IAPP CIPP-E Exam Questions
Certified Information Privacy Professional/Europe (CIPP/E) (Page 3)

Updated On: 17-Apr-2026

SCENARIO

Please use the following to answer the next question:

Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester's Alumni portal.
Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
Under their security policy, the University encrypts all of its personal data records in transit and at rest.

In order to improve his teaching, Frank wants to investigate how his engineering students perform in relation to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.

One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.

Anna explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.

Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.

Before Anna determines whether Frank's performance database is permissible, what additional information does she need?

  1. More information about Frank's data protection training.
  2. More information about the extent of the information loss.
  3. More information about the algorithm Frank used to mask student numbers.
  4. More information about what students have been told and how the research will be used.

Answer(s): D

Explanation:

Before Anna determines whether Frank's performance database is permissible, she needs to know more information about the following aspects of the data processing:
The purpose and legal basis of the data processing, which should be clearly defined and documented in a data protection impact assessment (DPIA) or a similar document [1][2].
The nature and extent of the personal data involved, which should be limited to what is necessary for the purpose and not retained longer than necessary [1][2].
The measures taken to ensure the security and confidentiality of the personal data, such as encryption, pseudonymization, access control, etc. [1][2].
The rights and interests of the data subjects, such as their right to access, rectify, erase or restrict their personal data, as well as their right to object or withdraw consent [1][2].
The potential risks and consequences of the data processing for the rights and freedoms of the data subjects, such as identity theft, discrimination, reputational damage, etc. [1][2].

In this case, Anna needs to know more information about what students have been told and how the research will be used. This is because:
The purpose of using student records for research purposes is not clear from Frank's description. He does not specify whether he has obtained consent from the students or their parents/guardians, or whether he has informed them about his research objectives and methods.
The nature and extent of using student records for research purposes is not clear from Frank's description. He does not specify which student records he is using (e.g., by name or by reference number), how many records he is using (e.g., by cohort or by class), or how long he will keep them (e.g., until graduation or indefinitely).
The measures taken to ensure the security and confidentiality of using student records for research purposes are not clear from Frank's description. He does not specify whether he has encrypted his program or his laptop before transferring it to his home device, whether he has backed up his program or his laptop before losing it on the train, or whether he has reported his lost laptop to his IT department.

Therefore, Anna needs more information about these aspects before she can determine whether Frank's performance database is permissible under the GDPR.


Reference:

1: Free CIPP/E Study Guide - International Association of Privacy Professionals
2: CIPP/E Certification - International Association of Privacy Professionals



SCENARIO

Please use the following to answer the next question:

Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester's Alumni portal.
Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
Under their security policy, the University encrypts all of its personal data records in transit and at rest.

In order to improve his teaching, Frank wants to investigate how his engineering students perform in relation to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.

One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.

Anna explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.

Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.

Anna will find that a risk analysis is NOT necessary in this situation as long as?

  1. The data subjects are no longer current students of Frank's
  2. The processing will not negatively affect the rights of the data subjects
  3. The algorithms that Frank uses for the processing are technologically sound
  4. The data subjects gave their unambiguous consent for the original processing

Answer(s): A

Explanation:

A risk analysis is a process of identifying, assessing and mitigating the potential threats and vulnerabilities that may affect the personal data processing activities of an organization. A risk analysis is not a one-time activity, but a continuous and dynamic process that requires regular monitoring and updating. A risk analysis is also not a substitute for compliance with the GDPR, but a tool to help ensure compliance by identifying and addressing the legal obligations and best practices.

According to the GDPR, an organization must conduct a data protection impact assessment (DPIA) before starting any new or significantly increased processing activity that may pose a high risk to the rights and freedoms of the data subjects. A DPIA is a systematic and documented process that aims to identify, evaluate and mitigate the risks associated with such processing activities. A DPIA must be carried out by or on behalf of the controller (the person or entity that determines the purposes and means of processing) or by another person acting on their behalf.

