Exam Domain Weights
- Intro to European DP: 9-17% of exam
- DP Law and Regulation: 24-37% of exam
- European Data Processing: 17-28% of exam
- Scope and Accountability: 11-24% of exam
- Compliance Contexts: 11-21% of exam
Quick Facts
- Credential: IAPP CIPP/E
- Questions: 90 (75 scored)
- Time: 150 min
- Pass: 300 scaled (100-500)
- Format: Computer-based MCQ
- Fee: $550
- Maintain: CPE every 2 years
- Blueprint: Sep 1, 2025
DP History + Sources
- Convention 108: 1981, Council of Europe, first treaty
- Directive 95/46/EC: Old DP Directive
- GDPR 2016/679: Applies 25 May 2018
- Charter Art 8: Data protection right
- ECHR Art 8: Private life right
- TFEU Art 16: DP legal base
- LED 2016/680: Law enforcement directive
EU Institutions
- EDPB: Consistency + guidelines
- EDPS: EU bodies supervisor
- Commission: Proposes, adequacy decisions
- CJEU: Interprets EU law
- ECtHR: Enforces ECHR
- WP29: Pre-GDPR predecessor
Six Lawful Bases (mnemonic)
Consent, Contract, Legal, Vital, Public, Legitimate
Consent vs Legitimate Interest
Consent
- Opt-in
- Revocable
- Granular
Legitimate interest
- Balancing test
- No public bodies
- Right to object
Permission vs justified need
Lawful Basis Picker
- Service the user requested → Contract (Art 6(1)(b))
- Required by EU law → Legal obligation (Statutory)
- Life at risk → Vital interests (Emergency only)
- Public authority task → Public task (Official authority)
- Business benefit, low risk → Legitimate interests (Balancing test)
- None fit, free choice → Consent (Revocable)
- Special category data → Art 9 condition (Plus Art 6)
Key Definitions
- Personal data: Identifies a person, Art 4(1)
- Processing: Any data operation, Art 4(2)
- Controller: Decides purposes, means
- Processor: Acts on instructions
- Pseudonymisation: Reversible with key
- Anonymisation: Outside GDPR scope
- Consent: Freely given, specific
- Profiling: Automated evaluation
Article 5 Principles (mnemonic)
Lawful, Purpose, Minimise, Accurate, Store, Secure, Account
Pseudonymised vs Anonymised
Pseudonymised
- Reversible
- Still personal data
- GDPR applies
Anonymised
- Irreversible
- Not personal data
- Outside GDPR
Re-identifiable or not
Article 5 Principles
- Lawfulness: Fair, transparent
- Purpose limitation: Specified, not incompatible
- Data minimisation: Adequate, relevant only
- Accuracy: Kept up to date
- Storage limitation: Not kept indefinitely
- Integrity: Security of data
- Accountability: Demonstrate compliance
Data Subject Rights (mnemonic)
Inform, Access, Rectify, Erase, Restrict, Port, Object, ADM
Six Lawful Bases
- Consent: Freely given opt-in, Art 6(1)(a)
- Contract: Necessary for performance
- Legal obligation: Required by EU law
- Vital interests: Protect life
- Public task: Official authority
- Legitimate interests: Balancing test, not public bodies
Data Subject Rights
- Information: Arts 13-14 notice
- Access: Copy of data, Art 15
- Rectification: Correct inaccuracies
- Erasure: Right to be forgotten, Art 17
- Restriction: Pause processing
- Portability: Machine-readable, consent/contract
- Object: Stop, esp. marketing
- ADM safeguard: Art 22 automated decisions
Key Deadlines
- DSR response: 1 month, Art 12(3)
- DSR extension: +2 months if complex
- Breach to DPA: 72 hours, Art 33
- Breach to subject: Without undue delay
- Records of processing: On request
- DPA complaint: Any time
Transfer Tools Order
Adequacy, then SCC/BCR, then Art 49
Adequacy vs SCC vs BCR
Adequacy
- Commission decision
- No extra tool
- Country-level
SCC / BCR
- Contractual safeguard
- TIA needed
- Org-level
Country status vs contract
Transfer Mechanism Picker
- Country has adequacy → Adequacy decision (No extra tool)
- US firm, certified → Data Privacy Framework (Treated adequate)
- Same corporate group → BCRs (DPA-approved)
- Ad hoc third party → SCCs + TIA (Plus safeguards)
- Rare, no tool → Art 49 derogation (Occasional only)
- Onward transfer → Same safeguards (Chain holds)
Accountability Tools
- ROPA: Records, Art 30
- DPIA: High-risk, Art 35
- Prior consultation: DPA, Art 36
- DPbDD: By design/default, Art 25
- DPO: Appointed, Art 37
- Codes of conduct: Art 40
- Certification: Art 42
DPIA Required?
