IAPP CIPP-E Exam
Certified Information Privacy Professional/Europe (CIPP/E) (Page 3)

Updated On: 1-Feb-2026

The European Parliament jointly exercises legislative and budgetary functions with which of the following?

  A. The European Commission.
  B. The Article 29 Working Party.
  C. The Council of the European Union.
  D. The European Data Protection Board.

Answer(s): C

Explanation:

According to the Treaty on European Union (TEU), the European Parliament shall, jointly with the Council, exercise legislative and budgetary functions. It shall also exercise functions of political control and consultation as laid down in the Treaties. The Council of the European Union, also known as the Council, is the institution that represents the governments of the Member States. Together with the European Parliament, it adopts European legislation and coordinates the policies of the Member States. The other options are not correct because: (A) The European Commission is the institution that proposes and implements EU policies, ensures the application of EU law, and represents the Union in international affairs; (B) The Article 29 Working Party was an advisory body composed of representatives of the national data protection authorities, the European Data Protection Supervisor and the European Commission. It was replaced by the European Data Protection Board in 2018; (D) The European Data Protection Board is an independent body that ensures the consistent application of the General Data Protection Regulation and promotes cooperation among the national data protection authorities.


Reference:

1: Article 14(1) of the TEU; 2: The Council of the European Union; 3: The European Commission; 4: Article 29 Working Party; 5: European Data Protection Board.



A U.S. company's website sells widgets.
Which of the following factors would NOT in itself subject the company to the GDPR?

  A. The widgets are offered in the EU and priced in euro.
  B. The website is in English and French, and is accessible in France.
  C. An affiliate office is located in France but the processing is in the U.S.
  D. The website places cookies to monitor the EU website user behavior.

Answer(s): B

Explanation:

According to the GDPR, the regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. The GDPR also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union. In this scenario, a U.S. company's website sells widgets to customers in the EU and places cookies to monitor their behavior. These factors would subject the company to the GDPR, as they indicate that the company is offering goods or services to, and monitoring the behavior of, data subjects in the Union. However, the fact that the website is in English and French, and is accessible in France, would not in itself subject the company to the GDPR, as these factors do not necessarily imply an intention to target customers in the Union. The language and accessibility of the website are not sufficient to establish a relevant and sufficient degree of stability and continuity of the company's activities in the Union. Therefore, the correct answer is B.


Reference:

Art. 3 GDPR - Territorial scope
Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)
What does territorial scope mean under the GDPR?



When does the European Data Protection Board (EDPB) recommend reevaluating whether a transfer tool is effectively providing a level of personal data protection that is in compliance with the European Union (EU) level?

  A. After a personal data breach.
  B. Every three (3) years.
  C. On an ongoing basis.
  D. Every year.

Answer(s): C

Explanation:

According to the EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, exporters of personal data to third countries must monitor, on an ongoing basis, developments in those third countries that could affect the level of protection of the personal data they transfer. This means that exporters must reevaluate whether the transfer tool they rely on, such as standard contractual clauses, binding corporate rules, codes of conduct, or certification mechanisms, is effectively providing a level of personal data protection that is in compliance with the EU level. The EDPB recommends that exporters document this reevaluation and any changes that result from it. The EDPB does not specify a fixed time interval for this reevaluation, but rather states that it should be done on an ongoing basis, taking into account the specific circumstances of each transfer and any relevant developments in the third country.


Reference:

https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf
EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Version 2.0, adopted on 18 June 2021, paragraphs 85-86.



Which judicial body makes decisions on actions taken by individuals wishing to enforce their rights under EU law?

  A. Court of Auditors
  B. Court of Justice of the European Union
  C. European Court of Human Rights
  D. European Data Protection Board

Answer(s): B

Explanation:

The Court of Justice of the European Union (CJEU) is the judicial body of the EU that makes decisions on issues of EU law and enforces European decisions, either in respect of actions taken by the European Commission against a member state or actions taken by individuals to enforce their rights under EU law. The CJEU consists of two courts: the Court of Justice and the General Court. The CJEU ensures the uniform interpretation and application of EU law across the EU and settles disputes between EU institutions, member states, and individuals.
The other options are not correct, as they are not judicial bodies that make decisions on actions taken by individuals wishing to enforce their rights under EU law. The Court of Auditors is the EU's independent external auditor that checks the legality and regularity of the EU's revenue and expenditure, and the soundness of its financial management. The European Court of Human Rights (ECHR) is an international court that oversees the European Convention on Human Rights and Fundamental Freedoms of 1950. The ECHR is not linked to the EU institutions, and it covers human rights law across Europe, including in many non-EU countries. The European Data Protection Board (EDPB) is an independent body that ensures the consistent application of the GDPR and issues opinions on various aspects of data protection, but it does not have judicial authority.


Reference:

Court of Justice of the European Union
Court of Justice of the European Union - International Association of Privacy Professionals
Judicial enforcement of EU law | European Foundation for the Improvement of Living and Working Conditions
Competences of the Court of Justice of the European Union
https://europa.eu/european-union/about-eu/institutions-bodies/court-justice_en



SCENARIO
Please use the following to answer the next question:
Sandy recently joined Market4U, an advertising technology company founded in 2016, as their VP of Privacy and Data Governance. Through her first initiative, conducting a data inventory, Sandy learned that Market4U maintains a list of 19 million global contacts that were collected throughout the course of Market4U's existence. Knowing the risk of having such a large amount of data, Sandy wanted to purge all contacts that were entered into Market4U's systems prior to May 2018, unless such contacts had a more recent interaction with Market4U content. However, Dan, the VP of Sales, informed Sandy that all of the contacts provide useful information regarding successful marketing campaigns and trends in industry verticals for Market4U's clients. Dan also informed Sandy that he wanted to focus on gaining more customers within the sports and entertainment industry. To support this goal, Market4U's marketing team decided to add several new fields to Market4U's website forms, including forms for downloading white papers, creating accounts to participate in Market4U's forum, and attending events. Such fields include birth date and salary.
What should Sandy give as feedback to Dan and the marketing team regarding the new fields Dan wants to add to Market4U's forms?

  A. Make all the fields optional.
  B. Only request the information in brackets (i.e., age group and salary range).
  C. Eliminate the fields, as they are not proportional to the services being offered.
  D. Eliminate the fields, as they are not necessary for the purposes of providing white papers or registration for events.

Answer(s): D

Explanation:

Sandy should give this feedback to Dan and the marketing team, as it reflects the principle of data minimization, which requires that personal data collected must be adequate, relevant and limited to what is necessary for the purposes of the processing. Collecting birth date and salary information from customers who want to download white papers or register for events is not necessary for those purposes, and may pose risks for data protection and security. Moreover, such information may fall under the category of special data, which requires explicit consent from the data subjects and can only be processed under certain conditions. The other options do not comply with the principle of data minimization, as they still involve collecting more data than needed, even if they are optional or in brackets.


Reference:

Free CIPP/E Study Guide, page 23, section 3.1
CIPP/E Certification, page 18, section 3.1
The Ultimate CIPP/E Study Guide for 2023, page 16, section 3.1
Principles - General Data Protection Regulation (GDPR), Article 5
Special categories of personal data - General Data Protection Regulation (GDPR), Article 9