In this scenario, Frank is conducting a DPIA for his new processing activity of analyzing his students' performance data in relation to Department for Education expectations. This processing activity poses a high risk to the rights and freedoms of his students, as it involves collecting, storing, using and transferring their personal data without their explicit consent or knowledge. Therefore, Frank must conduct a DPIA before starting this processing activity. However, there are some exceptions to this requirement. One of them is when the processing activity involves personal data that are no longer relevant for the original purpose for which they were collected or otherwise processed. In this case, Frank can use existing personal data without conducting a DPIA, as long as he ensures that they are adequate, relevant and limited to what is necessary for his new purpose.

Therefore, in this situation, Anna will find that a risk analysis is NOT necessary as long as the data subjects are no longer current students of Frank's. This means that Frank can use his existing student records without conducting a DPIA, as long as he ensures that they are adequate, relevant and limited to what is necessary for his new purpose.


Reference:

Risks and data protection impact assessments (DPIAs) | ICO
What Are GDPR Risk Assessments and Why Are They Important?
GDPR Compliance Risk Assessment Best Practices | Accountable
Why risk assessments are essential for GDPR compliance



Which institution has the power to adopt findings that confirm the adequacy of the data protection level in a non-EU country?

  1. The European Parliament
  2. The European Commission
  3. The Article 29 Working Party
  4. The European Council

Answer(s): B

Explanation:

According to Article 45 of the GDPR, the European Commission has the power to determine, on the basis of an assessment, whether a non-EU country, a territory or a sector within that country, or an international organisation ensures an adequate level of data protection. This means that the data protection rules and standards in that country or organisation are equivalent to those in the EU. The effect of an adequacy decision is that personal data can flow freely from the EU to that country or organisation without any further safeguards or authorisations. The European Commission has adopted adequacy decisions for several countries and organisations, such as Japan, Canada, and the EU-US Data Privacy Framework.


Reference:

Data protection adequacy for non-EU countries, Adequate Level of Protection



What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention 108?

  1. Both govern international transfers of personal data
  2. Both govern the manual processing of personal data
  3. Both only apply to European Union countries
  4. Both require notification of processing activities to a supervisory authority

Answer(s): D

Explanation:

The GDPR and the Convention 108 are two important data protection instruments that aim to protect the rights and freedoms of individuals with regard to their personal data. They both have some similarities and some differences, but one common feature is that they both require notification of processing activities to a supervisory authority.
A supervisory authority is an independent public body that monitors and enforces compliance with data protection laws. In the EU, there are 47 national data protection authorities (DPAs) that have the power to impose administrative fines, issue guidelines, conduct investigations, and cooperate with other authorities [1]. In the Council of Europe, there are 54 parties to the Convention 108 that have established their own supervisory authorities or have agreed to be supervised by an external authority [2].

Notification of processing activities is a requirement for any controller or processor of personal data that falls under the scope of the GDPR or the Convention 108. A controller is a natural or legal person who determines the purposes and means of the processing of personal data [3]. A processor is a natural or legal person who processes personal data on behalf of a controller [3]. Notification means informing the supervisory authority about certain aspects of the processing, such as:
The identity and contact details of the controller and processor
The categories and sources of personal data
The purposes and legal basis for processing
The recipients or categories of recipients of personal data
The retention period or criteria for determining it
The existence of any automated decision-making or profiling
The rights of data subjects and how they can exercise them

Notification can be done in various ways, such as:
Submitting a written notification form
Publishing a notice on a website or other platform
Sending an email or other electronic message
Using an online system or portal

Notification should be done as soon as possible after becoming aware of any relevant information about the processing. It should also be updated whenever there are significant changes in relation to the processing [4].

Therefore, both the GDPR and the Convention 108 require notification of processing activities to a supervisory authority. This is one way to ensure transparency, accountability, and compliance with data protection laws.


Reference:

https://rm.coe.int/090000168093b851



Which aspect of the GDPR will likely have the most impact on the consistent implementation of data protection laws throughout the European Union?

