ensuring that data processing complies with the
GDPR, as they determine the purposes and means of processing personal data.
3. What is the term used for the legal basis that permits the processing of personal data with the
consent of the data subject?
A. Contractual necessity
B. Legitimate interests
C. Consent
D. Public interest
Answer: C
Explanation: Consent is a lawful basis under the GDPR that allows personal data processing when a data
subject explicitly agrees to it.
4. Which of the following is a key principle of data protection?
A. Unlimited retention of data
B. Data minimization
C. Processing without transparency
D. Purpose expansion
Answer: B
Explanation: Data minimization requires that only the minimum necessary data is collected and
processed, a fundamental principle of data protection.
5. What is the primary role of a Data Protection Officer (DPO) as specified in Article 37 of the GDPR?
A. To handle IT support requests
B. To oversee and advise on data protection compliance
C. To manage marketing campaigns
D. To develop new software applications
Answer: B
Explanation: A DPO’s main role is to monitor compliance with data protection laws, advise the
organization, and act as a contact point for data subjects and supervisory authorities.
6. Which of the following rights is granted to data subjects under data protection laws?
A. Right to data manipulation
B. Right to data commercialization
C. Right to access their personal data
D. Right to unlimited data retention
Answer: C
Explanation: Data subjects have the right to access their personal data as part of their rights under
various data protection laws.
7. What does the term “privacy by design” refer to in data protection governance?
A. Adding privacy features after product launch
B. Embedding privacy into the design and development of processes
C. Ignoring privacy during system design
D. Outsourcing privacy compliance
Answer: B
Explanation: Privacy by design means that privacy is integrated into the design and development of
systems and processes from the start.
8. Which document outlines the processing activities and data flows within an organization?
A. Data Breach Report
B. Data Mapping and Record of Processing Activities
C. Privacy Notice
D. Incident Response Plan
Answer: B
Explanation: Data mapping and record of processing activities document the flow and management of
personal data within an organization.
9. What is a key responsibility of a DPO in relation to internal audits?
A. Approving marketing strategies
B. Conducting regular audits to ensure data protection compliance
C. Managing payroll and HR policies
D. Designing product features
Answer: B
Explanation: A DPO conducts regular audits to verify that data processing activities comply with
applicable data protection laws and internal policies.
10. Which mechanism can be used to ensure the secure transfer of personal data across borders?
A. Data retention policies
B. Standard Contractual Clauses (SCCs)
C. Data anonymization
D. Encryption only
Answer: B
Explanation: Standard Contractual Clauses (SCCs) are one mechanism that ensures the secure transfer of
personal data to countries outside the EU.
11. Which of the following is NOT considered a sensitive category of data under the GDPR?
A. Health information
B. Biometric data
C. Publicly available contact information
D. Racial or ethnic origin
Answer: C
Explanation: Publicly available contact information is not classified as sensitive data, while health,
biometric data, and racial or ethnic origin are considered sensitive.
12. What is the first step in a Data Protection Impact Assessment (DPIA)?
A. Implementing encryption protocols
B. Assessing the necessity and proportionality of the processing
C. Reporting the incident to authorities
D. Conducting a supplier audit
Answer: B
Explanation: The first step in a DPIA is to assess the necessity and proportionality of the data processing
activity with respect to its intended purpose.
13. In data processing, what does the principle of “purpose limitation” mean?
A. Data must be processed for any purpose once collected
B. Data can be reused for different purposes without restrictions
C. Data must be collected for explicit, specified, and legitimate purposes
D. Data must be stored indefinitely
Answer: C
Explanation: The purpose limitation principle mandates that data is collected for specific, explicit, and
legitimate purposes and not further processed in incompatible ways.
14. Which right allows a data subject to request the deletion of their personal data?
A. Right to access
B. Right to be informed
C. Right to erasure (right to be forgotten)
D. Right to object
Answer: C
Explanation: The right to erasure, or the right to be forgotten, allows data subjects to request that their
personal data be deleted.
15. What is one of the main reasons for conducting regular security assessments?
A. To delay compliance efforts
B. To identify and mitigate data security risks
C. To increase data volume
D. To reduce transparency in data processing
Answer: B
Explanation: Regular security assessments help identify vulnerabilities and mitigate risks to data
security, ensuring robust protection measures are in place.
16. Which of the following best describes pseudonymization?
A. Encrypting data with a public key
B. Replacing private identifiers with artificial identifiers
C. Deleting data completely
D. Publishing data openly
Answer: B
Explanation: Pseudonymization replaces identifying fields with artificial identifiers to protect personal
data while still allowing some level of analysis.
17. What is an essential component of a privacy notice?
A. Detailed technical specifications
B. Clear information on how personal data is collected and used
C. Confidential internal memos
D. Marketing slogans
Answer: B
Explanation: A privacy notice should clearly explain how personal data is collected, used, stored, and
shared, ensuring transparency.
18. Which entity is primarily responsible for investigating data breaches?
A. The data subject
B. The data controller
C. The local law enforcement
D. The DPO in collaboration with supervisory authorities
Answer: D
Explanation: The DPO, in collaboration with supervisory authorities, is typically involved in investigating
and managing data breaches.
19. What is the significance of “data minimization” in data protection?
A. Collecting as much data as possible
B. Limiting data collection to only what is necessary
C. Using data without restrictions
D. Sharing data freely with third parties
Answer: B
Explanation: Data minimization means only collecting data that is strictly necessary for the specified
purpose, reducing potential risks.
20. Which of the following is a recommended technical measure for data security?
A. Regular password changes without additional controls
B. Implementing access controls and user authentication
C. Allowing shared user accounts
D. Storing all data in unencrypted formats
Answer: B
Explanation: Access controls and robust user authentication are key technical measures that protect
data from unauthorized access.
21. What is the purpose of a Data Protection Impact Assessment (DPIA)?
A. To design marketing campaigns
B. To evaluate the impact of processing on the protection of personal data
C. To increase the amount of data collected