
100+ Free PECB CDPO Practice Questions

Pass your PECB Certified Data Protection Officer (GDPR CDPO) exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately
100+ Questions
100% Free

A controller wishes to use legitimate interests for direct marketing to existing customers. Which key elements must be documented in the Legitimate Interests Assessment (LIA)?

2026 Statistics

Key Facts: PECB CDPO Exam

  • Passing Score: 70% (PECB)
  • Exam Questions: 150 (3 hours / 180 minutes)
  • Breach Notification Deadline: 72 hr (GDPR Article 33)
  • Exam Fee (USD): $1,100 (PECB)
  • Higher Fine Tier: €20M / 4% (GDPR Article 83(5))
  • Certification Validity: 3 years (PECB)

PECB CDPO is the leading PECB credential for Data Protection Officers under the GDPR. The exam consists of 150 multiple-choice questions over 3 hours, requiring 70% to pass, at a fee of $1,100 USD. Content spans seven domains: GDPR fundamentals, principles and lawful basis, data subject rights, controller/processor obligations, DPIA and DPO role, international transfers, and supervision/enforcement. The credential is recognized internationally and aligns with the Articles 37-39 DPO requirements. Recertification is required every 3 years (CPD credits). Comparable credentials include IAPP CIPP/E and CIPM.

Sample PECB CDPO Practice Questions

Try these sample questions to test your PECB CDPO exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. What does the acronym GDPR stand for?
A. General Data Protection Regulation
B. Global Data Privacy Rules
C. General Digital Privacy Requirements
D. Government Data Protection Requirements
Explanation: GDPR stands for General Data Protection Regulation. It is officially known as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. It became enforceable on 25 May 2018 and repealed Directive 95/46/EC.

2. Under Article 4(1) of the GDPR, what is the definition of 'personal data'?
A. Only data identifying living natural persons by name
B. Any information relating to an identified or identifiable natural person
C. Information stored in electronic form only
D. Sensitive data such as health or biometric data
Explanation: Article 4(1) defines personal data as any information relating to an identified or identifiable natural person ('data subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity.

3. Which body acts as the data controller under the GDPR?
A. The third party processing data on behalf of an organization
B. The natural or legal person determining the purposes and means of processing
C. The supervisory authority
D. The data protection officer
Explanation: Per Article 4(7), a 'controller' is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The controller bears primary responsibility for GDPR compliance and accountability. Processors act on behalf of controllers.

4. What is the definition of a 'processor' under Article 4(8) of the GDPR?
A. A computer system that handles data
B. A natural or legal person processing personal data on behalf of the controller
C. A data subject whose data is processed
D. The data protection officer of the controller
Explanation: Article 4(8) defines a processor as a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller. Common processor examples include cloud-hosting providers, payroll service vendors, and marketing-email platforms. Processors must operate under a written Article 28 contract (DPA).

5. How many principles relating to the processing of personal data are listed in Article 5(1) of the GDPR?
A. Five
B. Six
C. Seven
D. Eight
Explanation: Article 5(1) lists six processing principles: (a) lawfulness, fairness and transparency; (b) purpose limitation; (c) data minimisation; (d) accuracy; (e) storage limitation; (f) integrity and confidentiality. A seventh overarching principle of accountability appears in Article 5(2), requiring the controller to be responsible for, and able to demonstrate, compliance with the other six.

6. Which Article of the GDPR establishes the six lawful bases for processing personal data?
A. Article 5
B. Article 6
C. Article 7
D. Article 9
Explanation: Article 6(1) sets out the six lawful bases for processing personal data: (a) consent of the data subject; (b) contract necessity; (c) legal obligation; (d) vital interests; (e) public task; and (f) legitimate interests. At least one of these grounds must apply for processing to be lawful. Article 9 governs special category data with additional conditions.

7. Which of the following is NOT a lawful basis for processing under Article 6 of the GDPR?
A. Performance of a contract
B. Vital interests of the data subject
C. Compliance with a legal obligation
D. Maximizing shareholder profit
Explanation: The six Article 6 lawful bases are consent, contract, legal obligation, vital interests, public task, and legitimate interests. 'Maximizing shareholder profit' is not a lawful basis. Legitimate interests is the most commonly used flexible basis but requires a documented balancing test (LIA) and is not available to public authorities performing public tasks.

