
100+ Free CDPO/FR Practice Questions

Pass your IAPP Certified Data Protection Officer — France (CDPO/FR) exam on the first try — instant access, no signup required.


Key Facts: CDPO/FR Exam

  • 100 exam questions (source: IAPP CDPO/FR Program)
  • 75% overall / 50% per domain passing threshold (source: IAPP CDPO/FR Program)
  • 35 hours of approved training, or 2 years of professional experience, as prerequisite (source: IAPP CDPO/FR Program)
  • 6 January 1978: enactment of the Loi Informatique et Libertés by the French Parliament
  • 18 CNIL members (source: Loi Informatique et Libertés)
  • €20M / 4%: maximum GDPR fine (source: GDPR Article 83(5))
  • 72 hours: breach notification deadline to the CNIL (source: GDPR Article 33)
  • 15 years: digital consent age in France (source: Loi Informatique et Libertés Art. 45)

The CDPO/FR exam contains 100 questions (approximately one-third practical case studies) and requires 75% overall plus 50% per domain to pass. Prerequisites are 35 hours of approved training or 2 years of professional experience. The exam is delivered at Pearson VUE and covers GDPR applied through the lens of French national law and CNIL practice, making it the primary certification for DPOs serving as Délégué à la Protection des Données (DPD) in France.

Sample CDPO/FR Practice Questions

Try these sample questions to test your CDPO/FR exam readiness. Each question includes a detailed explanation. The full interactive quiz offers the complete 100+ question experience with AI tutoring.

1. Which French law first established the CNIL and created the foundational framework for personal data protection in France?
A. Loi n°78-17 du 6 janvier 1978 (Loi Informatique et Libertés)
B. Loi n°2004-801 relative à la protection des personnes physiques
C. Ordonnance n°2018-1125 rewriting the Loi Informatique et Libertés for consistency with the GDPR
D. Loi n°2016-1321 pour une République numérique
Explanation (answer A): The Loi Informatique et Libertés of 6 January 1978 created the CNIL (Commission Nationale de l'Informatique et des Libertés) and established France's foundational data protection regime. This landmark law predates the GDPR by nearly four decades, making France one of the world's most mature data protection jurisdictions. It has been substantially amended since, notably rewritten by Ordonnance n°2018-1125 to align it with the GDPR.

2. Under the GDPR, which of the following is NOT listed in Article 6(1) as a valid lawful basis for processing personal data?
A. The data subject has given consent
B. Processing is necessary for the legitimate interests of the controller
C. Processing is in the national security interest of a Member State
D. Processing is necessary for compliance with a legal obligation
Explanation (answer C): Article 6(1) GDPR provides six lawful bases: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. National security is not among them; Article 2(2)(a) excludes from the GDPR's scope processing in the course of an activity that falls outside the scope of Union law, which Recital 16 confirms includes activities concerning national security.

3. What is the CNIL's maximum sanctioning power for a serious GDPR violation by a large organisation?
A. €20 million or 4% of global annual turnover, whichever is higher
B. €10 million or 2% of global annual turnover, whichever is higher
C. €50 million or 10% of global annual turnover, whichever is higher
D. €100 million flat fine with no turnover component
Explanation (answer A): Under Article 83(5) GDPR, the upper-tier maximum fine for violations of core provisions (the basic principles, the conditions for consent, data subjects' rights, and international transfer rules) is €20 million or 4% of the undertaking's total worldwide annual turnover of the preceding financial year, whichever is higher. The CNIL applies this scale directly as the competent French supervisory authority.

4. Under GDPR Article 37, which of the following organisations is MANDATORILY required to designate a Data Protection Officer (DPO)?
A. A hospital processing patient health records on a large scale
B. A small e-commerce retailer that processes customer purchase history
C. A law firm representing clients in data protection disputes
D. A consulting firm with 49 employees providing general business advice
Explanation (answer A): Article 37(1)(c) GDPR mandates a DPO where the core activities of the controller or processor consist of processing, on a large scale, special categories of data (Article 9) or personal data relating to criminal convictions and offences (Article 10). Health records are special category data under Article 9(1), and a hospital processes them at large scale as a core activity, so DPO designation is mandatory. None of the other options triggers a mandatory designation on the facts given.

