CIPP-E Exam Details

  • Exam Code: CIPP-E
  • Exam Name: Certified Information Privacy Professional/Europe (CIPP/E)
  • Certification: IAPP Certifications
  • Vendor: IAPP
  • Total Questions: 307 Q&As
  • Last Updated: Jan 10, 2026

IAPP CIPP-E Online Questions & Answers

  • Question 1:

    Which of the following elements does NOT need to be presented to a data subject in order to collect valid consent for the use of cookies?

    A. A "Cookies Settings" button.
    B. A "Reject All" cookies button.
    C. A list of cookies that may be placed.
    D. Information on the purpose of the cookies.

  • Question 2:

    Pursuant to the EDPB Guidelines 8/2022, all of the following criteria must be considered when identifying a lead supervisory authority of a controller EXCEPT?

    A. Determining where the controller has its place of central administration in the EEA.
    B. Determining the supervisory authority where the place of central administration of the controller is located.
    C. Determining the supervisory authority according to what has been identified by the controller as the authority to which data subjects can lodge complaints.
    D. Determining if decisions on the processing are taken in another establishment in the EEA, and if that establishment has the power to implement those decisions.

  • Question 3:

    Which failing of Privacy Shield, cited by the CJEU as a reason for its invalidation, is the Trans-Atlantic Data Privacy Framework intended to address?

    A. Data Subject Rights.
    B. Right of Action.
    C. Necessity.
    D. Consent.

  • Question 4:

    In the wake of the Schrems II ruling, which of the following actions has been recommended by the EDPB for companies transferring personal data to third countries?

    A. Adopting a risk-based approach and implementing supplementary measures as needed.
    B. Ensuring that all data transfers are encrypted with unbreakable encryption algorithms.
    C. Obtaining explicit consent from each EU citizen for every individual data transfer.
    D. Storing all personal data within the borders of the European Union.

  • Question 5:

    ISO 31700 has set forth requirements relating to consumer products and services. In particular, this international standard focuses on the implementation of which of the following?

    A. Privacy by design.
    B. Comprehensive ethical AI software.
    C. Privacy notices for companies providing services to consumers.
    D. Automated systems for identifying EU data subjects' personal data.

  • Question 6:

    If a company receives an anonymous email demanding ransom for the stolen personal data of its clients, what must the company do next, per GDPR requirements?

    A. Notify the police and file a criminal complaint about the incident.
    B. Start an investigation to understand the incident's possible scope, duration and nature.
    C. Send a notification to the competent supervisory authority describing the incident.
    D. Send an email about the incident to all clients and ask them to change their passwords.

  • Question 7:

    According to the EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, if exfiltration of job application data (submitted through online application forms and stored on a webserver) resulted in personal information being accessible to unauthorized persons, this would be primarily considered what kind of breach?

    A. An integrity breach.
    B. An accuracy breach.
    C. An availability breach.
    D. A confidentiality breach.

  • Question 8:

    According to Art. 23 GDPR, which of the following data subject rights can NOT be restricted?

    A. Right to restriction of processing.
    B. Right to erasure ("Right to be forgotten").
    C. Right to lodge a complaint with a supervisory authority.
    D. Right not to be subject to automated individual decision-making.

  • Question 9:

    As a Data Protection Officer for a small bank in the European Union, you receive a data subject access request from one of your customers. The customer provides you with his name, and has used the email address registered in your system.

    What would be the most appropriate way to confirm the identity of the customer?

    A. Request that the customer provide his bank account number.
    B. Request that the customer answer additional security questions.
    C. Request a copy of the customer's last bank account statement.
    D. Request a copy of the customer's government-issued ID document.

  • Question 10:

    SCENARIO

    Please use the following to answer the next question:

    Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in Greece (5), Italy (15) and Spain (1), have registered their most profitable results ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based in ARRA's main Italian establishment, has organized a team event for its 420 employees and their families at its hotel in Spain.

    Upon arrival at the hotel, each employee and family member is given an electronic wristband at the reception desk. The wristband serves a number of functions:

    1. Allows access to the "party zone" of the hotel, and emits a buzz if the user approaches any unauthorized areas
    2. Allows up to three free drinks for each person of legal age, and emits a buzz once this limit has been reached
    3. Grants a unique ID number for participating in the games and contests that have been planned.

    Along with the wristband, each guest receives a QR code that leads to the online privacy notice describing the use of the wristband. The page also contains an unchecked consent checkbox. In the case of employee family members under the age of 16, consent must be given by a parent. Among the various activities planned for the event, ARRA Hotels' HR office has autonomously set up a photocall area, separate from the main event venue, where employees can come and have their pictures taken in traditional carnival costume. The photos will be posted on ARRA Hotels' main website for general marketing purposes.

    On the night of the event, an employee from one of ARRA's Greek hotels is displeased with the results of the photos in which he appears. He intends to file a complaint with the relevant supervisory authority in regard to the following:

    1. The lack of any privacy notice in the separate photocall area
    2. The unlawful cross-border processing of his personal data
    3. The unacceptable aesthetic outcome of his photos

    Assuming that there is a cross-border processing of personal data, which of the following criteria would NOT be useful to the lead supervisory authority responsible for the Greek employee's complaint when trying to determine the location of the controller's main establishment?

    A. Where the controller is registered as a company.
    B. Where the processor is registered as a company.
    C. Where decisions about the processing activities are made.
    D. Where the director with responsibility for processing activities is located.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important, and more and more enterprises require them from job applicants. But how do you prepare for the exam effectively? How do you prepare in a short time and with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only IAPP exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CIPP-E exam preparation and IAPP certification application, do not hesitate to visit Vcedump.com to find your solutions.