Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. IAPP
  5. CIPP-E

IAPP CIPP-E Exam Questions
Certified Information Privacy Professional/Europe (CIPP/E) (Page 6 )

Updated On: 18-Apr-2026
Page 6 of 38
PDF with 295 Questions

Article 5(1)(b) of the GDPR states that personal data must be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes." Based on Article 5(1)(b),

what is the impact of a member state's interpretation of the word "incompatible"?

  1. It dictates the level of security a processor must follow when using and storing personal data for two different purposes.
  2. It guides the courts on the severity of the consequences for those who are convicted of the intentional misuse of personal data.
  3. It sets the standard for the level of detail a controller must record when documenting the purpose for collecting personal data.
  4. It indicates the degree of flexibility a controller has in using personal data in ways that may vary from its original intended purpose.

Answer(s): D

Explanation:

The purpose limitation principle requires that personal data be collected for specified, explicit and legitimate purposes and not be further processed in a manner that is incompatible with those purposes. However, the GDPR does not provide a clear definition of what constitutes an incompatible purpose. Instead, it leaves room for interpretation by the member states, taking into account the context and circumstances of the processing. This means that the degree of flexibility a controller has in using personal data for a new purpose may vary depending on the member state's law and guidance. Some factors that may affect the compatibility assessment include the link between the original and the new purpose, the expectations of the data subject, the nature of the data, the impact of the further processing, and the safeguards applied by the controller.


Reference:

GDPR Article 5(1)(b), which states the purpose limitation principle. GDPR Article 6(4), which lists the criteria for assessing the compatibility of a new purpose. ICO guidance, which explains the purpose limitation principle and provides examples of compatible and incompatible purposes.
[EDPB guidelines], which provide further guidance on the application of the purpose limitation
principle.



Tanya is the Data Protection Officer for Curtains Inc., a GDPR data controller. She has recommended that the company encrypt all personal data at rest. Which GDPR principle is she following?

  1. Accuracy
  2. Storage Limitation
  3. Integrity and confidentiality
  4. Lawfulness, fairness and transparency

Answer(s): C

Explanation:

The GDPR requires that personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures1. This principle is known as integrity and confidentiality, or sometimes as security2. Encryption is one of the possible technical measures that can be used to protect personal data at rest, as it makes the data unintelligible to anyone who does not have the key to decrypt it3. By recommending that the company encrypts all personal data at rest, Tanya is following the principle of integrity and confidentiality, as she is ensuring that the personal data is secure and protected from unauthorised access or accidental damage.


Reference:

1: Article 5(1)(f) of the GDPR
2: A guide to the data protection principles | ICO
3: Encryption | ICO

https://www.icaew.com/technical/technology/data/data-protection/data-protection- articles/do-i- have-to-encrypt-personal-data-to-comply-with-dpa-2018



A well-known video production company, based in Spain but specializing in documentaries filmed worldwide, has just finished recording several hours of footage featuring senior citizens in the streets of Madrid. Under what condition would the company NOT be required to obtain the consent of everyone whose image they use for their documentary?

  1. If obtaining consent is deemed to involve disproportionate effort.
  2. If obtaining consent is deemed voluntary by local legislation.
  3. If the company limits the footage to data subjects solely of legal age.
  4. If the company's status as a documentary provider allows it to claim legitimate interest.

Answer(s): D

Explanation:

According to the GDPR, consent is one of the six lawful bases for processing personal data, but not the only one. The other five are: contract, legal obligation, vital interests, public task and legitimate interests. Legitimate interests can be invoked by controllers who process personal data for their own benefit or for the benefit of third parties, as long as such processing does not override the rights and freedoms of the data subjects, especially if they are children. The GDPR also recognizes that processing personal data for journalistic purposes or the purposes of academic, artistic or literary expression may be necessary for the exercise of the right to freedom of expression and information, which is a legitimate interest. Therefore, the company may not need to obtain the consent of everyone whose image they use for their documentary, if they can demonstrate that their processing is necessary for the purposes of their journalistic, artistic or literary expression, and that they have taken into account the reasonable expectations of the data subjects and the potential impact on their privacy. The company should also comply with any relevant national laws or codes of conduct that may apply to such processing.


