100+ Free CDPO/BR Practice Questions

Pass your IAPP Certified Data Protection Officer — Brazil (CDPO/BR) exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately
Pass Rate: Not published
100+ Questions
100% Free
Question 1

The LGPD requires security measures to be 'compatible with the nature of the information processed and the risks.' This reflects which security standard approach?

2026 Statistics

Key Facts: CDPO/BR Exam

  • Exam Format: 60 questions / 2 hours (IAPP)
  • Passing Score: 75% (45/60) (IAPP)
  • LGPD Processing Bases: 10 legal bases (LGPD Article 7)
  • Data Subject Rights (Article 18): 9 rights (LGPD Article 18)
  • Max Fine per Infraction: R$50M / 2% Brazilian revenue (LGPD Article 52)
  • Breach Notification Deadline: 3 working days (CD/ANPD 15/2024)

The CDPO/BR LGPD exam consists of 60 multiple-choice questions in 2 hours, requires 75% (45/60) to pass, and is delivered entirely in Brazilian Portuguese. Candidates must also hold or pass the CIPM examination. The exam covers Brazil's LGPD from foundations through enforcement, with particular emphasis on how it differs from the GDPR.

Sample CDPO/BR Practice Questions

Try these sample questions to test your CDPO/BR exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Brazil's Lei Geral de Proteção de Dados (LGPD) was originally enacted as which federal law?
A. Lei nº 13.709/2018
B. Lei nº 12.965/2014
C. Lei nº 13.853/2019
D. Decreto nº 8.771/2016
Explanation: The LGPD was enacted as Lei nº 13.709 on August 14, 2018. Lei nº 13.853/2019 is a subsequent amendment that, among other changes, formally created the ANPD. Lei nº 12.965/2014 is the Marco Civil da Internet, and Decreto 8.771/2016 implements the Marco Civil.
2. Which of the following activities is explicitly EXCLUDED from the LGPD's scope of application?
A. Processing of personal data by a private company to offer services to Brazilian residents
B. Processing of employee data by an employer in Brazil
C. Processing carried out exclusively for journalistic, artistic, or literary purposes
D. Cross-border transfer of personal data from a Brazilian controller to an overseas processor
Explanation: Article 4 of the LGPD explicitly excludes processing carried out exclusively for journalistic, artistic, or literary purposes, as well as academic research (with appropriate safeguards) and national security/public safety activities. Commercial processing, employment data, and international transfers are all within scope.
3. Under the LGPD, how many legal bases exist for the lawful processing of personal data?
A. Six, the same as the GDPR
B. Eight
C. Ten
D. Twelve
Explanation: Article 7 of the LGPD lists ten legal bases for processing ordinary personal data. This is broader than the GDPR's six legal bases, with LGPD additions including health protection, credit protection, exercise of rights in judicial/administrative/arbitration proceedings, and protection by research entities.
4. A company needs to process personal data to fulfill a purchase contract entered into by a data subject. Which LGPD legal basis applies?
A. Legitimate interest
B. Legal or regulatory obligation
C. Execution of a contract or preliminary procedures at the data subject's request
D. Consent
Explanation: Article 7, item V of the LGPD permits processing that is necessary for the execution of a contract or preliminary contractual procedures at the data subject's request. This directly covers processing personal data to deliver goods or services under an agreement with the data subject.
5. Under the LGPD, consent as a legal basis for processing personal data must meet which standard?
A. It must be free, informed, and unequivocal, expressed in writing or by other means that demonstrate the data subject's will
B. It must be implied from the data subject's conduct and need not be explicit
C. A single broad consent covers all future processing activities regardless of purpose
D. Consent for general marketing is sufficient to cover sensitive data processing as well
Explanation: Article 8 of the LGPD defines valid consent as a free, informed, and unequivocal manifestation by the data subject agreeing to the processing of their personal data for a specific purpose. Consent may be in writing or another format that demonstrates the data subject's will, but a single blanket consent does not cover different purposes or sensitive data.
6. The LGPD recognises a legal basis called 'legitimate interest.' Which constraint applies specifically to this basis?