- Systematic profiling → DPIA needed (Art 35(3)(a))
- Large-scale special data → DPIA needed (Art 35(3)(b))
- Public area monitoring → DPIA needed (Art 35(3)(c))
- High residual risk → Prior consultation (Art 36)
- Low-risk routine → No DPIA (Document why)
Special Category Data
- Health: Art 9 sensitive
- Biometric: Unique identification
- Genetic: Inherited characteristics
- Race/ethnic: Prohibited by default
- Political/religious: Belief data
- Sex life: Or orientation
- Explicit consent: Art 9(2)(a) exception
- Criminal data: Art 10, official control
Transfer Mechanisms
- Adequacy: Commission decision, Art 45
- SCCs: Standard contractual clauses, Art 46
- BCRs: Intra-group, Art 47
- TIA: Transfer impact assessment
- Derogations: Art 49, occasional
- Codes/cert: With binding commitments
- DPF: EU-US Data Privacy Framework
Controller vs Processor
Controller
- Decides purposes
- Primary liability
- Handles DSRs
Processor
- Follows instructions
- Art 28 contract
- Assists controller
Decides vs executes
Controller or Processor?
- Decides why and how → Controller (Sets purpose)
- Shares purpose decision → Joint controllers (Art 26 arrangement)
- Acts on instructions → Processor (Art 28 contract)
- Sets own new purpose → Becomes controller (Art 28(10))
- Receives data → Recipient (Not third party)
Scope of GDPR
- Material scope: What data, Art 2
- Territorial scope: Who, Art 3
- Establishment: EU activities context
- Targeting: Offering goods/monitoring
- Household exemption: Purely personal use
- Representative: Non-EU controller, Art 27
Material vs Territorial Scope
Material
- What data
- Article 2
- Exemptions
Territorial
- Who/where
- Article 3
- Targeting test
What applies vs to whom
Supervision + Fines
- DPA / SA: National supervisory authority
- Lead authority: One-stop-shop
- Main establishment: Central admin location
- Tier 1 fine: €10M or 2%, Art 83(4)
- Tier 2 fine: €20M or 4%, Art 83(5)
- Compensation: Material/non-material, Art 82
- Judicial remedy: Arts 78-79
GDPR vs ePrivacy
GDPR
- General regime
- All personal data
- Lawful bases
ePrivacy
- Lex specialis
- Cookies, comms
- Often consent
General vs specific rule
Employment Privacy
- Consent weak: Power imbalance
- Monitoring: Proportionate, transparent
- Background checks: Necessity limited
- BYOD: Separate work/personal
- Whistleblowing: Confidential, minimised
- Member State law: Art 88 specifics
Cloud + Internet Tech
- Cloud = processor: Usually, Art 28 DPA
- Sub-processor: Prior authorisation
- Location tracking: Consent typical
- Search engines: Controller, RTBF
- Big data/AI: Purpose + transparency
- IoT: Notice, minimisation
Common Traps
- Consent not default: Pick the best basis; consent often comes last
- Pseudonymised is personal: Still GDPR; only anonymised exits
- Processor liability: Controller primary; processor still liable
- 72h is to DPA: DPA 72 hours; subject without undue delay
- DPF is not SCC: DPF = adequacy-like; SCC = contract
- Legit interest limits: No public bodies; object right applies
- Cookies = ePrivacy: Consent first; GDPR also applies
Last Minute
1. GDPR = Regulation 2016/679
2. Six lawful bases (Art 6)
3. Special data needs Art 9
4. DSR response: 1 month
5. Breach to DPA: 72 hours
6. Fines: €20M or 4%
7. Lower tier: €10M or 2%
8. Transfers: adequacy, SCC, BCR
9. Controller decides; processor executes
10. DPIA when high-risk (Art 35)
11. Territorial scope = Art 3 targeting