5. Within what timeframe must a controller notify the CNIL of a personal data breach under GDPR Article 33?
A. 72 hours of becoming aware of the breach, where feasible
B. 24 hours of becoming aware of the breach
C. 7 calendar days of becoming aware of the breach
D. 30 days of the breach occurring
Explanation (answer A): Article 33(1) GDPR requires that controllers notify the competent supervisory authority (the CNIL in France) without undue delay and, where feasible, not later than 72 hours after becoming aware of a personal data breach. If notification is made after 72 hours, it must be accompanied by reasons for the delay. Notification is not required if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Note that the clock starts at awareness, not at the moment the breach occurred.

6. Under GDPR Article 9, which of the following is classified as 'special category' personal data?
A. Financial account numbers and salary information
B. Home addresses and telephone numbers
C. Biometric data processed to uniquely identify a natural person
D. Professional employment history and job titles
Explanation (answer C): Article 9(1) GDPR defines special categories of personal data as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, together with genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a person's sex life or sexual orientation. Biometric data used for unique identification is specifically enumerated; financial, contact, and employment data are not special categories, however sensitive they may be in practice.

7. A French company processing employee biometric data for access control purposes wishes to rely on consent as the lawful basis. Under CNIL guidance, what is the primary concern with this approach?
A. Consent in the employment context is rarely freely given due to the power imbalance between employer and employee
B. Biometric data for access control is entirely prohibited under French law and no basis is valid
C. Biometric data may only be processed under the legitimate interests basis in France
D. Employment-related processing always requires an explicit decision by the Conseil d'État
Explanation (answer A): The CNIL and the EDPB have repeatedly cautioned that consent in the employment relationship is problematic: the employee's subordination to the employer creates a power imbalance that makes it difficult for consent to be 'freely given' as Articles 4(11) and 7 GDPR require. For biometric access control in the workplace, the CNIL's règlement type on biometrics (2019) requires the employer to justify and document why a biometric device is actually necessary for the premises or systems concerned; CNIL guidance treats consent obtained from employees as inherently suspect, so another basis (for example one grounded in employment law or a collective agreement under Article 9(2)(b) GDPR) must be identified rather than individual consent.

8. What does GDPR Article 30 require controllers and processors to maintain?
A. Records of processing activities (RoPA) containing specified information about each processing operation
B. A public register of all processing operations published on their website
C. Annual data protection reports filed with the CNIL
D. Mandatory audit trails of every individual access to personal data systems
Explanation (answer A): Article 30 GDPR requires controllers to maintain a record of processing activities (RoPA) containing: the name and contact details of the controller, any representative and the DPO; the purposes of processing; the categories of data subjects and of personal data; the categories of recipients; international transfers and their safeguards; envisaged retention periods; and, where possible, a general description of the security measures. Processors must maintain their own records of the processing carried out on behalf of each controller. The RoPA is an internal accountability tool that must be made available to the CNIL on request; it is not a public register.

9. Under GDPR Article 17, a data subject exercises the right to erasure ('right to be forgotten'). In which scenario would the controller be justified in refusing?
A. The data is necessary for establishing, exercising or defending legal claims
B. The data subject previously gave explicit consent to processing
C. The data was collected directly from the data subject rather than from a third party
D. The controller is located in France and the data subject is located in another EU Member State
Explanation (answer A): Article 17(3)(e) GDPR provides that the right to erasure does not apply where processing is necessary for the establishment, exercise or defence of legal claims. The other Article 17(3) exceptions cover processing for exercising the right of freedom of expression and information, compliance with a legal obligation or performance of a task in the public interest, public health, and archiving in the public interest, scientific or historical research, or statistical purposes. Prior consent (which can be withdrawn), the source of the data, and the data subject's location within the EU are not grounds for refusal.

