5.5 Integrated Practice & Final Readiness
Key Takeaways
- Most CIPP/E questions are scenario-based and require you to apply rules across domains at once, e.g., picking a lawful basis, classifying the controller/processor role, and identifying the right obligation in a single fact pattern
- Domains on European Data Protection Law and Regulation and on European Data Processing carry the most scored questions, so weight your final review toward GDPR concepts, lawful bases, rights, transparency, and transfers
- The most common mistakes are confusing the Article 33 risk threshold with the Article 34 high-risk threshold, mislabelling controller versus processor, and choosing consent when a stronger lawful basis applies
- Read each scenario for the specific actor (controller, processor, DPA, data subject) and the specific obligation before evaluating the options; eliminate answers that are true statements but do not answer the question asked
- In the final week, drill mixed timed sets, review article-number triggers (37, 35, 36, 33, 34, 56, 83), and practice elimination strategy rather than memorising new material
How the CIPP/E Actually Tests You
The CIPP/E is a 90-question, 2.5-hour exam (75 scored, 15 unscored pre-test items) delivered through Pearson VUE either at a test centre or via OnVUE online proctoring. The passing score is 300 on a scaled range of 100-500, and results are pass/fail — you are not told your numeric score breakdown. The exam is not a recall test of article numbers; it is a test of application. A typical question gives a business scenario and asks you to identify the right obligation, role, lawful basis, or remedy.
The most efficient way to read a question:
- Identify the actor — controller, processor, joint controllers, DPA, EDPB, or data subject.
- Identify the activity — collecting, profiling, transferring, marketing, monitoring employees, etc.
- Identify the obligation or right in play, then map it to the governing article.
- Eliminate options that are true statements but do not answer this question, then choose the best remaining answer.
Weight your review toward the GDPR-heavy domains — European Data Protection Law and Regulation and European Data Processing — which carry the largest share of scored questions. The foundational Chapter I scope and definitions surface as the backbone of almost every scenario.
How the Domains Combine in One Question
The defining feature of the CIPP/E is that a single item usually pulls from several domains at once. A typical "hard" question might describe a US analytics vendor processing EU employees' data and force you to chain four decisions in sequence:
| Step | Question to ask | Governing rule |
|---|---|---|
| 1. Scope | Does the GDPR even apply here? | Territorial scope, Article 3 (establishment or targeting/monitoring) |
| 2. Roles | Who is controller vs processor? | Articles 4(7)-(8), 28 |
| 3. Lawful basis | What legitimises the processing? | Article 6 (and Art. 9 if special-category) |
| 4. Obligation/right | What must happen now? | Transfer safeguards (Ch. V), DSAR, breach, DPIA, etc. |
Train yourself to spot which step the question is really testing — the wrong answers are usually correct statements about a different step. If you can name the actor, the activity, and the article, the right option almost always selects itself, and you avoid the classic trap of picking a true-but-irrelevant distractor.
Common Mistakes to Avoid
| Mistake | Correction |
|---|---|
| Confusing the 72-hour DPA notification with notifying individuals | Article 33 (DPA, risk) and Article 34 (data subjects, high risk) are separate triggers; only the DPA has a 72-hour figure |
| Defaulting to consent as the lawful basis | Consent is often the weakest choice; check legitimate interests, contract, legal obligation, vital interests, or public task first |
| Treating the processor as the breach notifier to the DPA | The processor notifies the controller; the controller notifies the DPA and individuals |
| Assuming any high-risk DPIA needs prior consultation | Article 36 applies only to high residual risk the controller cannot mitigate |
| Picking the registered HQ as the main establishment | The main establishment follows where processing decisions are made and implemented (Article 4(16)) |
| Confusing the EDPB with the EDPS | EDPB harmonises all DPAs; EDPS supervises the EU institutions |
| Treating anonymised data like pseudonymised data | Truly anonymised data is out of GDPR scope; pseudonymised data is still personal data |
| Forgetting the one-month DSAR deadline | Rights requests under Arts. 12-22 are answered within one month, extendable by two further months for complex requests |
A French retailer uses a US cloud provider to host its customer database and instructs that provider on how the data may be used. The provider suffers a breach exposing customer names and payment details. Which combination is correct?
A company wants to send marketing emails to its existing customers and also to a purchased list of new prospects. Which approach best reflects GDPR and ePrivacy reasoning?
An employer wants to install always-on video and keystroke monitoring of all staff to deter misconduct. Which analysis is most consistent with the GDPR?
Final-Week Readiness Checklist
In the last week, consolidate rather than learn new material:
- Drill mixed, timed sets of 30-45 questions to build the controller/processor and lawful-basis reflex under time pressure; aim to spend under 100 seconds per question so you bank time for the hard ones.
- Lock in the trigger articles: DPO (37), DPIA (35), prior consultation (36), breach to DPA in 72 hours (33), breach to individuals on high risk (34), lead authority/main establishment (56, 4(16)), and the two fine tiers (83).
- Review the six lawful bases (Art. 6) and the special-category conditions (Art. 9), focusing on when consent is not the best answer.
- Re-read the data subject rights (Arts. 12-22) and the response timeline of one month (extendable by two further months for complex or numerous requests).
- Confirm the transfer toolkit: adequacy (Art. 45, including the EU-US Data Privacy Framework), appropriate safeguards incl. SCCs and BCRs (Arts. 46-47), and derogations (Art. 49).
- Rest and logistics: confirm your Pearson VUE / OnVUE setup, valid ID, and a quiet, well-lit environment; you may take the scheduled mid-exam break.
- Skim the surrounding law: know how the ePrivacy Directive layers on top of the GDPR for cookies and electronic marketing, and that the Law Enforcement Directive (2016/680) governs police/criminal-justice processing rather than the GDPR.
- Flag-and-return: answer easy items first, mark genuinely uncertain ones, and revisit them with the time you banked rather than stalling.
Go in expecting applied judgment calls, eliminate distractors first, and trust your trained reflexes on roles, bases, and thresholds rather than second-guessing every answer.