IAPP CIPP-E Exam
Certified Information Privacy Professional/Europe (CIPP/E) (Page 9)

Updated On: 1-Feb-2026

Which of the following is an example of direct marketing that would be subject to European data protection laws?

  1. An updated privacy notice sent to an individual's personal email address.
  2. A charity fundraising event notice sent to an individual at her business address.
  3. A service outage notification provided to an individual by recorded telephone message.
  4. A revision of contract terms conveyed to an individual by SMS from a marketing organization.

Answer(s): D

Explanation:

According to the definition of direct marketing in the context of data protection law, it is personal data processed to communicate a marketing or advertising message. This includes messages from commercial organisations, as well as from charities and political organisations. Therefore, option D is an example of direct marketing that would be subject to European data protection laws, as it involves sending a marketing message by SMS to an individual. The other options are not examples of direct marketing, as they do not involve marketing or advertising messages, but rather information or service messages that are not intended to promote any product or service.


Reference:

IAPP article on direct marketing (EU specific)
Lexology article on direct marketing requirements under the GDPR



Article 9 of the GDPR lists exceptions to the general prohibition against processing biometric data.
Which of the following is NOT one of these exceptions?

  1. The processing is done by a non-profit organization and the results are disclosed outside the organization.
  2. The processing is necessary to protect the vital interests of the data subject when he or she is incapable of giving consent.
  3. The processing is necessary for the establishment, exercise or defense of legal claims when courts are acting in a judicial capacity.
  4. The processing is explicitly consented to by the data subject and he or she is allowed by Union or Member State law to lift the prohibition.

Answer(s): A

Explanation:

Article 9 of the GDPR prohibits the processing of special category data, which includes biometric data for the purpose of uniquely identifying a natural person. However, there are 10 exceptions to this general prohibition, usually referred to as 'conditions for processing special category data' [2]. These are:
(a) Explicit consent
(b) Employment, social security and social protection (if authorised by law)
(c) Vital interests
(d) Not-for-profit bodies
(e) Made public by the data subject
(f) Legal claims and judicial acts
(g) Substantial public interest conditions
(h) Health or social care
(i) Public health
(j) Archiving, research and statistics
Option A is not one of these exceptions, and therefore it is not a valid reason to process biometric data under Article 9. Options B, C and D are all valid exceptions, as they correspond to conditions (c), (f) and (a) respectively. Therefore, the correct answer is A.


Reference:

4: Art. 9 GDPR Processing of special categories of personal data
6: What are the rules on special category data? | ICO


https://dataprivacymanager.net/sensitive-personal-data-special-category-under-the-gdpr/



Which marketing-related activity is least likely to be covered by the provisions of Privacy and Electronic Communications Regulations (Directive 2002/58/EC)?

  1. Advertisements passively displayed on a website.
  2. The use of cookies to collect data about an individual.
  3. A text message to individuals from a company offering concert tickets for sale.
  4. An email from a retail outlet promoting a sale to one of their previous customers.

Answer(s): A

Explanation:

The Privacy and Electronic Communications Regulations (PECR) are derived from the e-privacy Directive 2002/58/EC, which aims to protect the privacy and confidentiality of users of electronic communications services. The PECR cover various aspects of electronic marketing, such as the use of cookies, unsolicited communications, and traffic and location data. According to the PECR, the following marketing-related activities require the consent of the user or subscriber, unless certain exemptions apply:
The use of cookies or similar technologies to store or access information on the user's device (Regulation 6).
The sending of electronic mail for direct marketing purposes to individual subscribers who have not given their prior consent (Regulation 22).
The making of unsolicited calls for direct marketing purposes to individual subscribers who have registered their number with the Telephone Preference Service or who have objected to such calls from a specific caller (Regulation 21).
The sending of unsolicited communications for direct marketing purposes by means of electronic mail, fax, or automated calling systems to corporate subscribers, unless they have indicated that they do not wish to receive such communications (Regulation 23).

Therefore, among the four options, the one that is least likely to be covered by the provisions of the PECR is the advertisements passively displayed on a website, as they do not involve the use of cookies, the sending of unsolicited communications, or the processing of traffic or location data.

However, such advertisements may still be subject to other data protection laws, such as the GDPR, if they involve the processing of personal data of the users.


Reference:

PECR
e-privacy Directive
ICO guide to PECR


https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02002L0058-20091219&from=RO



Which of the following is NOT recognized as being a common characteristic of cloud-computing services?

  1. The service's infrastructure is shared among the supplier's customers and can be located in a number of countries.
  2. The supplier determines the location, security measures, and service standards applicable to the processing.
  3. The supplier allows customer data to be transferred around the infrastructure according to capacity.
  4. The supplier assumes the vendor's business risk associated with data processed by the supplier.

Answer(s): D

Explanation:

This is not a common characteristic of cloud-computing services, as the supplier usually does not assume the vendor's business risk. In fact, the supplier often limits its liability for data breaches or losses, and the vendor remains responsible for complying with data protection laws and regulations. The other options are common characteristics of cloud-computing services, as they reflect the nature of cloud computing as a flexible, scalable, and cost-effective way of processing data, but also pose challenges for data protection and security.


Reference:

Free CIPP/E Study Guide, page 17, section 2.3.2
CIPP/E Certification, page 12, section 2.3.2
Cipp-e Study guides, Class notes & Summaries, page 23, section 2.3.2


https://www.softwaremajor.com/news-articles/64-gdpr-how-does-it-apply-to-the-cloud



When may browser settings be relied upon for the lawful application of cookies?

  1. When a user rejects cookies that are strictly necessary.
  2. When users are aware of the ability to adjust their settings.
  3. When users are provided with information about which cookies have been set.
  4. When it is impossible to bypass the choices made by users in their browser settings.

Answer(s): D

Explanation:

According to the ICO guidance on the use of cookies and similar technologies [1], browser settings and other control mechanisms can be relied upon for the lawful application of cookies only if they meet the following conditions:
They are designed to protect users' privacy and provide them with control over the use of cookies and similar technologies;
They are prominent and easy to use, and do not require users to take unnecessary steps or provide unnecessary information;
They are specific and granular enough to allow users to express their preferences for different types and purposes of cookies and similar technologies;
They are sufficiently informed and clear about the cookies and similar technologies that will be set or accessed, and the purposes for which they will be used;
They are regularly reviewed and updated to reflect any changes in the cookies and similar technologies that are used or the purposes for which they are used;
They are not overridden or circumvented by other software or settings that may interfere with users' choices;
They provide an effective means of withdrawing consent at any time.

Therefore, browser settings and other control mechanisms can be a valid way of obtaining consent for cookies and similar technologies, but only if they meet these high standards and ensure that users have a real and meaningful choice over the use of cookies and similar technologies on their devices.


Reference:

1 How do we comply with the cookie rules? | ICO. Available at: 4 (Accessed: 11 December 2023).