  1. That it essentially functions as a one-stop shop mechanism
  2. That it takes the form of a Regulation as opposed to a Directive
  3. That it makes notification of large-scale data breaches mandatory
  4. That it makes appointment of a data protection officer mandatory

Answer(s): B

Explanation:

One of the main differences between a Regulation and a Directive in the EU law is that a Regulation is directly applicable and binding in all EU member states, without the need for national implementing measures, while a Directive sets out the objectives and principles that the member states must achieve, but leaves them the choice of form and methods to transpose it into their national laws. Therefore, by taking the form of a Regulation, the GDPR aims to harmonize and unify the data protection rules across the EU, and to ensure a consistent implementation and enforcement of the data protection laws throughout the EU. The other aspects of the GDPR listed in the question, such as the one-stop shop mechanism, the mandatory notification of large-scale data breaches, and the mandatory appointment of a data protection officer, are also important features of the GDPR, but they do not have the same impact on the consistency of the data protection laws as the form of a Regulation.


Reference:

1: Difference between A Regulation And Directive (European Law)
2: EUR-Lex - 310401_2 - EN - EUR-Lex
3: EU GDPR vs. European Data Protection Directive /EC - Advisera
Difference between GDPR and Data Protection Directive - Profolus



How is the retention of communications traffic data for law enforcement purposes addressed by European data protection law?

  1. The ePrivacy Directive allows individual EU member states to engage in such data retention.
  2. The ePrivacy Directive harmonizes EU member states' rules concerning such data retention.
  3. The Data Retention Directive's annulment makes such data retention now permissible.
  4. The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal offences only.

Answer(s): B

Explanation:

The ePrivacy Directive is a European Union (EU) directive that aims to protect the confidentiality of electronic communications and prevent their indiscriminate interception or monitoring. It was adopted in 2002 and amended in 2009. It applies to all providers of electronic communication services, such as internet service providers, mobile network operators, and online platforms [1][2].

One of the main objectives of the ePrivacy Directive is to ensure that the retention of communications traffic data for law enforcement purposes is subject to strict conditions and safeguards. Communications traffic data refers to any information relating to the transmission or routing of electronic communications, such as IP addresses, timestamps, and metadata [3]. Such data can be used by competent national authorities for the prevention, investigation, detection or prosecution of criminal offences and safeguarding national security [4].

However, the ePrivacy Directive does not allow individual EU member states to engage in such data retention without harmonizing their rules. Article 6(1)(b) of the directive states that "Member States shall ensure that any measures taken by them in relation to the retention of traffic data are consistent with this Directive". Therefore, each EU member state must adopt a national law that complies with the requirements and limitations set by the directive [1][2].

The Data Retention Directive (DRD) was a previous EU directive that aimed to establish a common framework for the retention of communications traffic data for law enforcement purposes across all EU member states. It was adopted in 2006 and amended in 2010. However, it was annulled by the Court of Justice of the European Union (CJEU) in 2014 on procedural grounds. The CJEU found that some provisions of the DRD were inconsistent with other EU directives and principles, such as Article 8(2) of the Charter of Fundamental Rights (CFR), which protects individuals from arbitrary interference with their privacy [5][6].

The GDPR is a new EU regulation that implements some aspects of the DRD into national law through its provisions on processing personal data. However, it does not address directly the issue of communications traffic data retention for law enforcement purposes. Instead, it requires providers to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in processing personal data. These measures include encryption, pseudonymisation, access control, and accountability [7]. The GDPR also grants individuals certain rights regarding their personal data, such as access, rectification, erasure, portability, and objection [7].

Therefore, under current EU law, there is no single legal basis for retaining communications traffic data for law enforcement purposes across all EU member states. Each member state must adopt its own national law that respects the principles and limitations established by the ePrivacy Directive.


