CIPP/E Exam Flashcards

Q: What is the CIPP/E exam format?

The CIPP/E is a 90-question multiple-choice exam with a 2.5-hour time limit. IAPP scores 75 of the questions and uses the remaining 15 as unscored pretest items. The passing score is 300 on a scaled range of 100 to 500. The exam is delivered through Pearson VUE either at a test center or via OnVUE online proctoring.

Q: Which blueprint area carries the most CIPP/E questions?

European Data Protection Law and Regulation is the largest area at 18-28 scored questions, followed by European Data Processing at 13-21 scored questions. Together they cover core GDPR concepts, lawful bases, data subject rights, transparency, security, and international transfers, so most study time should go there.

Q: Does the CIPP/E require work experience or sponsorship?

No. There is no formal education, experience, or sponsorship prerequisite to sit the CIPP/E. Anyone can register and take it. After passing, you maintain the credential through continuing privacy education plus either IAPP membership or the certification maintenance fee.

Q: Is the CIPP/E only about memorizing GDPR articles?

No. The exam is scenario-driven and tests application of the rules. Many questions hinge on controller versus processor roles, selecting the correct lawful basis, transparency timing, transfer safeguards, and how GDPR interacts with ePrivacy and other EU rules in practical business situations.

Q: What is the GDPR breach notification deadline tested on the CIPP/E?

Under GDPR Article 33, a controller must notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to individuals, affected data subjects must also be notified under Article 34.

Q: How large are GDPR fines under the rules the CIPP/E tests?

GDPR has two fine tiers. The lower tier reaches up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher. The upper tier, for the most serious infringements such as violating data subject rights or transfer rules, reaches up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher.

Question 1

Personal data (GDPR Art. 4)

Accepted Answer

Any information relating to an identified or identifiable natural person. Identifiability can be direct (name) or indirect (an ID number, location data, online identifier, or factors specific to the person's identity).

Question 2

Processing (GDPR Art. 4)

Accepted Answer

Any operation performed on personal data, whether automated or not — including collection, storage, use, disclosure, structuring, erasure, and destruction. Almost everything done with data counts as processing.

Question 3

Difference between anonymisation and pseudonymisation

Accepted Answer

Anonymised data can no longer identify anyone and falls outside the GDPR. Pseudonymised data replaces identifiers with a key but can still be re-linked, so it remains personal data and stays in scope.

Question 4

Special categories of personal data (GDPR Art. 9)

Accepted Answer

Sensitive data needing extra protection: racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic data, biometric data for ID, health data, and data on sex life/orientation. Processing is prohibited unless an Art. 9(2) condition applies.

Question 5

Natural person vs legal person under the GDPR

Accepted Answer

The GDPR protects only natural persons (living individuals). It does not apply to legal persons such as companies, nor to data about deceased individuals (though member states may add national rules for the deceased).

Question 6

Privacy as a fundamental right in Europe

Accepted Answer

EU privacy rests on two rights in the Charter of Fundamental Rights: Art. 7 (respect for private and family life) and Art. 8 (protection of personal data). This rights-based foundation distinguishes the EU model from sectoral US law.

Question 7

Convention 108

Accepted Answer

The 1981 Council of Europe treaty — the first binding international instrument on data protection. Its 2018 update (Convention 108+) modernised it. It influenced EU law but is separate from the GDPR.

Question 8

Relationship between the Data Protection Directive (95/46/EC) and the GDPR

Accepted Answer

The 1995 Directive required national implementing laws, producing fragmentation. The GDPR replaced it in 2018 as a directly applicable Regulation, harmonising rules across the EU without needing transposition.

Question 9

Difference between an EU Regulation and an EU Directive

Accepted Answer

A Regulation (like the GDPR) is directly applicable in all member states with no national transposition. A Directive (like the ePrivacy Directive) sets goals each state must implement through its own national law, allowing variation.

Question 10

ePrivacy Directive ('cookie law')

Accepted Answer

2002/58/EC (amended 2009) governs confidentiality of electronic communications, cookies/tracking, and unsolicited marketing. It is lex specialis — it overrides the GDPR where they overlap, e.g. consent for non-essential cookies.

Question 11

Role of the Court of Justice of the EU (CJEU) in data protection

Accepted Answer

The CJEU interprets EU law and issues binding rulings. Landmark cases include Google Spain (right to be forgotten), Schrems I (struck Safe Harbor), and Schrems II (struck Privacy Shield, conditioned SCC use).

Question 12

What the Schrems II ruling (2020) decided

Accepted Answer

The CJEU invalidated the EU-US Privacy Shield and held that Standard Contractual Clauses remain valid only if exporters assess the destination country's law and add supplementary measures where protection is inadequate (a transfer impact assessment).

Question 13

The seven GDPR principles (Art. 5)

Accepted Answer

Lawfulness, fairness & transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity & confidentiality (security); and accountability. Accountability requires the controller to demonstrate compliance with the other six.

