IAPP CIPP-E Exam
Certified Information Privacy Professional/Europe (CIPP/E) (Page 5)

Updated On: 1-Feb-2026

To receive a preliminary interpretation on provisions of the GDPR, a national court will refer its case to which of the following?

  A. The Court of Justice of the European Union.
  B. The European Data Protection Supervisor.
  C. The European Court of Human Rights.
  D. The European Data Protection Board.

Answer(s): A


Reference:

https://www.privacy-regulation.eu/en/recital-143-GDPR.htm

The Court of Justice of the European Union (CJEU) is the judicial body of the EU that makes decisions on issues of EU law and enforces European decisions, either in respect of actions taken by the European Commission against a member state or actions taken by individuals to enforce their rights under EU law. The CJEU consists of two courts: the Court of Justice and the General Court. The CJEU ensures the uniform interpretation and application of EU law across the EU and settles disputes between EU institutions, member states, and individuals. According to the EU Treaties, EU Member States' courts may, or, where no appeal from their decisions is possible, must, ask the CJEU to rule on the interpretation and validity of disputed provisions of EU law. Such decisions are known as preliminary rulings, by which the CJEU exercises its ultimate authority to interpret EU law and which are binding on all national courts in the EU when they apply those specific provisions in individual cases. Since May 2018, when the GDPR became applicable across the EU, the CJEU has played an important role in clarifying the meaning and scope of some of its key concepts. For instance, the Court notably ruled that two parties as different as a website owner that has embedded a Facebook plugin and Facebook may be qualified as joint controllers by taking converging decisions (Fashion ID case), that consent for online data processing is not validly expressed through pre-ticked boxes (Planet49 case), and that the European Commission Decision granting adequacy to the EU-US Privacy Shield framework is invalid as a mechanism for international data transfers, so that supplemental measures may be necessary to lawfully transfer data outside of the EU on the basis of Commission-vetted model clauses (Schrems II case).
Therefore, to receive a preliminary interpretation on provisions of the GDPR, a national court will refer its case to the Court of Justice of the European Union, which is the ultimate authority on EU law and the GDPR.


GDPR
Court of Justice of the European Union
Court of Justice of the European Union - International Association of Privacy Professionals
Judicial enforcement of EU law | European Foundation for the Improvement of Living and Working Conditions
Competences of the Court of Justice of the European Union



A grade school is planning to use facial recognition to track student attendance.
Which of the following may provide a lawful basis for this processing?

  A. The school places a notice near each camera.
  B. The school gets explicit consent from the students.
  C. Processing is necessary for the legitimate interests pursued by the school.
  D. A state law requires facial recognition to verify attendance.

Answer(s): B


Reference:

https://www.jdsupra.com/legalnews/let-s-face-it-facial-recognition-1134180/

The use of facial recognition technology to track student attendance involves the processing of biometric data, which is a special category of personal data under the GDPR. Such data can only be processed under certain conditions, one of which is the explicit consent of the data subject. Therefore, the school may provide a lawful basis for this processing if it obtains the explicit consent of the students (or their legal guardians, if the students are minors). The consent must be freely given, specific, informed and unambiguous, and the students must have the right to withdraw their consent at any time. The other options do not provide a lawful basis for this processing, as they do not meet the requirements for processing special categories of data. Placing a notice near each camera does not constitute consent, nor does it comply with the transparency principle. Processing for the legitimate interests of the school may be a valid basis for processing personal data in general, but not for processing biometric data, unless it is authorised by a specific law that provides suitable safeguards. A state law that requires facial recognition to verify attendance may also be a valid basis for processing personal data in general, but not for processing biometric data, unless it is necessary for reasons of substantial public interest and provides suitable safeguards.

Free CIPP/E Study Guide, page 24, section 3.2
CIPP/E Certification, page 19, section 3.2
Cipp-e Study guides, Class notes & Summaries, page 17, section 3.2
Special categories of personal data - General Data Protection Regulation (GDPR), Article 9
Consent - General Data Protection Regulation (GDPR), Article 7
Principles - General Data Protection Regulation (GDPR), Article 5
Lawfulness of processing - General Data Protection Regulation (GDPR), Article 6



SCENARIO

Please use the following to answer the next question:
ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data. Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain's locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.
Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.
What is the time period in which Mike should receive a response to his request?

  A. Not more than one month of receipt of Mike's request.
  B. Not more than two months after verifying Mike's identity.
  C. When all the information about Mike has been collected.
  D. Not more than thirty days after submission of Mike's request.