10. When is a Data Protection Impact Assessment (DPIA) mandatory under GDPR Article 35?
A. For every new processing operation regardless of the risk level
B. Only when processing genetic data in a research context
C. When processing is likely to result in a high risk to the rights and freedoms of natural persons
D. Only when the organisation has more than 250 employees
Explanation (answer C): Article 35(1) GDPR requires a DPIA prior to processing where the processing is likely to result in a high risk to the rights and freedoms of natural persons. Article 35(3) specifies three cases that always require a DPIA: systematic and extensive evaluation based on automated processing, including profiling, that produces legal or similarly significant effects; large-scale processing of special categories or criminal data; and systematic monitoring of a publicly accessible area on a large scale. The CNIL has also published a list of processing operations for which a DPIA is mandatory in France, as Article 35(4) permits.

About the CDPO/FR Exam

The IAPP CDPO/FR certifies the competencies of Data Protection Officers operating in the French market. The exam covers the intersection of EU GDPR and the French Loi Informatique et Libertés (n°78-17 du 6 janvier 1978 as amended), CNIL authority and enforcement powers, DPO (DPD) role and obligations, and France-specific sector rules including health data (HDS), workplace biometric processing, cookie consent, and health research methodologies.

  • Questions: 100 scored questions
  • Time limit: not officially published; estimated 2-3 hours at Pearson VUE
  • Passing score: 75% overall and 50% per domain
  • Exam fee: contact IAPP for current pricing (IAPP / Pearson VUE)

CDPO/FR Exam Content Outline

  • GDPR and French Data Protection Act (Core): GDPR principles (Article 5), six lawful bases, special categories (Article 9), accountability, consent, children's digital consent age (15 in France), criminal data (Article 10), and French Loi Informatique et Libertés national derogations and adaptations
  • CNIL Authority, Role and Powers (Core): CNIL composition (18 members), investigative and corrective powers (Article 58), sanctioning (Article 83 fine tiers), one-stop-shop and lead supervisory authority, consistency mechanism (Article 63), prior consultation (Article 36), and 2024 expanded powers under law n°2024-449
  • DPO (DPD) Role and Obligations (Core): mandatory DPO criteria (Article 37), DPO tasks (Article 39), independence and anti-conflict-of-interest requirements (Article 38), CNIL notification procedure, shared DPO for public bodies, required qualifications, and the French term Délégué à la Protection des Données (DPD)
  • Data Subject Rights (Significant): rights to information (Articles 13-14), access (Article 15), rectification (Article 16), erasure (Article 17), restriction (Article 18), portability (Article 20), objection (Article 21), and automated decision-making (Article 22), including the one-month response timeline, exceptions, and Article 19 third-party notification
  • Lawful Processing and Records (Significant): six lawful bases (Article 6), consent validity requirements (Article 7), legitimate interest assessment, data processing agreements (Article 28), joint controllers (Article 26), sub-processor authorisation, record of processing activities (Article 30), purpose limitation, data minimisation, and storage limitation
  • Data Protection Impact Assessment (DPIA) (Core): DPIA triggers (Article 35) and CNIL mandatory lists, DPIA content requirements (Article 35(7)), prior consultation (Article 36) and the 8-week CNIL response period, CNIL Référentiels and health research Méthodologies de Référence, and the DPO's advisory role in the DPIA process
  • Security and Breach Notification (Significant): personal data breach definition (Article 4(12)), risk-based security (Article 32), 72-hour CNIL notification (Article 33), high-risk data subject notification (Article 34), breach documentation register, and availability breach analysis including ransomware scenarios
  • International Transfers (Core): adequacy decisions (Article 45), SCCs plus Transfer Impact Assessment post-Schrems II (Article 46), Binding Corporate Rules (Article 47), Article 49 derogations, EU-US Data Privacy Framework (July 2023), CNIL TIA practical guide (January 2025), and transfer chain documentation
  • Sector-Specific French Rules (Significant): HDS certification for health data hosting (Article L.1111-8 Public Health Code), CNIL health research MRs (MR-001 to MR-008), cookie consent CNIL guidelines (including equal accept/refuse prominence), biometric workplace processing and collective agreements (accord collectif), employee monitoring and CSE consultation (Labour Code L.2312-38), direct marketing ePrivacy rules

How to Pass the CDPO/FR Exam

What You Need to Know

  • Passing score: 75% overall and 50% per domain
  • Exam length: 100 questions
  • Time limit: Not officially published; estimated 2-3 hours at Pearson VUE
  • Exam fee: Contact IAPP for current pricing

