1.3 The Body of Knowledge Blueprint
Key Takeaways
- The CIPP/E blueprint has five domains, and 75 scored questions are distributed across them in published ranges.
- European Data Protection Law and Regulation is the largest domain at 18-28 scored questions.
- European Data Processing is next at 13-21 scored questions, so Domains II and III together dominate the exam.
- Introduction to European Data Protection is the smallest domain at 7-13 scored questions.
- The five domains are stated as min-max question ranges, not fixed percentages, so plan your study by relative weight.
The CIPP/E Body of Knowledge Blueprint
Quick Answer: The exam covers five domains, and the 75 scored questions are spread across them in published min-max ranges. The biggest is European Data Protection Law and Regulation (18-28 questions), followed by European Data Processing (13-21 questions). Together these two domains are the majority of the exam, so they deserve the most study time.
IAPP publishes the blueprint as question ranges, not fixed percentages. The ranges overlap and the exact split varies by form, so use them to prioritize effort, not to predict a precise count. The principle is simple: spend the most hours where the most points live. A useful mental model is that Domains II + III are the GDPR engine, Domain IV is the scope-and-consequences layer, Domain V is the applied-context layer, and Domain I is the foundations.
Domain Weights
| # | Domain | Scored questions | What it covers |
|---|---|---|---|
| I | Introduction to European Data Protection | 7-13 | History of EU privacy, Convention 108/108+, EU institutions, the Charter, the legislative framework |
| II | European Data Protection Law and Regulation | 18-28 | Core GDPR concepts, data subject rights, security obligations, controller/processor roles |
| III | European Data Processing | 13-21 | Processing principles, the six lawful bases, transparency, special categories, international transfers |
| IV | European Data Protection: Scope and Accountability | 8-18 | Territorial/material scope (Art. 3-4), accountability, DPIAs, DPOs, supervision, enforcement, fines |
| V | Compliance with European Data Protection Law and Regulation | 8-16 | Employment, surveillance, direct marketing, cookies/ePrivacy, cloud, social media, search |
Across all five domains the scored questions total 75. Because the ranges overlap, exact counts vary by exam form. Notice that the minimums add to 54 and the maximums far exceed 75; that is normal for a min-max blueprint and confirms the ranges are guidance, not a fixed allocation.
How to Read the Weights
- Domains II and III are the core. Combined they can account for well over half of scored questions. Master the controller vs. processor vs. joint-controller distinction, the six lawful bases (Article 6: consent, contract, legal obligation, vital interests, public task, legitimate interests), the special-category conditions (Article 9), the transparency duties (Articles 12-14), the data subject rights (Articles 15-22), and the transfer toolkit (Chapter V: adequacy, SCCs, BCRs, derogations).
- Domain IV is mid-weight but high-leverage: territorial scope under Article 3, accountability documentation (ROPAs under Article 30), when a DPIA is mandatory (Article 35), DPO rules (Articles 37-39), the one-stop-shop and lead supervisory authority, and the two-tier fine structure.
- Domain V rewards applied reasoning, blending GDPR with the ePrivacy Directive on cookies, e-marketing consent, workplace monitoring, and cloud.
- Domain I is the smallest. Learn the institutions, the European Data Protection Board (EDPB), the Charter, and Convention 108+, but do not over-invest.
The two-tier fine structure (memorize this)
| Tier | Maximum fine | Typical triggers |
|---|---|---|
| Lower tier | €10 million or 2% of global annual turnover, whichever is higher | Records (Art. 30), security (Art. 32), breach notification (Art. 33-34), DPO appointment |
| Upper tier | €20 million or 4% of global annual turnover, whichever is higher | Principles (Art. 5), lawful basis/consent (Art. 6-9), data subject rights, transfer rules (Chapter V) |
The "whichever is higher" mechanic and the 2% vs. 4% split are perennial exam items — get the tiers exactly right.
Don't Ignore the Smaller Domains
Every domain contributes scored questions, and the cut score is close enough that a few targeted hours on Domains I, IV, and V can be the difference between a borderline fail and a clear pass. A common failure pattern is a candidate who knows lawful bases cold but loses easy points on cookie consent, the difference between the GDPR and the ePrivacy Directive, or which institution does what.
A pointed study allocation
| Domain | Suggested share of study time | Why |
|---|---|---|
| II — Law and Regulation | ~30% | Largest range (18-28) |
| III — Data Processing | ~25% | Second largest (13-21); lawful bases and transfers are dense |
| IV — Scope and Accountability | ~20% | High-leverage, exact-rule questions (Art. 3, 35, fines) |
| V — Specific Contexts | ~15% | Applied scenarios, easy to mine for points |
| I — Introduction | ~10% | Smallest range (7-13); foundational facts |
Cross-domain themes to weave through every topic
- Roles drive obligations — almost every domain asks who is the controller.
- Lawful basis + transparency travel together — you rarely test one without the other.
- Accountability is the GDPR's organizing principle — documentation appears across II, IV, and V.
Studying by these threads, rather than domain-by-domain in isolation, mirrors how the scenario questions are actually written.
High-yield facts that span domains
- The 72-hour breach-notification clock starts when the controller becomes aware, not when the breach occurred.
- A DPIA is mandatory for high-risk processing, including large-scale special-category processing and systematic monitoring of public areas.
- Consent must be as easy to withdraw as to give, and pre-ticked boxes are never valid.
- The lead supervisory authority and one-stop-shop apply only to cross-border processing within the EU.
- An adequacy decision removes the need for additional Chapter V safeguards; SCCs and BCRs fill the gap when no adequacy exists.
Memorizing these recurring anchors pays back across Domains II, III, IV, and V simultaneously.
Based on the CIPP/E blueprint, which two domains carry the most scored questions and should receive the most study time?
Under the GDPR's two-tier penalty structure, which infringement falls under the higher (upper-tier) maximum of €20 million or 4% of global annual turnover?