Answer(s): A

Explanation:

According to the GDPR, the right of access by the data subject is one of the rights granted to individuals to obtain information about the processing of their personal data by a data controller. The data controller must provide a copy of the personal data undergoing processing and additional information, such as the purposes, the categories, the recipients, the retention period, the rights, the source, and any automated decision-making involved in the processing. The data controller must also inform the data subject of the existence of the right of access and the means to exercise it. The GDPR also specifies the time limit for responding to a data subject access request. The data controller must provide the information without undue delay and in any event within one month of receipt of the request. This period may be extended by two further months where necessary, taking into account the complexity and number of the requests, but the data controller must inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. The data controller must also verify the identity of the data subject before providing the information, but this verification should not extend the time limit for responding to the request.
In this scenario, Mike is an EU resident who has booked travel itineraries through XYZ Travel Agency and stayed at ABC Hotel Chain's locations. Both companies are U.S.-based multinational companies that use a common platform for collecting and sharing their customer data. Mike has signed the agreement to be a rewards program member of XYZ Travel Agency. Mike wants to know what personal information the company holds about him and sends an email requesting access to his data. Assuming that both companies are subject to the GDPR, either because they offer goods or services to individuals in the EU or because they monitor the behavior of individuals in the EU [4], they must comply with the right of access by the data subject and provide Mike with the information he requests. The time period in which Mike should receive a response to his request is not more than one month of receipt of his request, unless there are grounds for extending the period by two further months. The companies must also verify Mike's identity before providing the information, but this verification should not affect the time limit for responding to the request. Therefore, the correct answer is A. Not more than one month of receipt of Mike's request.


Reference:

1: Article 15 of the GDPR; 2: Articles 13 and 14 of the GDPR; 3: Guidelines on the right to data portability | European Data Protection Board; 4: Article 3 of the GDPR.



SCENARIO
Please use the following to answer the next question:
ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data. Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain's locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.
Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.
What are ABC Hotel Chain and XYZ Travel Agency's roles in this relationship?

  A. ABC Hotel Chain is the controller and XYZ Travel Agency is the processor.
  B. XYZ Travel Agency is the controller and ABC Hotel Chain is the processor.
  C. ABC Hotel Chain and XYZ Travel Agency are independent controllers.
  D. ABC Hotel Chain and XYZ Travel Agency are joint controllers.

Answer(s): D

Explanation:

ABC Hotel Chain and XYZ Travel Agency are joint controllers in this relationship, because they jointly determine the purposes and means of the processing of personal data of their customers. According to Article 26 of the GDPR, joint controllers are two or more controllers who jointly participate in the decision-making process regarding the processing of personal data [1]. In this scenario, ABC Hotel Chain and XYZ Travel Agency use a common platform for collecting and sharing customer data, and they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data. Therefore, they have a common influence on the processing of personal data and share a common objective of integrating their marketing efforts. Moreover, they offer a rewards program that allows customers to sign up to accumulate points that can be redeemed for free travel, which implies a joint benefit from the processing of personal data. The other options are not correct because they do not reflect the actual roles of ABC Hotel Chain and XYZ Travel Agency in this relationship. A controller is a natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data [2]. A processor is a natural or legal person who processes personal data on behalf of the controller [3]. In this scenario, neither ABC Hotel Chain nor XYZ Travel Agency acts solely or on behalf of the other in processing the personal data of their customers. Rather, they act together in a collaborative manner and share the responsibility and accountability for the processing of personal data. Therefore, they are joint controllers, not independent controllers or controller and processor.


Reference:

1: Article 26 of the GDPR; 2: Article 4(7) of the GDPR; 3: Article 4(8) of the GDPR.



SCENARIO
Please use the following to answer the next question:
ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data. Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain's locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.
Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.
In which of the following situations would ABC Hotel Chain and XYZ Travel Agency NOT have to honor Mike's data access request?

  A. The request is to obtain access and correct inaccurate personal data in his profile.
  B. The request is to obtain access and information about the purpose of processing his personal data.
  C. The request is to obtain access and erasure of his personal data while keeping his rewards membership.
  D. The request is to obtain access and the categories of recipients who have received his personal data to process his rewards membership.

Answer(s): C

Explanation:

According to the GDPR, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject [1]. The data subject also has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her [2]. Therefore, options A, B and D are valid data access requests that ABC Hotel Chain and XYZ Travel Agency have to honor, as they fall within the scope of the right of access and rectification. However, option C is not a valid data access request, as it involves the right to erasure, which is a separate right from the right of access.
The right to erasure, also known as the right to be forgotten, entitles the data subject to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; (c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) [3].
However, the right to erasure is not absolute and does not apply where processing is necessary: (a) for exercising the right of freedom of expression and information; (b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3); (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or (e) for the establishment, exercise or defence of legal claims [4]. In this scenario, Mike's request to obtain access and erasure of his personal data while keeping his rewards membership is not a valid data access request, as it contradicts the right to erasure. If Mike wants to exercise his right to erasure, he has to withdraw his consent for the processing of his personal data by ABC Hotel Chain and XYZ Travel Agency, which means that he cannot keep his rewards membership, as it is based on the processing of his personal data. Moreover, ABC Hotel Chain and XYZ Travel Agency may have other legal grounds for retaining his personal data, such as compliance with a legal obligation or the establishment, exercise or defence of legal claims. Therefore, option C is the correct answer, as it is the only situation where ABC Hotel Chain and XYZ Travel Agency do not have to honor Mike's data access request.


Reference:

1: Article 15 of the GDPR; 2: Article 16 of the GDPR; 3: Article 17(1) of the GDPR; 4: Article 17(3) of the GDPR; Free CIPP/E Study Guide, pages 33-35.



Viewing page 5 of 55
Viewing questions 21 - 25 out of 307 questions


