CIPP-E IAPP Certified Information Privacy Professional/Europe (CIPP/E) Free Practice Exam Questions (2025 Updated)

Section: (none)

Explanation

 The European Council and the Council of the European Union are two different EU institutions that have similar names but distinct roles and memberships. The European Council is the body of leaders (heads of state or government) of the 27 EU member states that defines the EU’s general political direction and priorities1. The European Council does not adopt EU legislation, but rather sets the agenda and gives guidance to the other EU institutions1. The Council of the European Union, informally known as the Council, is composed of national ministers from each EU member state, grouped by policy area1. The Council is one of the two legislative bodies of the EU, along with the European Parliament, and negotiates and adopts EU laws, coordinates member states’ policies, and develops the EU’s common foreign and security policy1. The key difference between the two institutions is that the European Council is comprised of the heads of each EU member state, while the Council of the European Union is comprised of the ministers of each EU member state12. References: European Council | Council of the European Union, What is the difference between EU Council, Council of the European Union, and Council of Europe?

One of the main reasons why the CJEU invalidated the Privacy Shield was that it found that the US surveillance programs were not limited to what is strictly necessary and proportionate, as required by the EU law. The CJEU also criticized the lack of effective judicial remedies for EU data subjects whose data was accessed by US authorities. The Trans-Atlantic Data Privacy Framework is intended to address these issues by introducing new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives, and by creating a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities. The Framework also enhances the oversight and transparency of US surveillance practices.

References: EU–US Data Privacy Framework - Wikipedia; FACT SHEET: United States and European Commission Announce Trans-Atlantic Data Privacy Framework | The White House; United States and European Commission Joint Statement on Trans-Atlantic Data Privacy Framework; European Commission and United States Joint Statement on Trans-Atlantic Data Privacy Framework; A practical approach to the new Trans-Atlantic Data Privacy Framework.

 According to the UK GDPR, the processing of personal data must be lawful, fair and transparent1. Lawfulness means that there must be a valid legal basis for processing personal data, such as consent, contract, legal obligation, vital interests, public task or legitimate interests1. Fairness means that the processing must not be detrimental, unexpected or misleading to the individuals concerned1. Transparency means that the individuals must be informed about how their data is used, who it is shared with, what rights they have and how they can exercise them1. Therefore, the sentence that best summarizes these concepts is option A, which states that fairness and transparency refer to the communication of key information before collecting data; lawfulness refers to compliance with government regulations. References: 1 https://ico.org.uk/for-organisations-2/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/lawfulness-fairness-and-transparency/

 According to the GDPR, the right of access by the data subject is one of the rights granted to individuals to obtain information about the processing of their personal data by a data controller1. The data controller must provide a copy of the personal data undergoing processing and additional information, such as the purposes, the categories, the recipients, the retention period, the rights, the source, and the automated decision-making of the processing1. The data controller must also inform the data subject of the existence of the right to access and the means to exercise it2.

The GDPR also specifies the time limit for responding to a data subject access request. The data controller must provide the information without undue delay and in any event within one month of receipt of the request1. This period may be extended by two further months where necessary, taking into account the complexity and number of the requests, but the data controller must inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay1. The data controller must also verify the identity of the data subject before providing the information, but this verification should not extend the time limit for responding to the request3.

In this scenario, Mike is an EU resident who has booked travel itineraries through XYZ Travel Agency and stayed at ABC Hotel Chain’s locations. Both companies are U.S.-based multinational companies that use a common platform for collecting and sharing their customer data. Mike has signed the agreement to be a rewards program member of XYZ Travel Agency. Mike wants to know what personal information the company holds about him and sends an email requesting access to his data.

Assuming that both companies are subject to the GDPR, either because they offer goods or services to individuals in the EU or because they monitor the behavior of individuals in the EU4, they must comply with the right of access by the data subject and provide Mike with the information he requests. The time period in which Mike should receive a response to his request is not more than one month of receipt of his request, unless there are grounds for extending the period by two further months. The companies must also verify Mike’s identity before providing the information, but this verification should not affect the time limit for responding to the request.

Therefore, the correct answer is A. Not more than one month of receipt of Mike’s request.

References: 1 Article 15 of the GDPR2 Article 13 and 14 of the GDPR3 Guidelines on the right to data portability | European Data Protection Board34 Article 3 of the GDPR.

