IAPP CIPP-E Exam Questions
Certified Information Privacy Professional/Europe (CIPP/E) (Page 2)

Updated On: 17-Apr-2026

Through a combination of hardware failure and human error, the decryption key for a bank's customer account transaction database has been lost. An investigation has determined that this was not the result of hacking or malfeasance, simply an unfortunate combination of circumstances. Which of the following accurately indicates the nature of this incident?

  A. A data breach has not occurred because the loss was not the result of hacking.
  B. A data breach has not occurred because no data was exposed to any unauthorized individual.
  C. A data breach has occurred because the loss of the key has resulted in the data no longer being accessible.
  D. A data breach has occurred because the loss of the key has resulted in the loss of confidentiality or integrity of the data.

Answer(s): D

Explanation:

A data breach is broadly defined as any incident that leads to the unauthorized access, disclosure, alteration, or destruction of personal data. While options A and B might seem plausible at first glance, they focus on a narrow interpretation of a breach. The key here is the loss of confidentiality and/or integrity. Even though no one has actively stolen the data, the bank can no longer guarantee the confidentiality of the information, nor can it ensure the integrity of the data since it cannot be accessed or modified securely. This constitutes a loss of control over the data and thus qualifies as a data breach.


Reference:

IAPP CIPP/E textbook, Chapter 5: Data Breach Notification (specifically, the definition of a personal data breach)
GDPR Article 4(12) - Definition of a personal data breach



A private company has establishments in France, Poland, the United Kingdom, and most prominently, Germany, where its headquarters is established. The company offers its services worldwide. Most of the services are designed in Germany and supported in the other establishments. However, one of the services, a Software as a Service (SaaS) application, was defined and implemented by the Polish establishment. It is also supported by the other establishments. What is the lead supervisory authority for the SaaS service?

  A. The supervisory authority of Germany at the federal level.
  B. The supervisory authority of Germany at the regional level.
  C. The supervisory authority of the Republic of Poland.
  D. The supervisory authority of the European Union.

Answer(s): C

Explanation:

Under the GDPR, the lead supervisory authority is determined by where the main establishment related to the processing activity is located.
In this case, even though the company's headquarters is in Germany, the SaaS application was specifically defined and implemented by the Polish establishment. This indicates that the Polish establishment has the primary role in determining the purposes and means of processing personal data related to that SaaS service. Therefore, the supervisory authority of Poland would be the lead supervisory authority for this specific processing activity.


Reference:

GDPR Article 56 - Competence of the lead supervisory authority
IAPP CIPP/E textbook, Chapter 3: EU General Data Protection Regulation (specifically, sections on the One-Stop Shop mechanism and lead supervisory authority)



Which statement is correct when considering the right to privacy under Article 8 of the European Convention on Human Rights (ECHR)?

  A. The right to privacy is an absolute right
  B. The right to privacy has to be balanced against other rights under the ECHR
  C. The right to freedom of expression under Article 10 of the ECHR will always override the right to privacy
  D. The right to privacy protects the right to hold opinions and to receive and impart ideas without interference

Answer(s): B

Explanation:

Article 8 of the ECHR protects the right to respect for private and family life, home and correspondence. However, this right is not absolute and can be subject to limitations by a public authority in accordance with the law and for a legitimate aim. The European Court of Human Rights (ECtHR) has developed a two-stage test to determine whether such limitations are justified. First, the court must examine whether there is a legitimate aim pursued by the public authority, such as national security, public safety or the prevention of crime. Second, the court must assess whether the means used by the public authority are appropriate and necessary to achieve that aim, taking into account all relevant factors such as proportionality, necessity and less restrictive alternatives [1][2]. Therefore, the right to privacy is not an absolute right but a qualified one that has to be balanced against other rights under the ECHR.


Reference:

Article 8 - Protection of personal data
Your right to respect for private and family life
Right to respect for private and family life
Guide on Article 8 of the European Convention on Human Rights
European Convention on Human Rights - Article 8

https://www.echr.coe.int/Documents/Guide_Art_8_ENG.pdf



What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive /EC) all had in common but largely failed to achieve in Europe?

  A. The establishment of a list of legitimate data processing criteria
  B. The creation of legally binding data protection principles
  C. The synchronization of approaches to data protection
  D. The restriction of cross-border data flow

Answer(s): C

Explanation:

The OECD Guidelines, Convention 108 and the Data Protection Directive (Directive /EC) all aimed to harmonize the national data protection laws of the member states of the European Economic Community (EEC) and to establish a common framework for the protection of personal data. However, they largely failed to achieve this goal due to several reasons, such as:
The lack of political will and commitment from the member states to implement the directives fully and consistently [1][2].
The divergent interpretations and applications of the directives by different national authorities, courts and regulators [1][2].
The emergence of new technologies and challenges that required new or updated legal solutions, such as electronic communications, cookies, biometrics, cloud computing, etc. [1][2].
The influence of other regional or international initiatives that addressed some aspects of data protection differently or in conflict with the directives, such as the US Privacy Shield Framework [3].


Reference:

1: Free CIPP/E Study Guide - International Association of Privacy Professionals
2: CIPP/E Certification - International Association of Privacy Professionals
3: Schrems II: A Critical Analysis - European Data Protection Board

https://ico.org.uk/media/about-the-ico/documents/1042349/review-of-eu-dp-directive.pdf



A key component of the OECD Guidelines is the "Individual Participation Principle". What parts of the General Data Protection Regulation (GDPR) provide the closest equivalent to that principle?

