Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. IAPP
  5. CIPP-E

IAPP CIPP-E Exam
Certified Information Privacy Professional/Europe (CIPP/E) (Page 4 )

Updated On: 1-Feb-2026
Page 4 of 55
PDF with 307 Questions

SCENARIO
Please use the following to answer the next question:
Sandy recently joined Market4U, an advertising technology company founded in 2016, as their VP of Privacy and Data Governance. Through her first initiative in conducting a data inventory, Sandy learned that Market4U maintains a list of 19 million global contacts that were collected throughout the course of Market4U's existence. Knowing the risk of having such a large amount of data, Sandy wanted to purge all contacts that were entered into Market4U's systems prior to May 2018, unless such contacts had a more recent interaction with Market4U content. However, Dan, the VP of Sales, informed Sandy that all of the contacts provide useful information regarding successful marketing campaigns and trends in industry verticals for Market4U's clients. Dan also informed Sandy that he had wanted to focus on gaining more customers within the sports and entertainment industry. To assist with this behavior, Market4U's marketing team decided to add several new fields to Market4U's website forms, including forms for downloading white papers, creating accounts to participate in Market4U's forum, and attending events. Such fields include birth date and salary.
What is the best way that Sandy can gain the insights that Dan seeks while still minimizing risks for Market4U?

  1. Conduct analysis only on anonymized personal data.
  2. Conduct analysis only on pseudonymized personal data.
  3. Delete all data collected prior to May 2018 after conducting the trend analysis.
  4. Procure a third party to conduct the analysis and delete the data from Market4U's systems.

Answer(s): B

Explanation:

According to the GDPR, pseudonymization is a technique that replaces or removes information in a data set that identifies an individual. Pseudonymized data can no longer be attributed to a specific data subject without the use of additional information, which is kept separately and subject to technical and organizational measures to ensure non-attribution. Pseudonymization is not a method of anonymization, which means that the data is irreversibly altered in such a way that a data subject can no longer be identified. Pseudonymized data is still considered personal data and subject to the GDPR, but it benefits from some relaxations of the rules, such as the possibility of further processing for compatible purposes, the exemption from some data subject rights, and the facilitation of data transfers.
In this scenario, Market4U is an advertising technology company that collects and processes a large amount of personal data from its contacts, including sensitive data such as birth date and salary. This data can be used to gain insights into the preferences and behavior of its potential customers, as well as to identify trends and opportunities in different industry verticals. However, this data also poses significant risks for Market4U, such as data breaches, non-compliance, reputational damage, and legal liability. Therefore, Market4U needs to apply the principle of data minimization, which means that it should only collect and process the data that is necessary and relevant for its purposes, and delete the data that is no longer needed.
One of the ways that Market4U can achieve data minimization is by pseudonymizing the personal data that it uses for analysis. By doing so, Market4U can reduce the risks associated with the processing of personal data, while still retaining the utility and value of the data for its purposes. Pseudonymization can also help Market4U to comply with other GDPR principles, such as purpose limitation, storage limitation, and integrity and confidentiality. Pseudonymization can also enable Market4U to rely on legitimate interests as a legal basis for the processing of personal data for analysis, as long as it conducts a balancing test and respects the rights and interests of the data subjects.
Therefore, the best way that Sandy can gain the insights that Dan seeks while still minimizing risks for Market4U is to conduct analysis only on pseudonymized personal data. This option would allow Market4U to use the data for its legitimate business purposes, without compromising the privacy and security of the data subjects.
The other options are incorrect because:
A) Conducting analysis only on anonymized personal data would not be feasible or effective for Market4U, as anonymization is a very difficult and complex process that requires the removal or alteration of any information that can identify an individual, directly or indirectly. Anonymization may also result in the loss of accuracy, quality, and utility of the data, which would undermine the value and purpose of the analysis. Moreover, anonymization is irreversible, which means that Market4U would not be able to restore the original data if needed.
C) Deleting all data collected prior to May 2018 after conducting the trend analysis would not be compliant with the GDPR, as it would violate the principle of storage limitation, which requires that personal data should be kept only for as long as necessary for the purposes for which it is processed. Market4U cannot justify the retention of the data for longer than needed, especially if the data is outdated, irrelevant, or excessive. Moreover, deleting the data after the analysis would not eliminate the risks associated with the processing of the data, such as data breaches or unauthorized access.
D) Procuring a third party to conduct the analysis and delete the data from Market4U's systems would not be a good solution for Market4U, as it would involve the transfer of personal data to another data controller or processor, which would require additional safeguards and obligations under the GDPR. Market4U would still be responsible for ensuring the compliance and security of the data, and would have to enter into a data processing agreement with the third party, as well as inform and obtain the consent of the data subjects, if applicable. Furthermore, procuring a third party would entail additional costs and risks for Market4U, such as losing control and visibility over the data, or exposing the data to unauthorized or unlawful processing by the third party.


