1.4 How CIPP/E Items Are Written

Key Takeaways

  • CIPP/E questions are scenario-driven and reward applying the GDPR, not memorizing article numbers.
  • Many items hinge on role assignment: controller vs. processor vs. joint controller vs. recipient vs. third party.
  • Lawful basis questions often test why one basis fails even when another sounds plausible.
  • Distractors are usually true GDPR statements that are simply wrong for the specific facts given.
  • Read the facts carefully for timing, who decides the purposes and means, and which obligation actually triggers.
Last updated: June 2026

Quick Answer: CIPP/E questions are scenario-based. They give you a short business situation and ask what the GDPR requires, allows, or prohibits. The skill tested is application, not recall. You rarely need to cite an article number; you need to reason from the facts to the correct obligation.

This is the single most important strategic insight for the exam. The IAPP classifies its items along Bloom's Taxonomy, and CIPP/E leans heavily on the Apply/Analyze levels rather than Knowledge/Comprehension. A Knowledge item might ask "What is the breach-notification deadline?" An Apply item gives you a breach timeline and asks "Has the controller met its obligations?" — which requires you to spot when the controller became aware, whether the risk threshold is met, and which deadline applies. Candidates who treat the GDPR as a flashcard deck of facts tend to struggle, because the right answer depends on the details.

Common Question Pivots

Most scenario questions turn on one of a handful of decision points:

  1. Role assignment — Is the organization a controller (decides the purposes and means), a processor (acts only on documented instructions), a joint controller (jointly determines purposes and means, Article 26), a recipient, or a third party? Obligations shift with the role.
  2. Lawful basis — Which of the six Article 6 bases applies? The exam loves to make consent look right when contract or legitimate interests is the better fit, or vice versa. Remember consent must be freely given, specific, informed, and unambiguous, and is rarely valid in an employment power-imbalance.
  3. Transparency timing — Under Article 13 (data collected from the subject) information is given at the time of collection; under Article 14 (data obtained indirectly) it is given within a reasonable period, at most one month.
  4. Transfers — Is an adequacy decision (Article 45), SCCs/BCRs (Article 46), or a derogation (Article 49) the right mechanism, and does it need a transfer impact assessment?
  5. Trigger questions — Does this situation require a DPIA (Article 35), a breach notification within 72 hours (Article 33), notice to data subjects without undue delay for high-risk breaches (Article 34), or appointment of a DPO (Article 37)?

How Distractors Are Built

The wrong answers (distractors) are rarely nonsense. They are usually true statements about the GDPR that do not apply to the specific facts. That is what makes them tempting — your eye recognizes a correct-sounding rule and wants to pick it.

Distractor pattern            | Example trap
------------------------------|---------------------------------------------------------------------------------
True but irrelevant           | A correct rule about processors offered when the entity is actually a controller
Right rule, wrong threshold   | Citing the 72-hour authority-notification clock when the question asks about informing data subjects
Plausible lawful basis        | Consent looks defensible, but the facts point to contract or legitimate interests
Over-broad obligation         | Treating an optional safeguard as mandatory, or a mandatory one as optional
Right concept, wrong instrument | Choosing SCCs when an adequacy decision already covers the destination country
Outdated rule                 | Citing Safe Harbor or Privacy Shield instead of the EU-U.S. Data Privacy Framework

The defense is to read the facts first, decide what the scenario actually asks, and only then evaluate the options. Watch for absolute words — always, never, must, only — which often mark an over-broad distractor.

A Reading Routine for Each Item

Use a disciplined five-step routine on every question:

  1. Identify the parties and roles. Who decides the purposes and means? That party is the controller and usually owns the obligation in the question.
  2. Pin down what is actually asked. A duty? A lawful basis? A timeline? A transfer mechanism? Underline the operative verb ("must," "may," "is not required to").
  3. Predict the answer before reading the options. This inoculates you against attractive distractors.
  4. Eliminate. Cross out true-but-irrelevant and right-rule-wrong-facts options. Two of four options usually fall fast.
  5. Choose the best fit for the specific scenario, not the most familiar rule.

Worked micro-example

A hospital uses an external payroll provider that processes staff salary data strictly per the hospital's written instructions. A breach hits the provider's servers. Who must notify the supervisory authority?

  • Step 1: hospital = controller (decides purposes/means); provider = processor.
  • Step 2: the question asks who notifies the supervisory authority.
  • Step 3: predict — the controller notifies within 72 hours; the processor notifies the controller without undue delay.
  • Step 4: eliminate "the processor notifies the authority directly" (true that the processor acts, but it reports to the controller, not the authority).
  • Step 5: answer — the hospital (controller) notifies the supervisory authority. This is the controller/processor pivot plus the right-rule-wrong-actor trap in one item.

Time-management while reading

Do not let the routine slow you down. With about 100 seconds per question, aim to spend the first 15-20 seconds on steps 1-3 (parties, ask, prediction) and the rest eliminating. Long stems with multiple paragraphs usually bury one decisive fact — the date of awareness, who signs the contract, whether consent was obtained — so train yourself to hunt for that pivot fact rather than re-reading the whole vignette. If a question genuinely turns on a fine numeric rule you cannot recall (a notification window, a fine tier, a transparency deadline), flag it, make your best application of the surrounding facts, and move on; the scenario context often makes one option clearly better even without the exact figure.

Test Your Knowledge

A retailer hires a cloud email vendor that processes customer data strictly under the retailer's written instructions. A CIPP/E item asks which party must respond to a customer's access request. Why is 'the vendor must respond directly' likely a distractor?

Test Your Knowledge

A scenario describes a controller transferring data to a vendor in a country already covered by a European Commission adequacy decision. Which option is the classic 'right concept, wrong instrument' distractor?
