5.5 Integrated Practice & Final Readiness

Key Takeaways

  • Most CIPP/E questions are scenario-based and require you to apply rules across domains at once, e.g., picking a lawful basis, classifying the controller/processor role, and identifying the right obligation in a single fact pattern
  • Domains on European Data Protection Law and Regulation and on European Data Processing carry the most scored questions, so weight your final review toward GDPR concepts, lawful bases, rights, transparency, and transfers
  • The most common mistakes are confusing the Article 33 risk threshold with the Article 34 high-risk threshold, mislabelling controller versus processor, and choosing consent when a stronger lawful basis applies
  • Read each scenario for the specific actor (controller, processor, DPA, data subject) and the specific obligation before evaluating the options; eliminate answers that are true statements but do not answer the question asked
  • In the final week, drill mixed timed sets, review article-number triggers (37, 35, 36, 33, 34, 56, 83), and practice elimination strategy rather than memorising new material

Last updated: June 2026

How the CIPP/E Actually Tests You

The CIPP/E is a 90-question, 2.5-hour exam (75 scored, 15 unscored pre-test items) delivered through Pearson VUE either at a test centre or via OnVUE online proctoring. The passing score is 300 on a scaled range of 100-500, and results are pass/fail — you are not told your numeric score breakdown. The exam is not a recall test of article numbers; it is a test of application. A typical question gives a business scenario and asks you to identify the right obligation, role, lawful basis, or remedy.

The most efficient way to read a question:

  1. Identify the actor — controller, processor, joint controllers, DPA, EDPB, or data subject.
  2. Identify the activity — collecting, profiling, transferring, marketing, monitoring employees, etc.
  3. Identify the obligation or right in play, then map it to the governing article.
  4. Eliminate options that are true statements but do not answer this question, then choose the best remaining answer.

Weight your review toward the GDPR-heavy domains — European Data Protection Law and Regulation and European Data Processing — which carry the largest share of scored questions. The foundational Chapter I scope and definitions surface as the backbone of almost every scenario.

How the Domains Combine in One Question

The defining feature of the CIPP/E is that a single item usually pulls from several domains at once. A typical "hard" question might describe a US analytics vendor processing EU employees' data and force you to chain four decisions in sequence:

For each step, the question to ask and the governing rule:

  1. Scope. Ask: does the GDPR even apply here? Governing rule: territorial scope, Article 3 (establishment or targeting/monitoring).
  2. Roles. Ask: who is controller vs processor? Governing rule: Articles 4(7)-(8) and 28.
  3. Lawful basis. Ask: what legitimises the processing? Governing rule: Article 6 (and Article 9 if special-category data).
  4. Obligation/right. Ask: what must happen now? Governing rule: transfer safeguards (Chapter V), DSAR, breach notification, DPIA, etc.

Train yourself to spot which step the question is really testing — the wrong answers are usually correct statements about a different step. If you can name the actor, the activity, and the article, the right option almost always selects itself, and you avoid the classic trap of picking a true-but-irrelevant distractor.

Common Mistakes to Avoid

Each common mistake, with its correction:

  • Confusing the 72-hour DPA notification with notifying individuals. Correction: Article 33 (notification to the DPA, triggered by risk) and Article 34 (communication to data subjects, triggered by high risk) are separate triggers; only the DPA notification carries the 72-hour figure.
  • Defaulting to consent as the lawful basis. Correction: consent is often the weakest choice; check legitimate interests, contract, legal obligation, vital interests, or public task first.
  • Treating the processor as the breach notifier to the DPA. Correction: the processor notifies the controller; the controller notifies the DPA and individuals.
  • Assuming any high-risk DPIA needs prior consultation. Correction: Article 36 applies only to high residual risk that the controller cannot mitigate.
  • Picking the registered HQ as the main establishment. Correction: the main establishment follows where processing decisions are made and implemented (Article 4(16)).
  • Confusing the EDPB with the EDPS. Correction: the EDPB harmonises all DPAs; the EDPS supervises the EU institutions.
  • Treating anonymised data like pseudonymised data. Correction: truly anonymised data is out of GDPR scope; pseudonymised data is still personal data.
  • Forgetting the one-month DSAR deadline. Correction: rights requests under Arts. 12-22 are answered within one month, extendable by two further months for complex requests.

Test Your Knowledge

A French retailer uses a US cloud provider to host its customer database and instructs that provider on how the data may be used. The provider suffers a breach exposing customer names and payment details. Which combination is correct?

Test Your Knowledge

A company wants to send marketing emails to its existing customers and also to a purchased list of new prospects. Which approach best reflects GDPR and ePrivacy reasoning?

Test Your Knowledge

An employer wants to install always-on video and keystroke monitoring of all staff to deter misconduct. Which analysis is most consistent with the GDPR?


Final-Week Readiness Checklist

In the last week, consolidate rather than learn new material:

  • Drill mixed, timed sets of 30-45 questions to build the controller/processor and lawful-basis reflex under time pressure; aim to spend under 100 seconds per question so you bank time for the hard ones.

  • Lock in the trigger articles: DPO (37), DPIA (35), prior consultation (36), breach to DPA in 72 hours (33), breach to individuals on high risk (34), lead authority/main establishment (56, 4(16)), and the two fine tiers (83).

  • Review the six lawful bases (Art. 6) and the special-category conditions (Art. 9), focusing on when consent is not the best answer.

  • Re-read the data subject rights (Arts. 12-22) and the response timeline of one month (extendable by two further months for complex or numerous requests).

  • Confirm the transfer toolkit: adequacy (Art. 45, including the EU-US Data Privacy Framework), appropriate safeguards incl. SCCs and BCRs (Arts. 46-47), and derogations (Art. 49).

  • Rest and logistics: confirm your Pearson VUE / OnVUE setup, valid ID, and a quiet, well-lit environment; you may take the scheduled mid-exam break.

  • Skim the surrounding law: know how the ePrivacy Directive layers on top of the GDPR for cookies and electronic marketing, and that the Law Enforcement Directive (2016/680) governs police/criminal-justice processing rather than the GDPR.

  • Flag-and-return: answer easy items first, mark genuinely uncertain ones, and revisit them with the time you banked rather than stalling.

Go in expecting applied judgment calls, eliminate distractors first, and trust your trained reflexes on roles, bases, and thresholds rather than second-guessing every answer.