Reference:

Article 4(5) of the GDPR2 Anonymisation | ICO23 Pseudonymisation | ICO34 Data minimisation | ICO45 Guidelines 4/2019 on Article 25 Data Protection by Design and by Default | European Data Protection Board56 Legitimate interests | ICO67 Contracts | ICO7.



A data controller appoints a data protection officer.
Which of the following conditions would NOT result in an infringement of Articles 37 to 39 of the GDPR?

  1. If the data protection officer lacks ISO 27001 auditor certification.
  2. If the data protection officer is provided by the data processor.
  3. If the data protection officer also manages the marketing budget.
  4. If the data protection officer receives instructions from the data controller.

Answer(s): A


Reference:

https://www.itgovernance.eu/fr-lu/data-protection-officer-dpo-under-the-gdpr-lu A data controller appointing a data protection officer who lacks ISO 27001 auditor certification would not result in an infringement of Articles 37 to 39 of the GDPR. According to Article 37 (5) of the GDPR, the data protection officer must be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39 1. However, the GDPR does not specify any formal qualifications or certifications that the data protection officer must have, and leaves it to the discretion of the controller or the processor to determine the level of expertise required, depending on the complexity and sensitivity of the data processing activities 2. Therefore, the lack of ISO 27001 auditor certification, which is a standard for information security management systems, does not necessarily mean that the data protection officer is not qualified or competent for the role. The other options are incorrect because they would result in an infringement of Articles 37 to 39 of the GDPR. According to Article 37 (6) of the GDPR, the data protection officer may be a staff member of the controller or the processor, or fulfil the tasks on the basis of a service contract 1. However, the data protection officer must be independent and report directly to the highest management level of the controller or the processor 3. Therefore, if the data protection officer is provided by the data processor, there may be a conflict of interest or a lack of autonomy, which would violate Article 38 (3) and (6) of the GDPR 4.
According to Article 38 (6) of the GDPR, the data protection officer may fulfil other tasks and duties, provided that they do not result in a conflict of interests 4. However, managing the marketing budget would likely involve a conflict of interests, as the data protection officer would have to oversee and advise on the data processing activities related to marketing, which may not be compatible with his or her role as a data protection officer 5. Therefore, if the data protection officer also manages the marketing budget, this would infringe Article 38 (6) of the GDPR 4. According to Article 38 (3) of the GDPR, the data protection officer must not receive any instructions regarding the exercise of his or her tasks 4. The data protection officer must act in an independent manner and perform the tasks assigned by the GDPR, such as informing and advising the controller or the processor and the employees, monitoring compliance, cooperating with the supervisory authority, and acting as the contact point for data subjects and the supervisory authority 6. Therefore, if the data protection officer receives instructions from the data controller, this would infringe Article 38 (3) of the GDPR 4.