Question 14

Purpose limitation principle

Accepted Answer

Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes. Reusing data for a new, incompatible purpose generally needs a fresh legal basis.

Question 15

Data minimisation principle

Accepted Answer

Personal data must be adequate, relevant, and limited to what is necessary for the stated purpose. Controllers should not collect 'just in case' data that exceeds the actual need.

Question 16

Storage limitation principle

Accepted Answer

Personal data must be kept in identifiable form no longer than necessary for the purpose. This drives retention schedules and timely deletion or anonymisation once the purpose is met.

Question 17

The six lawful bases for processing (GDPR Art. 6)

Accepted Answer

Consent; contract; legal obligation; vital interests; public task (public interest/official authority); and legitimate interests. A controller must identify the appropriate basis before processing — at least one must apply.

Question 18

Requirements for valid consent under the GDPR

Accepted Answer

Consent must be freely given, specific, informed, and unambiguous, shown by a clear affirmative act. Pre-ticked boxes and silence are invalid. It must be as easy to withdraw as to give, and the controller must be able to prove it.

Question 19

Legitimate interests basis and the three-part test

Accepted Answer

Legitimate interests requires a balancing test: (1) identify a legitimate interest, (2) show processing is necessary for it, and (3) confirm it is not overridden by the individual's interests, rights, and freedoms. It cannot be used by public authorities for their tasks.

Question 20

Lawful basis for processing special category data

Accepted Answer

An Art. 6 basis is not enough — you also need a separate Art. 9(2) condition (e.g. explicit consent, employment/social-security law, vital interests, substantial public interest, or health/medical purposes) to process sensitive data lawfully.

Question 21

Consent for children's online services (GDPR Art. 8)

Accepted Answer

For information society services offered directly to children, consent is valid only if the child is at least 16, or the parent/guardian consents below that. Member states may lower the threshold but not below 13.

Question 22

Right of access (GDPR Art. 15)

Accepted Answer

Data subjects can confirm whether their data is processed and obtain a copy plus information such as purposes, categories, recipients, retention, and their rights. Normally fulfilled free of charge within one month.

Question 23

Right to rectification (GDPR Art. 16)

Accepted Answer

Data subjects can have inaccurate personal data corrected and incomplete data completed without undue delay. Where feasible, the controller must inform recipients of the correction.

Question 24

Right to erasure / 'right to be forgotten' (GDPR Art. 17)

Accepted Answer

Individuals can require deletion when data is no longer needed, consent is withdrawn, they object successfully, or processing was unlawful. It is not absolute — it yields to free expression, legal obligations, and public-interest grounds.

Question 25

Right to data portability (GDPR Art. 20)

Accepted Answer

Where processing is based on consent or contract and is automated, individuals can receive their data in a structured, commonly used, machine-readable format and transmit it to another controller. It does not apply to data processed under legitimate interests or legal obligation.

Question 26

Right to object (GDPR Art. 21)

Accepted Answer

Individuals can object to processing based on legitimate interests or public task, forcing the controller to stop unless it shows compelling legitimate grounds. For direct marketing, an objection is absolute — processing must stop immediately.

Question 27

Right to restriction of processing (GDPR Art. 18)

Accepted Answer

In certain situations (e.g. contested accuracy or a pending objection) the data may be stored but not otherwise processed. It acts as a temporary 'pause' while a dispute is resolved.

Question 28

Rights around automated decision-making and profiling (GDPR Art. 22)

Accepted Answer

Individuals have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, unless it is necessary for a contract, authorised by law, or based on explicit consent — with safeguards including human intervention.

Question 29

Standard timeframe to respond to a data subject request

Accepted Answer

Controllers must respond without undue delay and within one month of receiving the request. This can be extended by up to two further months for complex or numerous requests, with notice to the individual.

Question 30

Controller vs processor (GDPR Art. 4)

Accepted Answer

The controller determines the purposes and means of processing. The processor processes data on the controller's behalf and instructions. The controller carries primary accountability; the processor has direct obligations only for specific duties.

Question 31

Joint controllers (GDPR Art. 26)

Accepted Answer

Two or more controllers that jointly determine purposes and means. They must agree, in a transparent arrangement, who is responsible for which obligations — but data subjects may exercise their rights against any of them.

Question 32

Data processing agreement requirements (GDPR Art. 28)

Accepted Answer

A controller may only use processors giving sufficient guarantees, bound by a written contract covering subject matter, duration, nature, purpose, data types, confidentiality, security, sub-processor rules, assistance, deletion/return, and audit rights.

Question 33

Privacy by design and by default (GDPR Art. 25)

Accepted Answer

Controllers must build data protection into systems from the outset (by design) and ensure that, by default, only data necessary for each purpose is processed (by default) — e.g. the most privacy-friendly settings on without user action.