8. What does Article 4(11) require of consent under the GDPR?
A. Consent must be in writing only
B. Freely given, specific, informed, and unambiguous indication
C. Verbal consent is sufficient in all cases
D. Consent by silence is permitted
Explanation: Article 4(11) defines consent as any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by statement or by clear affirmative action, signify agreement to processing. Pre-ticked boxes, silence, or inactivity do not constitute valid consent. Consent must be as easy to withdraw as it is to give (Article 7(3)).

9. What is the maximum administrative fine under the higher tier of Article 83(5) of the GDPR?
A. €10 million or 2% of annual worldwide turnover, whichever is higher
B. €20 million or 4% of annual worldwide turnover, whichever is higher
C. €50 million flat
D. €100 million or 10% of EU turnover
Explanation: Article 83(5) establishes the higher tier of administrative fines at up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year — whichever is higher. This tier applies to violations of the basic principles, data subject rights, transfer rules, and certain orders by supervisory authorities. The lower tier (Article 83(4)) is €10 million or 2%.

10. Within how many hours must a controller notify the supervisory authority of a personal data breach where feasible?
A. 24 hours
B. 48 hours
C. 72 hours
D. 7 days
Explanation: Article 33(1) requires controllers, where feasible, to notify the competent supervisory authority of a personal data breach not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where notification exceeds 72 hours, it must be accompanied by reasons for the delay.

About the PECB CDPO Exam

The PECB Certified Data Protection Officer (CDPO) certification validates expertise in applying the EU General Data Protection Regulation (Regulation (EU) 2016/679) in operational and strategic contexts. The exam covers GDPR scope and principles, lawful basis, data subject rights, controller/processor obligations, DPIAs, the DPO role (designation, independence, tasks), personal data breach management, international transfers post-Schrems II, supervisory authority cooperation under the one-stop-shop, and administrative fines. The credential is widely held by data protection officers, privacy program managers, and GRC professionals across the EU and globally.

  • Questions: 150 scored questions
  • Time Limit: 180 minutes
  • Passing Score: 70%
  • Exam Fee: $1100 USD (PECB)

PECB CDPO Exam Content Outline

  • GDPR Fundamentals and Scope (15%): Regulation (EU) 2016/679 structure, Articles 1-4 (subject matter, material scope, territorial scope including Article 3.2 targeting/monitoring test, definitions)
  • Principles and Lawful Basis (15%): Article 5 processing principles, Article 6 lawful basis (six grounds), Article 7 consent conditions, Article 8 children, Article 9 special category, Article 10 criminal data
  • Data Subject Rights (15%): Articles 12-22: transparency, information (Art 13-14), access (Art 15), rectification (Art 16), erasure (Art 17), restriction (Art 18), portability (Art 20), objection (Art 21), automated decision-making (Art 22)
  • Controller and Processor Obligations (20%): Articles 24-32: accountability, privacy by design and default (Art 25), joint controllers (Art 26), EU representative (Art 27), processor agreements (Art 28 DPA), RoPA (Art 30), security of processing (Art 32 TOMs)
  • DPIA, DPO, and Breach Management (15%): Article 33 breach notification (72-hour rule) and Article 34 data subject communication; Article 35 DPIA and Article 36 prior consultation; Articles 37-39 DPO designation, position, tasks; EDPB guidelines WP243 and WP248
  • International Data Transfers (10%): Articles 44-50: Article 45 adequacy decisions, Article 46 appropriate safeguards (SCCs, BCRs, codes, certifications), Article 47 BCRs, Article 49 derogations; Schrems II implications; Transfer Impact Assessments; EU-US Data Privacy Framework
  • Supervision, Enforcement, and Remedies (10%): Articles 51-83: supervisory authorities, one-stop-shop and lead SA (Art 56), EDPB role, cooperation and consistency (Art 60-65), administrative fines (Art 83: 2% / €10M and 4% / €20M tiers), remedies (Art 77-79), compensation (Art 82)