Reference:

ePrivacy Directive
ePrivacy Regulation
What is Communications Traffic Data?
How is Communications Traffic Data Retained?
Data Retention Directive
Data Retention Directive annulled by CJEU
General Data Protection Regulation
What are your rights regarding your personal data?

https://www.law.kuleuven.be/citip/en/archive/copy_of_publications/440retention-of-traffic-data-dumortier-goemans2f90.pdf (9)



What type of data lies beyond the scope of the General Data Protection Regulation?

  1. Pseudonymized
  2. Anonymized
  3. Encrypted
  4. Masked

Answer(s): B

Explanation:

The General Data Protection Regulation (GDPR) is a data protection law that applies to the processing of personal data of individuals in the European Union (EU) and the European Economic Area (EEA). Personal data is any information relating to an identified or identifiable natural person, such as name, address, email, phone number, etc. [1][2]. The GDPR does not apply to personal data that is anonymized, meaning that it cannot be linked back to a specific individual [1][2]. Anonymization can be achieved by removing or masking any identifying information from the data, such as using pseudonyms, aggregating or generalizing the data, or applying statistical methods [1][2]. Therefore, the type of data that lies beyond the scope of the GDPR is anonymized data.


Reference:

1: Free CIPP/E Study Guide - International Association of Privacy Professionals
2: CIPP/E Certification - International Association of Privacy Professionals

https://www.datainspektionen.se/other-lang/in-english/the-general-data-protection-regulation-gdpr/the-purposes-and-scope-of-the-general-data-protection-regulation/
https://commission.europa.eu/law/law-topic/data-protection/reform/what-personal-data_en#:~:text=Different%20pieces%20of%20information%2C%20which,the%20scope%20of%20the%20GDPR.

B. ANONYMIZED
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR. Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.



Under what circumstances would the GDPR apply to personal data that exists in physical form, such as information contained in notebooks or hard copy files?

  1. Only where the personal data is produced as a physical output of specific automated processing activities, such as printing, labelling, or stamping.
  2. Only where the personal data is to be subjected to specific computerized processing, such as image scanning or optical character recognition.
  3. Only where the personal data is treated by automated means in some way, such as computerized distribution or filing.
  4. Only where the personal data is handled in a sufficiently structured manner so as to form part of a filing system.

Answer(s): D

Explanation:

The GDPR applies to all personal data, regardless of whether it exists in physical form or not. The GDPR defines personal data as any information relating to an identified or identifiable natural person, such as names, identification numbers, location data, or online identifiers [1]. Therefore, any information that can be linked directly or indirectly to a natural person is considered personal data under the GDPR.
However, the GDPR also distinguishes between different types of processing activities and their legal bases. Processing activities are the operations performed on personal data, such as collection, storage, use, disclosure, or deletion. Processing activities can be either automated or manual. Automated processing means using technology to perform processing activities without human intervention. Manual processing means using human intervention to perform processing activities. The GDPR requires that any processing activity that involves personal data must comply with certain principles and conditions, such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality. These principles and conditions apply to both automated and manual processing activities.

Therefore, the GDPR applies to personal data that exists in physical form only when it is processed by an automated means in some way that affects its rights and freedoms. For example, if a company scans paper documents and stores them electronically in a database without deleting them after a certain period of time or when they are no longer needed for the original purpose for which they were collected (Article 6), then this would be considered an automated processing activity that involves personal data in physical form.
However, the GDPR does not apply to personal data that exists in physical form when it is handled in a sufficiently structured manner so as to form part of a filing system. For example, if a company keeps paper documents in folders labeled with names and dates on their office shelves without scanning them or storing them electronically anywhere else (Article 5), then this would not be considered an automated processing activity that involves personal data in physical form.


Reference:

Physical Data - GDPR Summary
What GDPR Means for Your Physical Records - Access
Personal Data - Data Protection Act 2018

https://www.zimmerslaw.com/english-1/data-protection/



Viewing page 3 of 38
Viewing questions 17 - 24 out of 295 questions


