IAPP CIPP-E Certified Information Privacy Professional/Europe (CIPP/E) Online Training
The questions for CIPP-E were last updated on Apr 23, 2025.
- Exam Code: CIPP-E
- Exam Name: Certified Information Privacy Professional/Europe (CIPP/E)
- Certification Provider: IAPP
- Latest update: Apr 23, 2025
How does the GDPR now define “processing”?
- A . Any act involving the collecting and recording of personal data.
- B . Any operation or set of operations performed on personal data or on sets of personal data.
- C . Any use or disclosure of personal data compatible with the purpose for which the data was collected.
- D . Any operation or set of operations performed by automated means on personal data or on sets of personal data.
What is the MAIN reason GDPR Article 4(22) establishes the concept of the “concerned supervisory authority”?
- A . To encourage the consistency of local data processing activity.
- B . To give corporations a choice about who their supervisory authority will be.
- C . To ensure the GDPR covers controllers that do not have an establishment in the EU but have a representative in a member state.
- D . To ensure that the interests of individuals residing outside the lead authority’s jurisdiction are represented.
Which of the following would MOST likely trigger the extraterritorial effect of the GDPR, as specified by Article 3?
- A . The behavior of suspected terrorists being monitored by EU law enforcement bodies.
- B . Personal data of EU citizens being processed by a controller or processor based outside the EU.
- C . The behavior of EU citizens outside the EU being monitored by non-EU law enforcement bodies.
- D . Personal data of EU residents being processed by a non-EU business that targets EU customers.
If a company receives an anonymous email demanding ransom for the stolen personal data of its clients, what must the company do next, per GDPR requirements?
- A . Notify the police and file a criminal complaint about the incident.
- B . Start an investigation to understand the incident’s possible scope, duration and nature.
- C . Send a notification to the competent supervisory authority describing the incident.
- D . Send an email about the incident to all clients and ask them to change their passwords.
A company in France suffers a robbery over the weekend owing to a faulty alarm system. When it is determined that the break-in involves the loss of a substantial amount of data, the company decides on a CCTV system to monitor for future incidents. Company technicians install cameras in the entrance of the building, hallways and offices. Footage is recorded continuously, and is monitored by the home office in the United States.
What is the most realistic step the company could take to address their security concerns and comply with the personal data processing principles set out in Article 5 of the GDPR?
- A . Seek informed consent from company employees.
- B . Have cameras recording during work hours only.
- C . Retain captured footage for no more than 30 days.
- D . Restrict camera placement to building entrances only.
SCENARIO
Please use the following to answer the next question:
T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies.
T-Craze also opened various office locations throughout Europe to help expand its business. While Germany continued to host T-Craze’s headquarters and main product-design office, its French affiliate became responsible for all marketing and sales activities. The French affiliate recently procured the services of Right Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T-Craze, though with much less success.
The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from Right Target on behalf of T-Craze.
Why does the Spanish supervisory authority notify the French supervisory authority when it opens an investigation into T-Craze based on Sofia’s complaint?
- A . T-Craze has a French affiliate.
- B . The French affiliate procured the services of Right Target.
- C . T-Craze conducts its marketing and sales activities in France.
- D . The Spanish supervisory authority is providing a courtesy notification not required under the GDPR.
SCENARIO
Please use the following to answer the next question:
Zandelay Fashion (‘Zandelay’) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company’s compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.
The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.
In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company’s customers by analyzing their purchases.
Martin tells the CEO that:
(a) the potential risks of such activities mean that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and
(b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.
Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay’s business plan and associated processing activities.
What would MOST effectively assist Zandelay in conducting their data protection impact assessment?
- A . Information about DPIAs found in Articles 38 through 40 of the GDPR.
- B . Data breach documentation that data controllers are required to maintain.
- C . Existing DPIA guides published by local supervisory authorities.
- D . Records of processing activities that data controllers are required to maintain.
What is true if an employee makes an access request to his employer for any personal data held about him?
- A . The employer can automatically decline the request if it contains personal data about a third person.
- B . The employer can decline the request if the information is only held electronically.
- C . The employer must supply all the information held about the employee.
- D . The employer must supply any information held about an employee unless an exemption applies.
Which of the following is the weakest lawful basis for processing employee personal data?
- A . Processing based on fulfilling an employment contract.
- B . Processing based on employee consent.
- C . Processing based on legitimate interests.
- D . Processing based on legal obligation.
Which of the following regulates the use of electronic communications services within the European Union?
- A . Regulation (EU) 2015/2120 of the European Parliament and of the Council of 25 November 2015.
- B . Regulation (EU) 2017/1953 of the European Parliament and of the Council of 25 October 2017.
- C . Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002.
- D . Directive (EU) 2019/789 of the European Parliament and of the Council of 17 April 2019.