1.3 The Body of Knowledge Blueprint

Key Takeaways

  • The CIPP/E blueprint has five domains, and 75 scored questions are distributed across them in published ranges.
  • European Data Protection Law and Regulation is the largest domain at 18-28 scored questions.
  • European Data Processing is next at 13-21 scored questions, so Domains II and III together dominate the exam.
  • Introduction to European Data Protection is the smallest domain at 7-13 scored questions.
  • The five domains are stated as min-max question ranges, not fixed percentages, so plan your study by relative weight.
Last updated: June 2026

The CIPP/E Body of Knowledge Blueprint

Quick Answer: The exam covers five domains, and the 75 scored questions are spread across them in published min-max ranges. The biggest is European Data Protection Law and Regulation (18-28 questions), followed by European Data Processing (13-21 questions). Together these two domains are the majority of the exam, so they deserve the most study time.

IAPP publishes the blueprint as question ranges, not fixed percentages. The ranges overlap and the exact split varies by form, so use them to prioritize effort, not to predict a precise count. The principle is simple: spend the most hours where the most points live. A useful mental model is that Domains II + III are the GDPR engine, Domain IV is the scope-and-consequences layer, Domain V is the applied-context layer, and Domain I is the foundations.

Domain Weights

| # | Domain | Scored questions | What it covers |
|---|---|---|---|
| I | Introduction to European Data Protection | 7-13 | History of EU privacy, Convention 108/108+, EU institutions, the Charter, the legislative framework |
| II | European Data Protection Law and Regulation | 18-28 | Core GDPR concepts, data subject rights, security obligations, controller/processor roles |
| III | European Data Processing | 13-21 | Processing principles, the six lawful bases, transparency, special categories, international transfers |
| IV | European Data Protection: Scope and Accountability | 8-18 | Territorial/material scope (Art. 3-4), accountability, DPIAs, DPOs, supervision, enforcement, fines |
| V | Compliance with European Data Protection Law and Regulation | 8-16 | Employment, surveillance, direct marketing, cookies/ePrivacy, cloud, social media, search |

Across all five domains the scored questions total 75. Because the ranges overlap, exact counts vary by exam form. Notice that the minimums add to roughly 54 and the maximums far exceed 75 — that is normal for a min-max blueprint and confirms the ranges are guidance, not a fixed allocation.

How to Read the Weights

  • Domains II and III are the core. Combined they can account for well over half of scored questions. Master the controller vs. processor vs. joint-controller distinction, the six lawful bases (Article 6: consent, contract, legal obligation, vital interests, public task, legitimate interests), the special-category conditions (Article 9), the transparency duties (Articles 12-14), the data subject rights (Articles 15-22), and the transfer toolkit (Chapter V: adequacy, SCCs, BCRs, derogations).
  • Domain IV is mid-weight but high-leverage: territorial scope under Article 3, accountability documentation (ROPAs under Article 30), when a DPIA is mandatory (Article 35), DPO rules (Articles 37-39), the one-stop-shop and lead supervisory authority, and the two-tier fine structure.
  • Domain V rewards applied reasoning, blending GDPR with the ePrivacy Directive on cookies, e-marketing consent, workplace monitoring, and cloud.
  • Domain I is the smallest. Learn the institutions, the European Data Protection Board (EDPB), the Charter, and Convention 108+, but do not over-invest.

The two-tier fine structure (memorize this)

| Tier | Maximum fine | Typical triggers |
|---|---|---|
| Lower tier | €10 million or 2% of global annual turnover, whichever is higher | Records (Art. 30), security (Art. 32), breach notification (Art. 33-34), DPO appointment |
| Upper tier | €20 million or 4% of global annual turnover, whichever is higher | Principles (Art. 5), lawful basis/consent (Art. 6-9), data subject rights, transfer rules (Chapter V) |

The "whichever is higher" mechanic and the 2% vs. 4% split are perennial exam items — get the tiers exactly right.

Don't Ignore the Smaller Domains

Every domain contributes scored questions, and the cut score is close enough that a few targeted hours on Domains I, IV, and V can be the difference between a borderline fail and a clear pass. A common failure pattern is a candidate who knows lawful bases cold but loses easy points on cookie consent, the difference between the GDPR and the ePrivacy Directive, or which institution does what.

A pointed study allocation

| Domain | Suggested share of study time | Why |
|---|---|---|
| II — Law and Regulation | ~30% | Largest range (18-28) |
| III — Data Processing | ~25% | Second largest (13-21); lawful bases and transfers are dense |
| IV — Scope and Accountability | ~20% | High-leverage, exact-rule questions (Art. 3, 35, fines) |
| V — Specific Contexts | ~15% | Applied scenarios, easy to mine for points |
| I — Introduction | ~10% | Smallest range (7-13); foundational facts |

Cross-domain themes to weave through every topic

  • Roles drive obligations — almost every domain asks who is the controller.
  • Lawful basis + transparency travel together — you rarely test one without the other.
  • Accountability is the GDPR's organizing principle — documentation appears across II, IV, and V.

Studying by these threads, rather than domain-by-domain in isolation, mirrors how the scenario questions are actually written.

High-yield facts that span domains

  • The 72-hour breach-notification clock starts when the controller becomes aware, not when the breach occurred.
  • A DPIA is mandatory for high-risk processing, including large-scale special-category processing and systematic monitoring of public areas.
  • Consent must be as easy to withdraw as to give, and pre-ticked boxes are never valid.
  • The lead supervisory authority and one-stop-shop apply only to cross-border processing within the EU.
  • An adequacy decision removes the need for additional Chapter V safeguards; SCCs and BCRs fill the gap when no adequacy exists.

Memorizing these recurring anchors pays back across Domains II, III, IV, and V simultaneously.

Test Your Knowledge

Based on the CIPP/E blueprint, which two domains carry the most scored questions and should receive the most study time?

Test Your Knowledge

Under the GDPR's two-tier penalty structure, which infringement falls under the higher (upper-tier) maximum of €20 million or 4% of global annual turnover?