Reference:

GDPR, Article 6(1)(a)-(f)
GDPR, Recital 47
GDPR, Article 85



A Spanish electricity customer calls her local supplier with Questions: about the company's upcoming merger. Specifically, the customer wants to know the recipients to whom her personal data will be disclosed once the merger is final. According to Article 13 of the GDPR, what must the company do before providing the customer with the requested information?

  1. Verify that the request is applicable to the data collected before the GDPR entered into force.
  2. Verify that the purpose of the request from the customer is in line with the GDPR.
  3. Verify that the personal data has not already been sent to the customer.
  4. Verify that the identity of the customer can be proven by other means.

Answer(s): D

Explanation:

According to Article 13 of the GDPR, the controller (in this case, the electricity supplier) has the obligation to provide the data subject (in this case, the customer) with information about the processing of their personal data, including the recipients or categories of recipients of the personal data, if any. However, before providing such information, the controller must verify the identity of the data subject, to ensure that the information is not disclosed to unauthorized persons. This verification can be done by other means than the personal data already collected, such as asking for additional information, sending a verification code, or using a secure online portal. The other options (A, B, and C) are not relevant for this verification, as they do not relate to the identity of the data subject, but to the scope, purpose, and history of the processing.


Reference:

Article 13 of the GDPR
The right to be informed (transparency) (Article 13 & 14 GDPR) Regulation (EU)
of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive
/EC (General Data Protection Regulation)

https://fpf.org/wp-content/uploads/2018/11/GDPR_CCPA_Comparison-Guide.pdf



Under the GDPR, where personal data is not obtained directly from the data subject, a controller is exempt from directly providing information about processing to the data subject if?

  1. The data subject already has information regarding how his data will be used
  2. The provision of such information to the data subject would be too problematic
  3. Third-party data would be disclosed by providing such information to the data subject
  4. The processing of the data subject's data is protected by appropriate technical measures

Answer(s): A

Explanation:

According to Article 14 of the GDPR, where personal data is not obtained directly from the data subject, the controller must provide the data subject with certain information about the processing, such as the identity of the controller, the purposes and legal basis of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, and the rights of the data subject12. However, there are some exceptions to this obligation, as specified in Article 14(5). One of them is when the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation is likely to render impossible or seriously impair the achievement of the objectives of that processing12. In such cases, the controller must take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available12.


Reference:

CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, GDPR - EUR-Lex, Right to be Informed - General Data Protection Regulation (GDPR)

https://dataprivacymanager.net/gdpr-exemptions-from-the-obligation-to-provide- information-to-the- individual-data-subject/



SCENARIO

Please use the following to answer the next question:

Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.

Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
Name
Address
Date of Birth
Payroll number
National Insurance number
Sick pay entitlement
Maternity/paternity pay entitlement
Holiday entitlement
Pension and benefits contributions
Trade union contributions
Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data.
Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full.
Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.

Under the GDPR, which of Company B's actions would NOT be likely to trigger a potential enforcement action?

  1. Their omission of data protection provisions in their contract with Company C.
  2. Their failure to provide sufficient security safeguards to Company A's data.
  3. Their engagement of Company C to improve their payroll service.
  4. Their decision to operate without a data protection officer.

Answer(s): C

Explanation:

While Company B made several mistakes in handling Company A's employee data, not all of them would likely trigger a potential enforcement action under the GDPR. Here's an analysis of each option:
A . Omission of data protection provisions in the contract with Company C: This is a clear violation of the GDPR. Company B, as the data controller, is responsible for ensuring that any third-party processors comply with data protection requirements. By omitting data protection provisions in the contract, Company B failed to take appropriate steps to ensure the security and privacy of the personal data. This would be a likely trigger for an enforcement action.