  A. The lawful processing criteria stipulated by Articles 6 to 9
  B. The information requirements set out in Articles 13 and 14
  C. The breach notification requirements specified in Articles 33 and 34
  D. The rights granted to data subjects under Articles 12 to 22

Answer(s): D

Explanation:

The Individual Participation Principle is one of the Fair Information Practice Principles (FIPPs) that are not part of any legal framework, but are widely adopted by many data privacy regulations in force today [1]. The FIPPs are a set of guidelines for fair information practices that aim to protect the privacy and security of personal information. The Individual Participation Principle holds that individuals have a number of rights, including the right to have their personal data corrected or erased, the right to access and obtain confirmation of their personal data, the right to be informed about how their personal data is used and who it is shared with, and the right to object or withdraw consent for certain purposes [2].
The General Data Protection Regulation (GDPR) is a legal framework that implements the European Union's (EU) Data Protection Directive and provides comprehensive protection for all individuals within the EU regarding their personal data. The GDPR grants individuals a number of rights, such as the right to access, rectify, erase, restrict, port, object, or not be subject to automated decision-making based on their personal data. These rights are similar to those under the FIPPs and can be found in Articles 12 to 22 of the GDPR.
Therefore, the parts of the GDPR that provide the closest equivalent to the Individual Participation Principle are Articles 12 to 22.


Reference:

OECD Privacy Principles
What are the 7 main principles of GDPR?
Fair Information Practice Principles (FIPPs)
Individual Participation - International Association of Privacy Professionals
What is the right to be forgotten? | Right to erasure | Cloudflare
General Data Protection Regulation - Wikipedia



Which EU institution is vested with the competence to propose new data protection legislation on its own initiative?

  A. The European Council
  B. The European Parliament
  C. The European Commission
  D. The Council of the European Union

Answer(s): C

Explanation:

According to the CIPP/E study guide [1], the European Commission is the EU institution that has the power to propose new data protection legislation on its own initiative, as well as amend or repeal existing laws. The European Commission is also responsible for implementing and enforcing the EU data protection framework, in cooperation with other institutions and national authorities.


Reference:

1: Free CIPP/E Study Guide - International Association of Privacy Professionals

https://www.tandfonline.com/doi/full/10.1080/13600834.2019.1573501



What is an important difference between the European Court of Human Rights (ECHR) and the Court of Justice of the European Union (CJEU) in relation to their roles and functions?

  A. ECHR can rule on issues concerning privacy as a fundamental right, while the CJEU cannot.
  B. CJEU can force national governments to implement and honor EU law, while the ECHR cannot.
  C. CJEU can hear appeals on human rights decisions made by national courts, while the ECHR cannot.
  D. ECHR can enforce human rights laws against governments that fail to implement them, while the CJEU cannot.

Answer(s): B

Explanation:

The ECHR and the CJEU are part of two different legal systems: the Council of Europe and the European Union, respectively. The ECHR is a treaty that guarantees human rights and fundamental freedoms to individuals within the jurisdiction of its 47 member states. The CJEU is the judicial branch of the EU that ensures the uniform interpretation and application of EU law within its 27 member states. The ECHR can only hear complaints from individuals or states alleging violations of the rights enshrined in the convention, and it can only issue judgments that are binding on the respondent state. The CJEU, on the other hand, can hear cases from individuals, states, EU institutions, or national courts on any matter of EU law, and it can issue rulings that are binding on all EU member states and institutions. The CJEU can also impose sanctions or penalties on states that fail to comply with its judgments or EU law in general. Therefore, the CJEU has more power and authority to enforce EU law than the ECHR has to enforce human rights law.


Reference:

CIPP/E Certification
ECHR and the CJEU
The UK, the EU and a British Bill of Rights



SCENARIO

Please use the following to answer the next question:

Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:

Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester's Alumni portal.
Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
Under their security policy, the University encrypts all of its personal data records in transit and at rest.

In order to improve his teaching, Frank wants to investigate how his engineering students perform in relation to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.

One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.

Anna explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.

Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.

Which of the University's records does Anna NOT have to include in her record of processing activities?

  A. Student records
  B. Staff and alumni records
  C. Frank's performance database
  D. Department for Education records

Answer(s): C

Explanation:

According to the GDPR, a record of processing activities (RoPA) is a document that provides an overview of how personal data is processed within an organisation. It must include information on the types of personal data processed, the purposes for which the data is processed, and the measures taken to ensure the security of the data [1][2][3]. A RoPA must be kept up to date and made available to the supervisory authority upon request [1].

In this scenario, Anna does not have to include Frank's performance database in her RoPA, because it does not contain any personal data. Personal data is any information relating to an identified or identifiable natural person [4]. Frank's performance database only contains aggregated or anonymised data that cannot identify any individual student. Therefore, it does not fall under the definition of personal data under the GDPR.
However, Anna still has to complete her RoPA for all other types of records that are processed by Granchester University, such as student records, staff and alumni records, and Department for Education records. These records may contain personal data that needs to be minimised and protected in accordance with the GDPR principles [4]. Anna also has to conduct a risk analysis before processing these records, as required by Article 35(2) of the GDPR [4]. She also has to report any security incidents involving these records, as required by Article 33(3) of the GDPR [4].


Reference:

Art. 30 GDPR - Records of processing activities
How do we document our processing activities?
Records of Processing (Article 30) Guidance
GDPR Records of Processing Activities | Resources
Records of Processing Activities: A Key GDPR Compliance Requirement



Viewing page 2 of 38
Viewing questions 9 - 16 out of 295 questions