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CDPO/FR Study Tips from Top Performers

1. Learn the GDPR article numbers alongside their substance: CDPO/FR case studies often describe a scenario and ask which article applies or has been violated
2. Master the three-part legitimate interest assessment (purpose / necessity / balancing) and know exactly which bases cannot be used for special category data
3. Know the dual CDPO/FR threshold: 75% overall AND 50% per domain; a strong score in one domain cannot compensate for a below-50% score in another
4. Study the CNIL's specific guidance documents: the GDPR DPO practical guide, DPIA guidelines, cookie referential, and TIA guide; these are frequently referenced in case-study questions
5. Practice distinguishing pseudonymisation (still personal data, GDPR applies) from anonymisation (no longer personal data, GDPR does not apply)
6. Know the French-specific additions to the GDPR: digital consent age of 15; biometric employment processing rules; health research MRs; HDS certification; CNIL composition and 2024 powers
7. Map each data subject right to its article, response deadline, exceptions, and downstream notification obligations for third parties
8. Drill international transfer scenarios: know when an adequacy decision applies (no further steps), when SCCs plus a TIA are needed, when Article 49 derogations are available, and the EU-US DPF mechanics

Frequently Asked Questions

What is the IAPP CDPO/FR certification?

The IAPP CDPO/FR (Certified Data Protection Officer — France) certifies professionals who serve as Data Protection Officers (Délégué à la Protection des Données / DPD) in the French market. The exam covers GDPR as implemented through the French Loi Informatique et Libertés (1978 law as amended), CNIL authority and enforcement, DPO obligations, data subject rights, DPIAs, breach notification, international transfers, and French sector-specific rules including health data (HDS) and workplace biometric processing.

What is the CDPO/FR passing score and exam format?

Candidates must achieve 75% correct overall AND at least 50% correct in each exam domain. The exam contains 100 questions, approximately one-third of which are practical case studies. It is delivered at Pearson VUE test centres. Prerequisites are 35 hours of approved CDPO training or at least 2 years of professional experience in data protection.

How is the CDPO/FR different from the CIPP/E?

The CIPP/E covers EU GDPR and the European data protection landscape broadly across all Member States. The CDPO/FR is a role-specific certification focused on the DPO function in France specifically, covering the French Loi Informatique et Libertés national derogations, CNIL authority and enforcement practice, French sector-specific rules (HDS health data hosting, biometric workplace law, CNIL health research MRs), and French employment law requirements for monitoring. Many French DPOs hold both credentials.

What is the CNIL and why is it central to the CDPO/FR exam?

The Commission Nationale de l'Informatique et des Libertés (CNIL) is France's independent data protection authority, established by the landmark Loi n°78-17 of 6 January 1978. The CNIL is the competent supervisory authority for GDPR enforcement in France (and the lead supervisory authority for cross-border processing by organisations whose main establishment is in France), with powers to investigate, conduct inspections, issue fines of up to €20 million or 4% of global turnover, publish guidance and referentials, and be consulted on high-risk processing. The 2024 law n°2024-449 expanded the CNIL's powers to include document seizure during dawn raids. The CNIL's guidance and enforcement practice are extensively tested on the CDPO/FR exam.

Is the CDPO/FR required to work as a DPO in France?

The CDPO/FR certification is not legally required by the GDPR or French law for appointment as a DPO (DPD). GDPR Article 37(5) requires 'expert knowledge of data protection law and practices' but specifies no particular certification. However, the CDPO/FR is specifically designed to demonstrate the competencies required by GDPR Chapter IV, Section 4 (Articles 37-39) and French data protection regulations, and is increasingly valued by organisations appointing DPDs in France.

Which key French national rules differ from standard GDPR that the CDPO/FR tests?

Key French-specific rules tested include: the digital consent age of 15 (not 16); specific authorisation requirements for biometric and genetic data; CNIL Méthodologies de Référence for health research (MR-001 to MR-008); HDS certification for health data hosting; biometric workplace processing requiring a collective agreement (accord collectif); works council (CSE) consultation before implementing monitoring technologies; cookie consent rules requiring equal ease for accept and refuse; and special provisions for automated decision-making by public administrations under Article 47 of the French Loi Informatique et Libertés.