CIPP-E IAPP Certified Information Privacy Professional/Europe (CIPP/E) Free Practice Exam Questions (2025 Updated)

Article 9 of the GDPR prohibits the processing of special category data, which includes biometric data for the purpose of uniquely identifying a natural person1. However, there are 10 exceptions to this general prohibition, usually referred to as ‘conditions for processing special category data’2. These are:

(a) Explicit consent

(b) Employment, social security and social protection (if authorised by law)

© Vital interests

(d) Not-for-profit bodies

(e) Made public by the data subject

(f) Legal claims and judicial acts

(g) Substantial public interest conditions

(h) Health or social care

(i) Public health

(j) Archiving, research and statistics

Option A is not one of these exceptions, and therefore it is not a valid reason to process biometric data under Article 9. Option B, C and D are all valid exceptions, as they correspond to conditions ©, (f) and (a) respectively. Therefore, the correct answer is A.

References:

4: Art. 9 GDPR Processing of special categories of personal data

6: What are the rules on special category data? | ICO

Cross-border processing is defined in Article 4(23) of the GDPR as either:

•processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

•processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

Therefore, the factors that are relevant for identifying whether the processing could be considered a cross-border processing are:

•the location and number of establishments of the controller or processor in the EU;

•the connection between the processing and the activities of the establishments;

•the substantial effect or likelihood of substantial effect on data subjects in more than one Member State.

The total number of the data subjects interested is not necessarily a factor, as the processing could affect only a few data subjects but still have a substantial impact on them. For example, a processing that involves the disclosure of sensitive personal data of a small group of data subjects in different Member States could be considered a cross-border processing.

References:

•GDPR Article 4 - Definitions1

•Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority2

Works councils are employee representative bodies that exist in some European countries, such as Germany, France, Spain and Italy. They have various roles and powers depending on the national laws and collective agreements, but generally they aim to protect and promote the interests of the employees in relation to the employer. Some of the common roles of works councils are:

Determining whether to approve or reject certain decisions of the employer that affect employees, such as transfers, dismissals, redundancies, working hours, health and safety, etc.

Determining whether employees’ personal data can be processed or not, based on the principle of co-determination, which means that the employer needs the consent of the works council for any data processing that involves employee monitoring, evaluation or control.

Determining what changes will affect employee working conditions, such as wages, benefits, training, social facilities, etc.

However, works councils do not have the role of determining the monetary fines to be levied against employers for data breach violations of employee data. This is the role of the data protection authorities, which are independent public bodies that supervise, through investigative and corrective powers, the application of the data protection law. Works councils may cooperate with the data protection authorities or file complaints on behalf of the employees, but they do not have the authority to impose sanctions on the employers. References: Free CIPP/E Study Guide, page 27; CIPP/E Certification, page 13.

According to the GDPR, a record of processing activities (RoPA) is a document that provides an overview of how personal data is processed within an organisation. It must include information on the types of personal data processed, the purposes for which the data is processed, and the measures taken to ensure the security of the data123. A RoPA must be kept up to date and made available to the supervisory authority upon request1.

In this scenario, Anna does not have to include Frank’s performance database in her RoPA, because it does not contain any personal data. Personal data is any information relating to an identified or identifiable natural person4. Frank’s performance database only contains aggregated or anonymised data that cannot identify any individual student. Therefore, it does not fall under the definition of personal data under the GDPR.

However, Anna still has to complete her RoPA for all other types of records that are processed by Granchester University, such as student records, staff and alumni records, and Department for Education records. These records may contain personal data that needs to be minimised and protected in accordance with the GDPR principles4. Anna also has to conduct a risk analysis before processing these records, as required by Article 35(2) of the GDPR4. She also has to report any security incidents involving these records, as required by Article 33(3) of the GDPR4.

References:

[Art. 30 GDPR – Records of processing activities]

[How do we document our processing activities?]

Records of Processing (Article 30) Guidance

GDPR Records of Processing Activities | Resources

Records of Processing Activities: A Key GDPR Compliance Requirement

 According to the ICO guidance on the use of cookies and similar technologies1, browser settings and other control mechanisms can be relied upon for the lawful application of cookies only if they meet the following conditions:

They are designed to protect users’ privacy and provide them with control over the use of cookies and similar technologies;

They are prominent and easy to use, and do not require users to take unnecessary steps or provide unnecessary information;

They are specific and granular enough to allow users to express their preferences for different types and purposes of cookies and similar technologies;

They are sufficiently informed and clear about the cookies and similar technologies that will be set or accessed, and the purposes for which they will be used;

They are regularly reviewed and updated to reflect any changes in the cookies and similar technologies that are used or the purposes for which they are used;

They are not overridden or circumvented by other software or settings that may interfere with users’ choices;

They provide an effective means of withdrawing consent at any time.