Question 34

Record of processing activities (RoPA) (GDPR Art. 30)

Accepted Answer

Controllers and processors must maintain an internal record of their processing (purposes, categories of data and recipients, transfers, retention, security). Generally required for organisations with 250+ employees, or for risky, non-occasional, or special-category processing.

Question 35

Security of processing (GDPR Art. 32)

Accepted Answer

Controllers and processors must implement appropriate technical and organisational measures to ensure a level of security matching the risk — considering measures such as pseudonymisation, encryption, confidentiality, integrity, availability, resilience, and regular testing.

Question 36

Information to provide when collecting data directly (GDPR Art. 13)

Accepted Answer

At the point of collection, the controller must give the individual the controller's identity, contact details (and DPO if any), purposes and legal basis, recipients, transfer details, retention period, their rights, and the right to complain to a DPA.

Question 37

Adequacy decision (GDPR Art. 45)

Accepted Answer

The European Commission can decide that a non-EU country, territory, or sector ensures an adequate level of protection. Transfers there need no further safeguard. Examples include the UK, Switzerland, Japan, and the EU-US Data Privacy Framework.

Question 38

Standard Contractual Clauses (SCCs)

Accepted Answer

Pre-approved European Commission contract templates used to transfer data to countries without adequacy. After Schrems II, exporters must also run a transfer impact assessment and add supplementary measures where the destination's law is inadequate.

Question 39

Binding Corporate Rules (BCRs)

Accepted Answer

Internal data protection policies, approved by a lead supervisory authority, that permit intra-group transfers within a multinational across borders. They are legally binding and enforceable but take significant time to get approved.

Question 40

Derogations for specific transfer situations (GDPR Art. 49)

Accepted Answer

Where no adequacy decision or appropriate safeguard applies, transfers may rely on narrow exceptions such as explicit consent, contract necessity, important public interest, legal claims, or vital interests. They are interpreted strictly and not for large-scale, repetitive transfers.

Question 41

Transfer impact assessment (TIA)

Accepted Answer

Required after Schrems II when using SCCs or BCRs: assess whether the destination country's laws (especially government surveillance access) undermine EU-equivalent protection, and add supplementary technical, contractual, or organisational measures if needed.

Question 42

EU-US Data Privacy Framework (DPF)

Accepted Answer

The 2023 adequacy mechanism replacing Privacy Shield. US organisations that self-certify and comply with DPF principles can receive EU personal data without additional safeguards, supported by new US redress and surveillance limits.

Question 43

Role of a Supervisory Authority (DPA)

Accepted Answer

Each member state has an independent Data Protection Authority that monitors and enforces the GDPR — handling complaints, conducting investigations, issuing guidance, imposing corrective measures, and levying administrative fines.

Question 44

One-stop-shop mechanism and the lead supervisory authority

Accepted Answer

For cross-border processing, the DPA of the controller's main establishment acts as the single 'lead' authority. It coordinates with other concerned DPAs, giving organisations one primary regulator rather than 27 separate ones.

Question 45

European Data Protection Board (EDPB)

Accepted Answer

The EU body composed of national DPA heads and the EDPS. It ensures consistent GDPR application by issuing guidelines, opinions, and binding dispute-resolution decisions under the consistency mechanism.

Question 46

The two GDPR administrative fine tiers (Art. 83)

Accepted Answer

Lower tier: up to 10 million euros or 2% of global annual turnover (whichever is higher) for duties like records and security. Upper tier: up to 20 million euros or 4% of global annual turnover for breaches of principles, rights, or transfer rules.

Question 47

Personal data breach notification to the DPA (GDPR Art. 33)

Accepted Answer

Controllers must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless it is unlikely to risk individuals' rights and freedoms. Processors must notify their controller without undue delay.

Question 48

Communicating a breach to data subjects (GDPR Art. 34)

Accepted Answer

When a breach is likely to result in a high risk to individuals' rights and freedoms, the controller must inform affected data subjects without undue delay in clear language — unless data was encrypted, the risk is mitigated, or it would require disproportionate effort.

Question 49

Data Protection Impact Assessment (DPIA) (GDPR Art. 35)

Accepted Answer

A risk assessment required before processing likely to result in high risk — e.g. large-scale special-category processing, systematic monitoring, or new technologies. If high risk remains unmitigated, the controller must consult the DPA before proceeding (Art. 36).

Question 50

When a Data Protection Officer (DPO) is mandatory (GDPR Art. 37)

Accepted Answer

A DPO is required when the processor/controller is a public authority, or its core activities involve regular and systematic large-scale monitoring, or large-scale processing of special-category or criminal-conviction data. The DPO must be independent and report to top management.

Free CIPP/E Exam Flashcards

Filter by Topic

Jump to Card

About These CIPP/E Flashcards

Topics Covered

Frequently Asked Questions

CIPP/E

Explore More IAPP Certifications

AIGP

CIPP/US

CIPT

CIPM

IAPP CIPP/Asia

IAPP CIPP/Canada

More From This Family