 Under the GDPR, email marketing requires explicit and unambiguous consent from the recipients, meaning that they must actively agree to receive marketing communications, and the process for obtaining this consent must be clear and transparent. A prior opt-in consent is the most common and reliable way to demonstrate compliance with this requirement, as it involves a positive action from the data subject, such as ticking a box, clicking a button, or filling a form. A pre-checked box, a notice, or an opt-out option are not sufficient to obtain valid consent, as they do not indicate a clear expression of the data subject’s will. However, there is an exception to the consent rule for existing customers, known as the “soft opt-in”. This means that a company can send email marketing messages to its customers without prior consent, if the following conditions are met:

The company obtained the customer’s contact details in the course of a sale or negotiations for a sale of a product or service;

The company only sends marketing messages about its own similar products or services;

The company gives the customer a clear opportunity to opt out of receiving such messages both when first collecting the details and in every subsequent message.

References: GDPR Article 4(11), GDPR Article 6(1)(a), GDPR Article 7, GDPR Recital 32, GDPR Recital 47, GDPR for Marketing: The Definitive Guide for 2023 - SuperOffice, A Guide to GDPR Compliance for Email Marketers in 2023

This is not a common characteristic of cloud-computing services, as the supplier usually does not assume the vendor’s business risk. In fact, the supplier often limits its liability for data breaches or losses, and the vendor remains responsible for complying with data protection laws and regulations. The other options are common characteristics of cloud-computing services, as they reflect the nature of cloud computing as a flexible, scalable, and cost-effective way of processing data, but also pose challenges for data protection and security. References:

Free CIPP/E Study Guide, page 17, section 2.3.2

CIPP/E Certification, page 12, section 2.3.2

Cipp-e Study guides, Class notes & Summaries, page 23, section 2.3.2

According to the GDPR, pseudonymization is a technique that reduces the linkability of personal data to a specific data subject by replacing identifying attributes with pseudonyms1. Pseudonymization is not a sufficient measure to anonymize personal data, which means that the data cannot be attributed to an identifiable person without additional information2. Pseudonymization can help data controllers and processors to comply with the GDPR principles of data minimization, purpose limitation, and storage limitation, as well as to enhance the security and confidentiality of personal data3.

In this scenario, JaphSoft’s use of pseudonymization is not in compliance with the GDPR because of option C: JaphSoft was in possession of information that could be used to identify data subjects. This is because JaphSoft did not keep the additional information (the contact information) separately from the pseudonymized data (the identifying information), and did not apply technical and organizational measures to prevent the re-identification of the data subjects4. This means that JaphSoft could potentially link the personal data to the individuals, and therefore, the data was not effectively pseudonymized. Moreover, JaphSoft did not have a deletion process for the data it received from clients, which could violate the principle of storage limitation that requires personal data to be kept no longer than necessary for the purposes for which they are processed.

 A. Consent management and withdrawal.  Article 32 of the GDPR requires the controller and the processor to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. These measures should take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks of varying likelihood and severity for the rights and freedoms of natural persons. The three domains of security covered by Article 32 are:

Preventative security: This refers to the measures that aim to prevent or reduce the likelihood of security incidents, such as unauthorized or unlawful access, disclosure, alteration, loss or destruction of personal data. Examples of preventative security measures include encryption, pseudonymization, access control, firewalls, antivirus software, etc.

Incident detection and response: This refers to the measures that aim to detect, analyze, contain, eradicate and recover from security incidents, as well as to notify the relevant authorities and data subjects, and to document the facts and actions taken. Examples of incident detection and response measures include security monitoring, logging, auditing, incident response plans, breach notification procedures, etc.

Remedial security: This refers to the measures that aim to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, as well as to mitigate the adverse effects of security incidents on the data subjects. Examples of remedial security measures include backup, disaster recovery, business continuity, compensation, etc.

Consent management and withdrawal is not a domain of security covered by Article 32, but rather a requirement for the lawfulness of processing based on consent under Article 6(1)(a) and Article 7 of the GDPR. Consent management and withdrawal involves obtaining, recording, updating and revoking the consent of data subjects for specific purposes of processing, as well as informing them of their right to withdraw their consent at any time. References: Free CIPP/E Study Guide, page 35; CIPP/E Certification, page 17; GDPR, Article 32, Article 6(1)(a), Article 7.

Under the GDPR, the lead supervisory authority is determined by where the main establishment related to the processing activity is located.

In this case, even though the company's headquarters is in Germany, the SaaS application was specifically defined and implemented by the Polish establishment. This indicates that the Polish establishment has the primary role in determining the purposes and means of processing personal data related to that SaaS service. Therefore, the supervisory authority of Poland would be the lead supervisory authority for this specific processing activity.

