It is an exam in 150-question test mode. This questions have four possible answers, of which only one is correct. The exam lasts four hours.
You can consult all the information related to the certification exam by clicking here
The Spanish Data Protection Agency has provided an example of the questions that the exam consists of . This questions can be theoretical or can describe a scenario, as follows:
The controller and the processor shall designate a data protection officer in any case where:
a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or>c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences according to the General Data Protection Regulation.
a) Only in case c)
b) In the cases a) and b)
c) In the cases b) and c)
d) In all cases a), b) and c)
The DPO of a company is asked by the managing director about the possibility that the departments´ chiefs accede to the corporate mail of the employees. What should the DPO answer?
a) The employer needs to inform the workers that this control will be made and must obtain the consent of each one of them, since it is a procedure to control the workers´ activity in the labor field and is protected by the Workers´ Statute.
b) The employer can inform and implement a control on the use of the computers by workers, including access to the email and the web addresses visited whenever the company has previously established the rules of use.
c) This procedure to control the workers´ activity in the labor field does not have its protection in the Workers´ Statute, therefore it is necessary to inform the workers and obtain their consent.
d) As it is a procedure to control the workers´ activity in the labor field that is covered by the Workers´ Statute it is not necessary to inform them, just obtain their consent.
When the processing operations involve a high risk for the rights and freedoms of natural persons, it is incumbent upon the data controller to carry out an impact assessment related to data protection, which evaluates, in particular:
a) The origin, frequency, nature and severity of such risk.
b) The origin, nature, particularity and severity of such risk.
c) The origin, nature, level and severity of such risk.
d) The origin, nature, particularity and impact of the risk.
An entity that has branches in several Member States of the European Union wants to carry out a high-risk processing. According to this purpose an impact assessment was completed and the result indicated there is a high residual risk for the rights and freedoms of natural persons that cannot be mitigated with appropriate measures in terms of available technology and application costs.
a) The entity can carry out the processing but previously should find out about the existence of codes of conduct that are applicable to it.
b) It is not necessary for the entity to consult the control authority if, before carrying out the impact assessment, it informed the control authority about the importance and need of the pocessing it was going to perform.
c) The entity should consult the supervisory authority before performing the processing.
d) It is not necessary for the entity to consult the supervisory authority if the controller or processor previously obtained the opinion of the interested parties or their representatives regarding the processing planned.
Data protection audits:
a) Allow a transfer to be made through adequate guarantees.
b) Must be done every two years.
c) Are included in the mechanisms established within the business group or the union of companies engaged in a joint economic activity to ensure verification of compliance with binding corporate standards.
d) Should be done only if there is high risk.
An energetic sector company has been affected by a cyber attack and there has been a leak of personal data from a large number of its customers. Should this security breach be notified to the Spanish Data Protection Agency by controllers or processors?
a) No it should not, because they are not telecommunications operators and these are the ones that must communicate security breaches.
b) No, the company just has to establish an internal procedure so that any person who detects the violation will notify the managers of the company involved so they can resolve it within 72 hours.
c) Only the control authority should be informed within 24 hours after the security breach was recorded and the first analysis about facts take place and the possible damages on personal data are detected.
d) Only the competent control authority should be informed within 72 hours after the security breach was recorded or a first analysis about facts is take place.
- Domain 1 - 50%, 75 questions, 15 with a scenario.
- Domain 2 - 30%, 45 questions, 9 with a scenario.
- Domain 3 - 20%, 30 questions, 6 with a scenario.
Each question, whether scenario or test, will count as 1 point. No points are awarded for questions incorrectly answered or left unanswered.
You must reach at least 113 points to pass, which means that 50% of the questions in each block or field must be answered correctly. By each domain the number of minimum questions correctly answered will be:
• Domain 1: 38 correct answers of the 75 questions made.
• Domain 2: 23 correct answers of the 45 questions made.
• Domain 3: 15 correct answers of the 30 questions made.
Up to the 113 points required will be computed the questions of the set of domains.
Yes, you can request a review. This review is free of charges and is performed by the same evaluator who issued the result. If once the review is issued you are not satisfied with the result, you have the possibility of making an appeal to the Scheme Committee.
The review and appeal processes are not face-to-face.
If you are not agree with the evaluation result, you can file a complaint before the Spanish Data Protection Agency.