FAQ about the DPO certification exam

Generic selectors
Exact matches only
Search in title
Search in content
Post Type Selectors
1What is the DPO certification exam?

It is an exam in 150-question test mode. This questions have four possible answers, of which only one is correct. The exam lasts four hours.

You can consult all the information related to the certification exam by clicking here

2What kind of questions are asked in the certification exam

The Spanish Data Protection Agency has provided an example of the questions that the exam consists of . This questions can be theoretical or can describe a scenario, as follows:




The controller and the processor shall designate a data protection officer in any case where:

a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or>c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences according to the General Data Protection Regulation.

a) Only in case c)
b) In the cases a) and b)
c) In the cases b) and c)
d) In all cases a), b) and c)


The DPO of a company is asked by the managing director about the possibility that the departments´ chiefs accede to the corporate mail of the employees. What should the DPO answer?

a) The employer needs to inform the workers that this control will be made and must obtain the consent of each one of them, since it is a procedure to control the workers´ activity in the labor field and is protected by the Workers´ Statute.
b) The employer can inform and implement a control on the use of the computers by workers, including access to the email and the web addresses visited whenever the company has previously established the rules of use.
c) This procedure to control the workers´ activity in the labor field does not have its protection in the Workers´ Statute, therefore it is necessary to inform the workers and obtain their consent.
d) As it is a procedure to control the workers´ activity in the labor field that is covered by the Workers´ Statute it is not necessary to inform them, just obtain their consent.


When the processing operations involve a high risk for the rights and freedoms of natural persons, it is incumbent upon the data controller to carry out an impact assessment related to data protection, which evaluates, in particular:

a) The origin, frequency, nature and severity of such risk.
b) The origin, nature, particularity and severity of such risk.
c) The origin, nature, level and severity of such risk.
d) The origin, nature, particularity and impact of the risk.

An entity that has branches in several Member States of the European Union wants to carry out a high-risk processing. According to this purpose an impact assessment was completed and the result indicated there is a high residual risk for the rights and freedoms of natural persons that cannot be mitigated with appropriate measures in terms of available technology and application costs.

a) The entity can carry out the processing but previously should find out about the existence of codes of conduct that are applicable to it.
b) It is not necessary for the entity to consult the control authority if, before carrying out the impact assessment, it informed the control authority about the importance and need of the pocessing it was going to perform.
c) The entity should consult the supervisory authority before performing the processing.
d) It is not necessary for the entity to consult the supervisory authority if the controller or processor previously obtained the opinion of the interested parties or their representatives regarding the processing planned.


Data protection audits:

a) Allow a transfer to be made through adequate guarantees.
b) Must be done every two years.
c) Are included in the mechanisms established within the business group or the union of companies engaged in a joint economic activity to ensure verification of compliance with binding corporate standards.
d) Should be done only if there is high risk.

An energetic sector company has been affected by a cyber attack and there has been a leak of personal data from a large number of its customers. Should this security breach be notified to the Spanish Data Protection Agency by controllers or processors?

a) No it should not, because they are not telecommunications operators and these are the ones that must communicate security breaches.
b) No, the company just has to establish an internal procedure so that any person who detects the violation will notify the managers of the company involved so they can resolve it within 72 hours.
c) Only the control authority should be informed within 24 hours after the security breach was recorded and the first analysis about facts take place and the possible damages on personal data are detected.
d) Only the competent control authority should be informed within 72 hours after the security breach was recorded or a first analysis about facts is take place.

3 How are the 150 exam questions distributed?

- Domain 1 - 50%, 75 questions, 15 with a scenario.
- Domain 2 - 30%, 45 questions, 9 with a scenario.
- Domain 3 - 20%, 30 questions, 6 with a scenario.

4How much is each question worth?

Each question, whether scenario or test, will count as 1 point. No points are awarded for questions incorrectly answered or left unanswered.

5What score should I get to pass the exam?

You must reach at least 113 points to pass, which means that 50% of the questions in each block or field must be answered correctly. By each domain the number of minimum questions correctly answered will be:

Domain 1: 38 correct answers of the 75 questions made.
Domain 2: 23 correct answers of the 45 questions made.
Domain 3: 15 correct answers of the 30 questions made.

Up to the 113 points required will be computed the questions of the set of domains.

6Can I leave the room while exam is taking place?
No, you can not. Once the exam has begun, leaving the room could presuppose that the Supervisor has canceled the candidate participation in the
7Can I get a copy of the test?
No, you can not. The exam can not be copied by any means.
8Can I leave the room even before 4 hours have elapsed once the exam is completed and signed?
Yes, you can. At the time of concluding and signing the final exam, the candidates can leave the room.
9How long does the evaluator take to inform about the test results?
A period of 15 days is established, though for justified reasons, it could be extended up to 30 days.
10In which countries are exam calls held?
They are usually held in Madrid and Barcelona though may be held in other countries where there is a minimum number of interested people in submitting to the DPO certification exam.
11What happens if I fail the exam?
Exam fees entitle you to participate in a second call.
12Can I request a review If I fail the exam?

Yes, you can request a review. This review is free of charges and is performed by the same evaluator who issued the result. If once the review is issued you are not satisfied with the result, you have the possibility of making an appeal to the Scheme Committee.

The review and appeal processes are not face-to-face.

If you are not agree with the evaluation result, you can file a complaint before the Spanish Data Protection Agency.

13Can I access the test I took and checked the answers I failed during the review process or exam appeal?
No. None of these processes is face-to-face, in order to preserve the independence of the evaluator and members of the Committee of Experts in decision-making. The exam is intended to evaluate the acquisition of knowledge of the candidate, it is not considered as a means to acquire knowledge.
14Can I meet and contact the evaluator?
No, you can not. The evaluator is not aware of the identity of the candidate whose exam is being evaluated. They must ensure the independence of their judgement, issuing a report with the result of the assessment, which is the basis for the decision to award the certificate to the candidate being assessed.
15What If I have doubts about the validity of the questions?
The questions and answers have been reviewed and approved by the Spanish Data Protection Agency.
16How is the exam evaluated?
The control of the evaluation process implanted, is designed to prevent both human and programming error. Besides, it has a review procedure carried out by an accredited experts. However If candidates are in disagreement about the results or decisions they can freely appeal to the Scheme Committee as an independent body of the EC, which will carry out a new evaluation.