Therefore, browser settings and other control mechanisms can be a valid way of obtaining consent for cookies and similar technologies, but only if they meet these high standards and ensure that users have a real and meaningful choice over the use of cookies and similar technologies on their devices. References: 1 How do we comply with the cookie rules? | ICO. Available at: 4 (Accessed: 11 December 2023).

According to the UK GDPR, the controller and the processor must support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge1. The controller and the processor must also ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks and that he or she reports directly to the highest management level of the controller or the processor1. 

 According to Article 9 of the GDPR, special category data is personal data that needs more protection because it is sensitive. The GDPR defines 10 types of personal data as special categories, which are:

personal data revealing racial or ethnic origin;

personal data revealing political opinions;

personal data revealing religious or philosophical beliefs;

personal data revealing trade union membership;

genetic data;

biometric data (where used for identification purposes);

data concerning health;

data concerning a person’s sex life; and

data concerning a person’s sexual orientation.

Among the answer choices, only option B falls under one of these categories, as trade union membership is considered to reveal political opinions or beliefs. Option A, C and D are not considered as special category data, as they do not reveal any sensitive information about the data subject. However, they are still subject to the general principles and rules of the GDPR, such as lawfulness, fairness, transparency, accuracy, security, etc. References:

Special category data | ICO

Art. 9 GDPR Processing of special categories of personal data

Special Categories of Data - International Association of Privacy Professionals

The OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) all aimed to harmonize the national data protection laws of the member states of the European Economic Community (EEC) and to establish a common framework for the protection of personal data. However, they largely failed to achieve this goal due to several reasons, such as:

The lack of political will and commitment from the member states to implement the directives fully and consistently12.

The divergent interpretations and applications of the directives by different national authorities, courts and regulators12.

The emergence of new technologies and challenges that required new or updated legal solutions, such as electronic communications, cookies, biometrics, cloud computing, etc12.

The influence of other regional or international initiatives that addressed some aspects of data protection differently or in conflict with the directives, such as the US Privacy Shield Framework3.

References: 1: Free CIPP/E Study Guide - International Association of Privacy Professionals 2: CIPP/E Certification - International Association of Privacy Professionals 3: Schrems II: A Critical Analysis - European Data Protection Board

According to the definition of direct marketing in the context of data protection law, it is personal data processed to communicate a marketing or advertising message. This includes messages from commercial organisations, as well as from charities and political organisations. Therefore, option D is an example of direct marketing that would be subject to European data protection laws, as it involves sending a marketing message by SMS to an individual. The other options are not examples of direct marketing, as they do not involve marketing or advertising messages, but rather information or service messages that are not intended to promote any product or service. References:

[IAPP article on direct marketing (EU specific)]

Lexology article on direct marketing requirements under the GDPR

 According to the CIPP/E study guide, the Data Protection Law Enforcement Directive (LED) is a piece of EU legislation that ensures the protection of personal data of individuals involved in criminal proceedings, be it as witnesses, victims or suspects1. The LED applies to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties2. Article 4 of the LED sets out the principles relating to the processing of personal data, which include lawfulness, fairness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality3. Article 4 (1) (e) of the LED states that personal data shall be processed lawfully, where processing is necessary for the performance of a task carried out by a competent authority for the purposes of the LED, and where processing is based on Union or Member State law which shall meet an objective of general interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued3. Therefore, a government can carry out covert investigations involving personal data, as long as it is set forth by law and constitutes a measure that is both necessary and proportionate to the objective of general interest, such as the prevention or prosecution of criminal offences. References: 1: CIPP/E study guide, page 1; Data protection in law enforcement2: CIPP/E study guide, page 2; Art. 2 LED3: CIPP/E study guide, page 3; Art. 4 LED.

 According to Article 58 of the GDPR, each supervisory authority has the power to notify the controller or the processor of an alleged infringement of the GDPR as part of its investigative powers. This power allows the supervisory authority to alert the controller or the processor of a possible violation of the GDPR and to initiate further actions if necessary. The notification may also include recommendations or instructions on how to remedy the infringement or prevent further violations. References:

Article 58 of the GDPR

European Data Protection Law & Practice textbook, Chapter 9: Supervision and Enforcement, Section 9.2: Supervisory Authorities, Subsection 9.2.2: Powers of Supervisory Authorities