B . Failure to provide sufficient security safeguards to Company A's data: This is another violation of the GDPR. Company B has a legal obligation to implement appropriate technical and organizational security measures to protect personal data from unauthorized access, use, disclosure, alteration, or destruction. The outdated IT security system at Company C's U.S. server demonstrates a failure to meet this obligation. This would also be a likely trigger for an enforcement action. C . Engagement of Company C to improve their payroll service: While outsourcing certain aspects of data processing is permitted under the GDPR, the data controller remains ultimately responsible for compliance. However, simply engaging another company to improve a service itself isn't necessarily a violation. As long as the proper safeguards are in place and the data processing is carried out in accordance with the GDPR, this action alone would not likely trigger an enforcement action. D . Decision to operate without a data protection officer: The GDPR requires certain organizations to appoint a data protection officer (DPO). While Company B may be required to have a DPO depending on its size and activities, the absence of a DPO wouldn't automatically trigger an enforcement action. However, it could indicate a lack of compliance culture and contribute to other violations, increasing the likelihood of an enforcement action.
Therefore, while Company B made several mistakes, only the ones that directly violate specific data protection requirements, such as omitting data protection provisions in contracts or failing to implement appropriate security measures, are likely to trigger an enforcement action. Engaging a third-party to improve a service, as long as it's done in a compliant manner, isn't a violation in itself.



SCENARIO

Please use the following to answer the next question:

Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.

Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
Name
Address
Date of Birth
Payroll number
National Insurance number
Sick pay entitlement
Maternity/paternity pay entitlement
Holiday entitlement
Pension and benefits contributions
Trade union contributions

Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data.
Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full.
Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.

The GDPR requires sufficient guarantees of a company's ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?

  1. Hiring companies whose measures are consistent with recommendations of accrediting bodies.
  2. Requesting advice and technical support from Company A's IT team.
  3. Avoiding the use of another company's data to improve their own services.
  4. Vetting companies' measures with the appropriate supervisory authority.

Answer(s): A

Explanation:

Article 82 of the GDPR1234 regulates the right to compensation and liability for any person who has suffered material or non-material damage as a result of an infringement of the GDPR. Paragraph 4 of Article 821234 states that a controller or processor shall be exempt from liability under paragraph 2 (which holds them liable for the damage caused by processing which infringes the GDPR) if it proves that it is not in any way responsible for the event giving rise to the damage. Therefore, the right to compensation and liability under the GDPR provides for an exemption from liability if the data controller (or data processor) proves that it is not in any way responsible for the event giving rise to the damage.


Reference:

1: Art. 82 GDPR ­ Right to compensation and liability - General Data Protection Regulation (GDPR)
2: Art. 82 GDPR - Right to compensation and liability - GDPR.eu
3: GDPR Article 82: Right to compensation and liability - Advisera
4: Article 82 GDPR | Right to compensation and liability

https://www.knowyourcompliance.com/gdpr-technical-organisational-measures/



In 2016's Guidance, the United Kingdom's Information Commissioner's Office (ICO) reaffirmed the importance of using a "layered notice" to provide data subjects with what?

  1. A privacy notice containing brief information whilst offering access to further detail.
  2. A privacy notice explaining the consequences for opting out of the use of cookies on a website.
  3. An explanation of the security measures used when personal data is transferred to a third party.
  4. An efficient means of providing written consent in member states where they are required to do so.

Answer(s): A

Explanation:

A layered notice is a privacy notice designed to respond to problems with excessively long notices1. A short notice -- the top layer -- provides a user with the key elements of the privacy notice, such as the identity of the organisation, the purposes of the processing, and the rights of the data subjects2. The full notice -- the bottom layer -- covers all the intricacies in full, such as the lawful basis, the retention periods, and the recipients of the personal data2. The ICO recommends using a layered approach to deliver privacy information in a concise, transparent, intelligible, and easily accessible way, as required by the UK GDPR3. A layered notice allows data subjects to access the information they need at the appropriate level of detail and helps organisations to comply with the right to be informed23.



Viewing page 6 of 38
Viewing questions 41 - 48 out of 295 questions



Post your Comments and Discuss IAPP CIPP-E exam dumps with other Community members:

CIPP-E Exam Discussions & Posts

AI Tutor AI Tutor 👋 I’m here to help!