Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. IAPP
  5. CIPP-E

IAPP CIPP-E Exam Questions
Certified Information Privacy Professional/Europe (CIPP/E) (Page 5 )

Updated On: 17-Apr-2026
Page 5 of 38
PDF with 295 Questions

According to the GDPR, how is pseudonymous personal data defined?

  1. Data that can no longer be attributed to a specific data subject without the use of additional
    information
    kept separately.
  2. Data that can no longer be attributed to a specific data subject, with no possibility of re-identifying the data.
  3. Data that has been rendered anonymous in such a manner that the data subject is no longer identifiable.
  4. Data that has been encrypted or is subject to other technical safeguards.

Answer(s): A

Explanation:

Pseudonymisation is a technique that replaces, removes or transforms information that identifies individuals, and keeps that information separate from the rest of the data. Pseudonymised data is still personal data under the GDPR, because it can be re-identified with the use of additional information. However, pseudonymisation can reduce the risks of processing personal data and help comply with data protection principles and obligations. Pseudonymisation is different from anonymisation, which is the process of irreversibly transforming personal data so that the data subject is no longer identifiable.


Reference:

GDPR Article 4(5), which defines pseudonymisation.
GDPR Recital 26, which explains the difference between pseudonymisation and anonymisation. EDPS blog post, which provides an overview of pseudonymisation and its benefits. ICO guidance, which gives practical advice on how to implement pseudonymisation.

https://www.chino.io/blog/what-is-pseudonymous-data-according-to-the-gdpr/



Under which of the following conditions does the General Data Protection Regulation NOT apply to the processing of personal data?

  1. When the personal data is processed only in non-electronic form
  2. When the personal data is collected and then pseudonymised by the controller
  3. When the personal data is held by the controller but not processed for further purposes
  4. When the personal data is processed by an individual only for their household activities

Answer(s): D

Explanation:

The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system1. However, the GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity2. This means that individuals can process personal data without being subject to the GDPR, as long as the processing is not related to a professional or commercial activity. For example, the GDPR does not apply to an individual who keeps a personal address book or who posts photos of their family and friends on a social media platform, as long as the platform is not used for business purposes3.


Reference:

1: Article 2(1) of the GDPR
2: Article 2(2)© of the GDPR
3: Recital 18 of the GDPR

https://gdpr-info.eu/art-6-gdpr/



According to the E-Commerce Directive
/EC, where is the place of "establishment" for a company providing services via an Internet website confirmed by the GDPR?

  1. Where the technology supporting the website is located
  2. Where the website is accessed
  3. Where the decisions about processing are made
  4. Where the customer's Internet service provider is located

Answer(s): C

Explanation:

According to the E-Commerce Directive
/EC, the place of establishment for a company providing services via an Internet website is the place where the service provider effectively pursues an economic activity through a fixed establishment for an indefinite period of time. The presence and use of the technical means and technologies required to provide the service do not, in themselves, constitute an establishment of the provider. The place of establishment is determined by the place where the decisions about processing are made, not by the place where the technology supporting the website is located, where the website is accessed, or where the customer's Internet service provider is located. This is confirmed by the GDPR, which applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not.


Reference:

E-Commerce Directive
/EC, Article 2(a), Recital 191 GDPR, Article 3(1)2

https://www.ohiobar.org/member-tools-benefits/publications/Ohio-Lawyer/the- european-general- data-protection-regulation-gdpr/



SCENARIO
Please use the following to answer the next question:
Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers' data to third parties, and he's convinced that Accidentable must have gotten his information from Bedrock Insurance. Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.

Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.
In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes. Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis's contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.
Accidentable's response letter confirms Louis's suspicions. Accidentable is Bedrock Insurance's wholly owned subsidiary, and they received information about Louis's accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis's contract included, a provision in which he agreed to share his information with Bedrock's affiliates for business purposes.
Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system. Which statement accurately summarizes Bedrock's obligation in regard to Louis's data portability request?

  1. Bedrock does not have a duty to transfer Louis's data to Zantrum if doing so is legitimately not technically feasible.
  2. Bedrock does not have to transfer Louis's data to Zantrum because the right to data portability does not apply where personal data are processed in order to carry out tasks in the public interest.
  3. Bedrock has failed to comply with the duty to transfer Louis's data to Zantrum because the duty applies wherever personal data are processed by automated means and necessary for the performance of a contract with the customer.
  4. Bedrock has failed to comply with the duty to transfer Louis's data to Zantrum because it has an obligation to develop commonly used, machine-readable and interoperable formats so that all customer data can be ported to other insurers on request.

Answer(s): B



SCENARIO

Please use the following to answer the next question:

Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers' data to third parties, and he's convinced that Accidentable must have gotten his information from Bedrock Insurance.

Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.

Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.

In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.

Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis's contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.

In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.

Accidentable's response letter confirms Louis's suspicions. Accidentable is Bedrock Insurance's wholly owned subsidiary, and they received information about Louis's accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis's contract included, a provision in which he agreed to share his information with Bedrock's affiliates for business purposes.

Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.

After Louis has exercised his right to restrict the use of his data, under what conditions would Accidentable have grounds for refusing to comply?