According to the Free CIPP/E Study Guide, page 12, “the GDPR requires data controllers to implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR. These measures should take into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.” The GDPR also requires data controllers to ensure the security of personal data, to notify data breaches to the supervisory authorities and data subjects, and to cooperate with the supervisory authorities in providing any information necessary for the performance of their tasks. Therefore, the GDPR requirement that data controllers must be in control of the data they hold at all times will present the most significant challenges for organizations with BYOD programs, as they will have to deal with the increased risks of data loss, theft, unauthorized access, or misuse that may arise from the use of personal devices by employees or contractors. The other options are not necessarily more challenging for organizations with BYOD programs, although they may involve other obligations under the GDPR, such as obtaining a valid legal basis, providing adequate safeguards, or informing the data subjects. References:

Free CIPP/E Study Guide, page 12

GDPR, Articles 24, 25, 28, 32, 33, 34 and 58

 A dynamic IP address is a unique numerical label for a device on the internet that changes every time the device connects to the internet. A dynamic IP address by itself is not personal data, as it does not directly identify the person who owns or uses the device. However, a dynamic IP address can become personal data when it is combined with other data held by the controller, such as the web pages accessed by the device, the time and duration of the visit, the location of the device, or the user’s preferences and interests. In this case, the controller can use the additional data to identify the data subject, either directly or indirectly, by linking the dynamic IP address to a specific person or a profile. This was confirmed by the Court of Justice of the European Union (CJEU) in the case of Breyer v Bundesrepublik Deutschland, where the CJEU ruled that a dynamic IP address registered by a website provider constitutes personal data in relation to that provider, where the latter has the legal means to obtain the identity of the data subject from the internet service provider (ISP) that assigned the dynamic IP address. Therefore, option B is the correct answer. References: Directive 95/46/EC, Directive 2002/58/EC, Breyer v Bundesrepublik Deutschland, Case C-582/14, Dynamic IP Addresses can be Personal Data

According to Article 14 of the GDPR, if the controller obtains personal data from other sources, such as third parties or publicly accessible sources, the controller must provide the data subject with the necessary privacy information, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, and the rights of the data subject. The controller must provide this information within a reasonable period after obtaining the personal data, but no later than one month, having regard to the specific circumstances in which the personal data are processed. However, there are some exceptions to this rule, such as if the data subject already has the information, if the provision of the information proves impossible or would involve a disproportionate effort, if the obtaining or disclosure of the data is expressly laid down by EU or member state law, or if the personal data must remain confidential subject to an obligation of professional secrecy12. References:

GDPR, Article 14

Free CIPP/E Study Guide, page 19, section 2.5.1

CIPP/E Certification, page 14, section 1.2.1

Art. 14 GDPR - Information to be provided where personal data have not been obtained from the data subject

Article 14 GDPR - GDPRhub

According to Article 35 of the GDPR, a Data Protection Impact Assessment (DPIA) is required when the processing of data is likely to result in a high risk to the rights and freedoms of natural persons, especially when using new technologies. A DPIA is supposed to show the characteristics of the processing, the risks and the measures adopted to mitigate them. The GDPR also provides some examples of processing operations that require a DPIA, such as:

a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, and on which decisions are based that produce legal or significant effects on the data subject;

processing on a large scale of special categories of data or data relating to criminal convictions and offences; or

a systematic monitoring of a publicly accessible area on a large scale.

Among the answer choices, only option C falls under the first example, as it involves a systematic and extensive evaluation of personal aspects based on location data and data from third-party sources, which could be used for profiling and matching purposes. This could have significant effects on the data subjects’ privacy, personal relationships and reputation. Therefore, a DPIA would be required for this processing operation.

Option A does not necessarily involve a systematic and extensive evaluation of personal aspects, nor does it produce legal or significant effects on the data subject. It could be considered a legitimate interest of the company to offer more personalized service, as long as it respects the principles of data minimization, purpose limitation and transparency.

Option B does not involve a decision based on the processing, nor does it produce legal or significant effects on the data subject. It could be considered a form of direct marketing, which is subject to specific rules under the GDPR and the ePrivacy Directive.

Option D does not involve personal data relating to natural persons, but rather to delivery trucks. Therefore, it does not pose a high risk to the rights and freedoms of natural persons.

References:

GDPR Article 35

Guidelines on DPIA

Art. 35 GDPR - Data protection impact assessment - GDPR.eu

According to the UK GDPR, a processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller1. A processor must act only on the documented instructions of the controller and must not process the data for its own purposes or in a way that is incompatible with the controller’s purposes1. If a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller, it will be considered to be a controller in respect of that processing and will be subject to the same obligations and liabilities as a controller under the UK GDPR1. This means that the processor will have to comply with the data protection principles, ensure the rights of data subjects, implement appropriate technical and organisational measures, report data breaches, conduct data protection impact assessments, appoint a data protection officer if required, and cooperate with the supervisory authority1. The processor will also be exposed to the risk of administrative fines, compensation claims, and reputational damage1. References: 1

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/controllers-and-processors/controllers-and-processors/what-are-controllers-and-processors/