A. It may be used freely without any balancing test
B. It applies only to government entities processing data for public administration
C. It cannot be invoked to justify processing sensitive personal data
D. It requires prior approval from the ANPD before processing begins
Explanation: Article 11 of the LGPD restricts the legal bases available for sensitive personal data, expressly excluding legitimate interest as a permissible basis. For ordinary personal data, legitimate interest is available but requires balancing against the data subject's fundamental rights and expectations.
7. Which category of data qualifies as 'sensitive personal data' under the LGPD?
A. Racial or ethnic origin, religious belief, health data, and biometric data used for individual identification
B. Name, address, and email address combined in a single record
C. Transactional purchase history linked to a loyalty card
D. Public professional biographical information posted on a company website
Explanation: Article 5, item II of the LGPD defines sensitive personal data as data on racial or ethnic origin, religious belief, political opinion, trade union or religious/philosophical/political organization membership, health or sex life, genetic data, and biometric data used for identification. These categories require heightened protection and stricter legal bases.
8. Under the LGPD, which legal bases may be used to process sensitive personal data? (Select the BEST answer.)
A. Only consent and legal obligation — legitimate interest, credit protection, and contract are excluded
B. Any of the ten bases listed in Article 7 apply equally to sensitive data
C. Sensitive data cannot be processed under any basis; it requires full anonymization first
D. Only legitimate interest and consent are available for sensitive data
Explanation: Article 11 of the LGPD permits sensitive data processing only under a narrower set of bases, which includes specific consent, legal or regulatory obligation, shared policy by competent authorities, health-related research (with anonymization where possible), exercise of rights in judicial/arbitration/administrative proceedings, health/life protection by professionals, fraud prevention/data security, and protection of the data subject. Legitimate interests, credit protection, and standard contract performance are explicitly excluded.
9. A data subject submits a request to access all personal data held about them by a company. What does the LGPD require the controller to do?
A. Confirm the existence of processing and provide access to the data in a simplified or complete format within 15 days
B. Respond within 30 calendar days with a summary of categories of data held
C. Route the request to the ANPD, which will then respond to the data subject
D. Acknowledge the request and respond only when the data is related to financial transactions
Explanation: Article 18 grants data subjects the right to confirmation of processing and access to their data. The LGPD requires controllers to respond in a simplified format within 15 days from the date of request, or to provide the full information within 15 days via a complete declaration. The controller responds directly, not via the ANPD.
10. Which of the following is a data subject right recognized under LGPD Article 18?
A. Right to demand compensation directly from the ANPD for any data breach
B. Right to have all their data deleted regardless of the legal basis used for processing
C. Right to prevent any processing of their data by asserting an objection
D. Right to portability of their personal data to another service or product provider upon express request
Explanation: Article 18, item V grants data subjects the right to portability of their personal data to another service or product provider through an express request, subject to commercial and industrial secrets. This right mirrors a similar right in the GDPR but with specific LGPD nuances.

About the CDPO/BR Exam

The IAPP CDPO/BR (Certified Data Protection Officer — Brazil) is the leading credential for privacy professionals working under Brazil's LGPD. The LGPD exam component tests knowledge of Brazil's Lei Geral de Proteção de Dados, including its ten legal bases, nine data subject rights, the encarregado role, ANPD enforcement powers, and international transfer mechanisms.

  • Questions: 60 scored questions
  • Time Limit: 2 hours
  • Passing Score: 45/60 (75%)
  • Exam Fee: Included in CDPO/BR package (contact IAPP for pricing) (IAPP)