  1. If Accidentable is entitled to use of the data as an affiliate of Bedrock.
  2. If Accidentable also uses the data to conduct public health research.
  3. If the data becomes necessary to defend Accidentable's legal rights.
  4. If the accuracy of the data is not an aspect that Louis is disputing.

Answer(s): A



Under the GDPR, who would be LEAST likely to be allowed to engage in the collection, use, and disclosure of a data subject's sensitive medical information without the data subject's knowledge or consent?

  1. A member of the judiciary involved in adjudicating a legal dispute involving the data subject and concerning the health of the data subject.
  2. A public authority responsible for public health, where the sharing of such information is considered necessary for the protection of the general populace.
  3. A health professional involved in the medical care for the data subject, where the data subject's life hinges on the timely dissemination of such information.
  4. A journalist writing an article relating to the medical condition in QUESTION, who believes that the publication of such information is in the public interest.

Answer(s): D

Explanation:

The GDPR defines data concerning health as a special category of personal data that is subject to specific processing conditions and safeguards. The GDPR prohibits the processing of such data unless one of the exceptions in Article 9 applies. One of these exceptions is the explicit consent of the data subject, which means that the data subject has given a clear and affirmative indication of their agreement to the processing of their health data. Another exception is when the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care. A third exception is when the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services. These exceptions are based on the principle of necessity, which means that the processing must be strictly necessary for a specific purpose and cannot be achieved by other means. In the given scenario, the journalist does not fall under any of these exceptions. The journalist is not a health professional, a public authority, or a person who has obtained the explicit consent of the data subject. The journalist is not processing the data for any legitimate purpose related to public health, medical care, or social protection. The journalist is merely pursuing their own interest in publishing a story that may or may not be in the public interest. The journalist is not respecting the data subject's rights and freedoms, especially their right to privacy and confidentiality. Therefore, the journalist would be least likely to be allowed to engage in the collection, use, and disclosure of the data subject's sensitive medical information without their knowledge or consent.


Reference:

Article 4 (15) and Article 9 of the GDPR
Health data | ICO
What does the GDPR mean for personal data in medical reports? Sensitive data and medical confidentiality - FutureLearn Health data and data privacy: storing sensitive data under GDPR

https://www.eui.eu/Documents/ServicesAdmin/DeanOfStudies/ResearchEthics/Guide- Data- Protection-Research.pdf



With the issue of consent, the GDPR allows member states some choice regarding what?

  1. The mechanisms through which consent may be communicated
  2. The circumstances in which silence or inactivity may constitute consent
  3. The age at which children must be required to obtain parental consent
  4. The timeframe in which data subjects are allowed to withdraw their consent

Answer(s): C

Explanation:

The GDPR states that the parental consent mechanism generally applies when the child is younger than 16 years1. Processing personal data will be lawful only if the child's parent or custodian has consented to such processing2. However, Member States are allowed to lower this threshold in national legislation up to 13 years old3. This means that Member States have some choice regarding the age limit for children's consent, as long as it is not below 13 years. The GDPR also requires that the consent request is clear and understandable for the child, and that the controller makes reasonable efforts to verify that the consent is given or authorised by the holder of parental responsibility4.


Reference:

CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, GDPR - EUR-Lex, Complying with the GDPR when vulnerable people use smart devices I hope this helps. If you have any other questions, please let me know. .

https://gdpr-info.eu/issues/consent/



Which sentence BEST summarizes the concepts of "fairness," "lawfulness" and "transparency", as expressly required by Article 5 of the GDPR?

  1. Fairness and transparency refer to the communication of key information before collecting data; lawfulness refers to compliance with government regulations.
  2. Fairness refers to limiting the amount of data collected from individuals; lawfulness refers to the approval of company guidelines by the state; transparency solely relates to communication of key information before collecting data.
  3. Fairness refers to the security of personal data; lawfulness and transparency refers to the analysis of ordinances to ensure they are uniformly enforced.
  4. Fairness refers to the collection of data from diverse subjects; lawfulness refers to the need for legal rules to be uniform; transparency refers to giving individuals access to their data.

Answer(s): A

Explanation:

According to the UK GDPR, the processing of personal data must be lawful, fair and transparent1. Lawfulness means that there must be a valid legal basis for processing personal data, such as consent, contract, legal obligation, vital interests, public task or legitimate interests1. Fairness means that the processing must not be detrimental, unexpected or misleading to the individuals concerned1. Transparency means that the individuals must be informed about how their data is used, who it is shared with, what rights they have and how they can exercise them1. Therefore, the sentence that best summarizes these concepts is option A, which states that fairness and transparency refer to the communication of key information before collecting data; lawfulness refers to compliance with government regulations.


Reference:

1 https://ico.org.uk/for- organisations-2/guide-to-data-protection/guide-to-the-general-data-protection-regulation- gdpr/principles/lawfulness-fairness-and-transparency/



Viewing page 5 of 38
Viewing questions 33 - 40 out of 295 questions



Post your Comments and Discuss IAPP CIPP-E exam dumps with other Community members:

CIPP-E Exam Discussions & Posts

AI Tutor AI Tutor 👋 I’m here to help!