References:

GDPR Article 56 - Competence of the lead supervisory authority

IAPP CIPP/E textbook, Chapter 3: EU General Data Protection Regulation (specifically, sections on One-Stop Shop mechanism and lead supervisory authority)

The NIS2 Directive is the EU’s legislation on cybersecurity that updates and replaces the previous NIS Directive. It aims to create a high common level of cybersecurity across the EU by setting up legal measures for the security of network and information systems used by essential and important entities in various sectors and by enhancing cooperation among the member states. The NIS2 Directive does not establish a common controls framework that every organization must adopt, but rather allows each member state to define the appropriate security measures and incident reporting requirements for the entities under its jurisdiction, taking into account the specificities of each sector and subsector. However, the NIS2 Directive does provide some general principles and objectives for the security measures, such as proportionality, risk-based approach, state of the art, and regular review and update. The NIS2 Directive also introduces minimum harmonised rules for the supervision and enforcement of the security measures and incident reporting obligations, including the possibility of imposing administrative fines.

References:

NIS2 Directive, Articles 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, and 14.

The NIS2 Directive: A high common level of cybersecurity in the EU, pages 1, 2, 3, 4, 5, 6, 7, and 8.

 A data protection impact assessment (DPIA) is a process to help identify and minimise the data protection risks of a project that involves personal data, especially when using new technologies or processing that is likely to result in a high risk to individuals1. The UK GDPR requires data controllers to carry out a DPIA before starting such processing and to consult the supervisory authority if the DPIA indicates a high risk that cannot be mitigated1. The UK GDPR also provides some general guidance on the content and methodology of a DPIA, but it does not prescribe a specific format or procedure1. Therefore, to effectively assist Zandelay in conducting their DPIA, it would be helpful to refer to existing DPIA guides published by local supervisory authorities, such as the ICO in the UK or the DPC in Ireland23. These guides offer more detailed and practical advice on how to conduct a DPIA, what to include in it, how to assess and mitigate the risks, and when to consult the authority23. They also provide templates, checklists, examples, and case studies to illustrate the DPIA process23. By following these guides, Zandelay can ensure that their DPIA is comprehensive, consistent, and compliant with the UK GDPR and the relevant national laws.

The other options are not as effective as option C, because:

Option A: Information about DPIAs found in Articles 38 through 40 of the UK GDPR is too general and vague to assist Zandelay in conducting their DPIA. These articles only outline the basic requirements and principles of a DPIA, but do not provide any specific guidance on how to conduct one, what to include in it, or how to assess and mitigate the risks1. Zandelay would need more detailed and practical advice to effectively perform a DPIA.

Option B: Data breach documentation that data controllers are required to maintain is not relevant to conducting a DPIA. A data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data1. A data controller must document any data breaches, including the facts, effects, and remedial actions taken, and notify the supervisory authority and the affected individuals without undue delay1. However, a data breach is not the same as a data protection risk, which is the potential for adverse effects on individuals as a result of the processing of their personal data2. A DPIA is a proactive and preventive measure to identify and minimise the data protection risks of a project, not a reactive and corrective measure to deal with the consequences of a data breach2.

Option D: Records of processing activities that data controllers are required to maintain are not sufficient to assist Zandelay in conducting their DPIA. A record of processing activities is a document that contains information about the purposes, categories, recipients, transfers, retention periods, and security measures of the processing of personal data by a data controller or a data processor1. A data controller must maintain a record of processing activities under its responsibility and make it available to the supervisory authority upon request1. However, a record of processing activities is not the same as a DPIA, which is a more in-depth and systematic analysis of the data protection risks and the measures to address them2. A record of processing activities may provide some useful information for a DPIA, such as the nature, scope, context, and purposes of the processing, but it does not cover other aspects, such as the necessity, proportionality, compliance, and impact of the processing2.

https://blog.netwrix.com/2021/02/17/data-protection-impact-assessment/

https://ico.org.uk/for-organisations-2/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/

According to the EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, a confidentiality breach occurs when personal data is disclosed or made available to unauthorized persons. This is the case when exfiltration of job application data from a website results in personal information being accessible to unauthorized persons, such as hackers or competitors. This type of breach may pose a high risk to the rights and freedoms of the data subjects, as it may lead to identity theft, fraud, discrimination, or reputational damage. Therefore, the data controller should notify the data subjects without undue delay, unless the data is encrypted or anonymized, or the controller has taken subsequent measures to ensure that the high risk is no longer likely to materialize.

References: EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, page 151; CIPP/E Textbook, page 136.