CDPO/BR Exam Content Outline

  • LGPD Foundations and Scope (~20%): Enactment history, territorial scope, personal and sensitive data definitions, ten processing principles, exclusions
  • Legal Bases for Processing (~20%): Ten Article 7 bases, Article 11 sensitive data bases, consent standards, credit protection, health tutelage, legitimate interest
  • Data Subject Rights under LGPD (~15%): Nine rights in Article 18, 15-day response timeline, automated decision review, portability, deletion exceptions
  • Roles: Controller, Operator, and Encarregado (~15%): Definitions, operator liability for deviations, encarregado duties and public disclosure obligations
  • ANPD Authority and Enforcement (~15%): ANPD creation and functions, Article 52 sanctions, fine dosimetry, graduated enforcement hierarchy
  • International Data Transfers (~8%): Adequacy decisions, ANPD SCCs, BCRs, specific contractual clauses, current adequacy status
  • Security and Incident Reporting (~7%): Article 46 security obligations, CD/ANPD 15/2024 notification framework, 3-working-day deadline, preliminary reports

How to Pass the CDPO/BR Exam

What You Need to Know

  • Passing score: 45/60 (75%)
  • Exam length: 60 questions
  • Time limit: 2 hours
  • Exam fee: Included in CDPO/BR package (contact IAPP for pricing)

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CDPO/BR Study Tips from Top Performers

1. Memorize the ten LGPD legal bases in Article 7 and the restricted bases for sensitive data in Article 11 — these appear frequently
2. Know the nine data subject rights in Article 18 and the 15-day response deadline; contrast with the GDPR's one-month standard
3. Understand that legitimate interest CANNOT be used for sensitive data under the LGPD — a key LGPD-GDPR difference
4. Study the ANPD's graduated sanction structure: lighter sanctions must precede suspension and prohibition
5. Know the 3-working-day breach notification rule under CD/ANPD 15/2024 and how it differs from GDPR's 72-hour rule
6. Remember that Brazil's fine cap is based on Brazilian revenue (2%, R$50M max) — not global revenue like the GDPR

Frequently Asked Questions

What is the IAPP CDPO/BR exam format?

The CDPO/BR LGPD exam consists of 60 multiple-choice questions with a 2-hour time limit. Candidates must answer at least 45 of the 60 questions correctly (75%) to pass. All materials and questions are delivered in Brazilian Portuguese. Candidates must also hold or concurrently pass the CIPM examination.

What is the LGPD and why does it matter for the CDPO/BR?

The LGPD (Lei Geral de Proteção de Dados, Lei 13.709/2018) is Brazil's comprehensive personal data protection law, inspired by the GDPR. It provides ten legal bases for processing, nine data subject rights, requires controllers to appoint an encarregado (DPO), and is enforced by the ANPD. The CDPO/BR exam tests deep knowledge of the LGPD's structure, obligations, and enforcement mechanisms.

How does the LGPD differ from the GDPR?

The LGPD has ten legal bases for processing versus the GDPR's six, including unique bases for credit protection and health tutelage. The LGPD fines are based on Brazilian revenue (2%, capped at R$50 million) rather than global revenue (GDPR: 4% global). The LGPD lacks a direct equivalent to the GDPR's right to object. Breach notification uses a 3-working-day risk-based threshold rather than the GDPR's 72-hour rule.

What is the encarregado and what are their duties?

The encarregado is the Brazilian equivalent of the GDPR's Data Protection Officer (DPO), required by Article 41. Their duties include acting as the contact point for data subjects and the ANPD, receiving and handling privacy complaints, implementing ANPD communications, and guiding employees on data protection practices. The encarregado's contact information must be publicly disclosed.

What sanctions can the ANPD impose for LGPD violations?

Article 52 of the LGPD allows the ANPD to impose: warnings with corrective deadlines, simple fines up to 2% of Brazilian annual revenue (max R$50 million per infraction), daily fines, public disclosure of the infraction, blocking or deletion of the personal data involved, and partial or total suspension of database operations. More severe sanctions (suspension, prohibition) can only follow a prior lesser sanction in the same case.

How do LGPD international data transfers work?

Personal data may be transferred internationally through: ANPD adequacy decisions (no country has yet received one), ANPD-issued Standard Contractual Clauses (adopted without modification), Binding Corporate Rules for intra-group transfers, or specific contractual clauses approved by the ANPD. When none of these apply, controllers may rely on derogations such as explicit consent or contract necessity.