1: Article 37 of the GDPR 2: Guidelines on Data Protection Officers (`DPOs') 3: Article 38 (2) of the GDPR 4: Article 38 of the GDPR 5: Data protection officer (DPO) | European Commission 6: Article 39 of the GDPR



Data retention in the EU was underpinned by a legal framework established by the Data Retention Directive (2006/24/EC).
Why is the Directive no longer part of EU law?

  1. The Directive was superseded by the EU Directive on Privacy and Electronic Communications.
  2. The Directive was superseded by the General Data Protection Regulation.
  3. The Directive was annulled by the Court of Justice of the European Union.
  4. The Directive was annulled by the European Court of Human Rights.

Answer(s): C

Explanation:

The Data Retention Directive (2006/24/EC) was a legal framework that required Member States to ensure that providers of publicly available electronic communications services or of public communications networks retained certain data for a period of between six months and two years, for the purpose of the prevention, investigation, detection and prosecution of serious crime. However, on 8 April 2014, the Court of Justice of the European Union (CJEU) declared the Directive invalid, as it entailed a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without limiting the access of the competent national authorities to the data retained to what was strictly necessary. The CJEU also found that the Directive did not provide sufficient safeguards to ensure effective protection of the data against the risk of abuse and against any unlawful access and use of the data. Therefore, the Directive is no longer part of EU law.


Reference:

Directive 2006/24/EC of the European Parliament and of the Council Court of Justice of the European Union PRESS RELEASE No 54/14 I hope this helps you understand the GDPR and data retention better. If you have any other questions, please feel free to ask me.



Which of the following is the weakest lawful basis for processing employee personal data?

  1. Processing based on fulfilling an employment contract.
  2. Processing based on employee consent.
  3. Processing based on legitimate interests.
  4. Processing based on legal obligation.

Answer(s): B


Reference:

https://www.itgovernance.co.uk/blog/gdpr-lawful-bases-for-processing-with-examples According to the GDPR, consent is one of the six lawful bases for processing personal data, but it is not always the most appropriate one. Consent must be freely given, specific, informed and unambiguous, and the data subject must have the right to withdraw it at any time. In the context of employment, consent is often not a valid lawful basis, because there is a clear imbalance of power between the employer and the employee, which means that the consent is not freely given. Moreover, consent can be difficult to manage and document, and it can pose practical problems if the employee withdraws it. Therefore, consent is the weakest lawful basis for processing employee personal data, and employers should rely on other lawful bases, such as contract, legal obligation, vital interests, public task or legitimate interests, depending on the purpose and necessity of the processing.

1: Article 4(11) and Article 7 of the GDPR; 2: [EDPB Guidelines], page 6; 3: A Guide to Lawful Basis for Processing Employee Personal Data.



An organization receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal data. Under what condition can the organization charge the data subject a fee for processing the request?

  1. Only where the organization can show that it is reasonable to do so because more than one request was made.
  2. Only to the extent this is allowed under the restrictions on data subjects' rights introduced under Art 23 of GDPR.
  3. Only where the administrative costs of taking the action requested exceeds a certain threshold.
  4. Only if the organization can demonstrate that the request is clearly excessive or misguided.

Answer(s): D


Reference:

https://gdpr-info.eu/art-23-gdpr/
According to the GDPR, data subjects have the right to access, rectify, erase, restrict, port and object to the processing of their personal data. These rights are not absolute and may be subject to limitations and conditions. One of these conditions is that the controller may charge a reasonable fee for the administrative costs of complying with the request if it is manifestly unfounded or excessive, in particular because of its repetitive character (Art 12(5) of GDPR). The controller has the burden of proving the manifestly unfounded or excessive character of the request. The fee must not exceed the actual costs incurred by the controller and must not prevent the exercise of the data subject's rights.

GDPR, Art 12(5)
Free CIPP/E Study Guide, p. 13
European Data Protection Law & Practice, p. 121



Viewing page 4 of 55
Viewing questions 16 - 20 out of 307 questions



Post your Comments and Discuss IAPP CIPP-E exam prep with other Community members:

Join the CIPP-E Discussion