The GDPR (General Data Protection Regulation) applies to any organisation that processes personal data of EU residents, regardless of where the processing takes place. Therefore, WonderKids, as a data controller based in France, must comply with the GDPR when it transfers personal data to its hosting service provider in Switzerland, which acts as a data processor on behalf of WonderKids.

According to Article 28 of the GDPR, data controllers must only use data processors that provide sufficient guarantees to implement appropriate technical and organisational measures to ensure the protection of the rights of the data subjects and the security of the data. The data controller and the data processor must also enter into a written contract or other legal act that sets out the subject matter, duration, nature, and purpose of the processing, as well as the obligations and rights of the data controller.

The contract must include, among other things, the following provisions:

The data processor must process the personal data only on documented instructions from the data controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by EU or member state law;

The data processor must ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

The data processor must take all measures required pursuant to Article 32 of the GDPR, which relates to the security of the processing;

The data processor must respect the conditions for engaging another processor, and inform the data controller of any intended changes concerning the addition or replacement of other processors, giving the data controller the opportunity to object to such changes;

The data processor must assist the data controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, which relate to the security of the processing, the notification of personal data breaches, the communication of personal data breaches to data subjects, the data protection impact assessment, and the prior consultation with the supervisory authority;

The data processor must, at the choice of the data controller, delete or return all the personal data to the data controller after the end of the provision of services relating to the processing, and delete existing copies unless EU or member state law requires storage of the personal data;

The data processor must make available to the data controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controller.

Therefore, among the four options, the one that must be included in the contract between WonderKids and the hosting service provider is the requirement to implement technical and organisational measures to protect the data, as this is part of the data processor’s obligations under Article 28 and Article 32 of the GDPR.

The other options are not mandatory under the GDPR, although they may be advisable or desirable depending on the circumstances. Controller-to-controller model contract clauses are used when personal data is transferred from one data controller to another data controller, not from a data controller to a data processor. Audit rights for the data subjects are not explicitly required by the GDPR, although the data controller must ensure that the data processor allows for and contributes to audits conducted by the data controller or another auditor mandated by the data controller. A non-disclosure agreement may be useful to protect the confidentiality of the personal data, but it is not sufficient to ensure the compliance with the GDPR, as it does not cover all the aspects of the data processing relationship.

References:

GDPR

Web Hosting and GDPR Compliance - What to Look For

The GDPR: Why you need to review your third-party service providers’ security

GDPR Compliance for Third-Party Service Providers: Vendor Management

According to the GDPR, the processing of personal data obtained through monitoring software must be lawful, fair, and transparent. This means that the employer must inform the employees about the nature, extent, and reasons for monitoring, and the possible consequences of non-compliance with the company’s policies. The employer must also have a legitimate interest or another lawful basis for processing the employees’ data, and respect their rights and freedoms. The employer must also comply with the national laws and guidelines of each member state where it operates, which may impose additional conditions or limitations on employee monitoring. In this case, Building Block did not inform the employee from Italy that the security software would also monitor his computer activity and location, and did not specify the purpose and scope of such monitoring. Therefore, the employee could not reasonably expect that his personal data would be processed in this way, and could not exercise his rights under the GDPR, such as the right to access, rectify, or object to the processing. Moreover, the employer did not conduct a proper assessment of the necessity and proportionality of the monitoring, and did not consider less intrusive alternatives to achieve its security goals. Therefore, the employer could face legal challenges from the employee, the Italian supervisory authority, or the labor courts, if it decides to apply disciplinary measures based on the data obtained through the monitoring software. The employer could also face fines or sanctions for violating the GDPR and the Italian data protection law. References: GDPR requirements for employee monitoring: rules to follow, Can Your Organisation Monitor Employees’ Personal Communications?, ICO publishes guidance to ensure lawful monitoring in the workplace, [Guidelines on processing personal data in the context of connected vehicles and mobility related applications]

According to the GDPR, personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed1. Therefore, the data storage period of the backup system must be aligned with this principle and reviewed regularly. Moreover, the GDPR requires that when a controller (the company) uses a processor (AWS) to process personal data on its behalf, it must ensure that the processor provides sufficient guarantees to implement appropriate technical and organizational measures to meet the requirements of the GDPR and ensure the protection of the rights of the data subjects2. This is usually done by signing a data processing agreement that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller3. AWS offers a GDPR-compliant Data Processing Addendum (DPA) that is incorporated into the AWS Service Terms and applies automatically to all customers who require it to comply with the GDPR4. References:

Free CIPP/E Study Guide, page 24, section 4.2.1

Free CIPP/E Study Guide, page 25, section 4.3

GDPR, Article 28

GDPR - Amazon Web Services (AWS), section “GDPR resources”