How to Pass the PECB CDPO Exam

What You Need to Know

  • Passing score: 70%
  • Exam length: 150 questions
  • Time limit: 180 minutes
  • Exam fee: $1100 USD

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

PECB CDPO Study Tips from Top Performers

1. Read the GDPR text (Regulation EU 2016/679) cover-to-cover at least twice — articles, recitals, and the chapter structure. The exam expects article-number-level recall.
2. Memorise the six Article 6 lawful bases, the ten Article 9(2) conditions for special category processing, and the six Article 17 grounds for erasure plus exemptions.
3. Know the Article 33/34 breach lifecycle cold: 72-hour SA notification when becoming aware, Article 34 data subject communication when high risk, Article 33(5) documentation always.
4. Master DPO topics: Article 37 designation triggers, Article 38 position (independence, conflict of interest, no penalty, direct report to top management), Article 39 tasks (advise, monitor, train, cooperate with SA).
5. Study EDPB guidelines actively: WP243 DPOs, WP248 DPIAs, Guidelines 05/2020 consent, Recommendations 01/2020 supplementary measures (Schrems II), Guidelines 9/2022 breach notification.
6. Practice international transfer scenarios — adequacy vs Article 46 safeguards vs Article 49 derogations — and apply the Transfer Impact Assessment lens post-Schrems II.
7. Drill the fines structure: two tiers (Art 83(4) €10M/2%; Art 83(5) €20M/4%) and the 11 Article 83(2) factors used in setting fines.

Frequently Asked Questions

What is the PECB Certified Data Protection Officer (CDPO) exam format?

The PECB CDPO exam consists of 150 multiple-choice questions to be completed in 3 hours (180 minutes), requiring a 70% score to pass. The exam is delivered online through the PECB Exams platform or at PECB-approved test centers worldwide. Questions assess applied knowledge of the GDPR (Regulation EU 2016/679), including articles, EDPB guidelines, and the DPO's operational role. The exam fee is $1,100 USD.

What are the prerequisites for the PECB CDPO certification?

PECB does not impose strict prerequisites to sit the multiple-choice CDPO exam. To obtain the full Certified Data Protection Officer credential, candidates need approximately 5 years of professional experience with 2 years specifically in data protection or privacy, plus completion of a DPO-related project of at least 200 hours. Foundational knowledge of GDPR and EDPB guidance is strongly recommended.

Is PECB CDPO different from IAPP CIPP/E?

Yes. PECB CDPO focuses on the operational role of the Data Protection Officer (designation, independence, tasks, monitoring) within an organization, aligned with Articles 37-39 of the GDPR. IAPP CIPP/E is a broader information privacy professional certification covering EU privacy law in depth. Many DPOs hold both credentials. CDPO is widely chosen by professionals in organisations using PECB training and certification frameworks; CIPP/E is recognised globally and complements CIPM/CIPT for a full privacy career pathway.

When is a DPO mandatory under the GDPR?

Article 37(1) makes DPO designation mandatory in three cases: (a) processing is carried out by a public authority or body (except courts acting judicially); (b) the core activities of the controller or processor consist of large-scale regular and systematic monitoring of data subjects; or (c) the core activities consist of large-scale processing of special category data (Article 9) or criminal-conviction data (Article 10). Member state law may impose additional cases. EDPB Guidelines WP243 clarify 'core activities', 'large scale', and 'regular and systematic monitoring'.

How much does the PECB CDPO exam cost in 2026?

The PECB CDPO exam fee is $1,100 USD as listed on the official PECB page. Many candidates take a 5-day instructor-led training plus exam package from a PECB-accredited training partner, which typically costs $3,000-$4,500. PECB offers a free exam retake within 12 months of a first failed attempt; subsequent retakes incur the full fee.

Is PECB CDPO worth it in 2026?

Yes, for professionals in or moving into DPO, privacy program manager, GRC lead, or data-protection consulting roles — especially in organisations operating in or with the EU. GDPR enforcement continues to scale (Meta €1.2bn in 2023, large 2024-2025 fines on tech firms), creating sustained demand for credentialed DPOs. CDPO is widely accepted alongside IAPP credentials and demonstrates Article 38(5) 'expert knowledge of data protection law and practices' to employers and supervisory authorities.