CIPP-E Exam Details

  • Exam Code
    :CIPP-E
  • Exam Name
    :Certified Information Privacy Professional/Europe (CIPP/E)
  • Certification
    :IAPP Certifications
  • Vendor
    :IAPP
  • Total Questions
    :307 Q&As
  • Last Updated
    :Jul 12, 2026

IAPP CIPP-E Online Questions & Answers

  • Question 11:

    Which of the following Convention 108+ principles, as amended in 2018, is NOT consistent with a principle found in the GDPR?

    A. The obligation of companies to declare data breaches.
    B. The requirement to demonstrate compliance to a supervisory authority.
    C. The necessity of the bulk collection of personal data by the government.
    D. The necessity of establishing a specific legal basis for processing personal data.

  • Question 12:

    Which of the following is an example of direct marketing that would be subject to European data protection laws?

    A. An updated privacy notice sent to an individual's personal email address.
    B. A charity fundraising event notice sent to an individual at her business address.
    C. A service outage notification provided to an individual by recorded telephone message.
    D. A revision of contract terms conveyed to an individual by SMS from a marketing organization.

  • Question 13:

    SCENARIO

    Please use the following to answer the next question:

    T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies.

    T-Craze also opened various office locations throughout Europe to help expand its business. While Germany continued to host T-Craze's headquarters and main product-design office, its French affiliate became responsible for all marketing and sales activities. The French affiliate recently procured the services of Right Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T-Craze, though with much less success. The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from the Right Target on behalf of T-Craze.

    Why does the Spanish supervisory authority notify the French supervisory authority when it opens an investigation into T-Craze based on Sofia's complaint?

    A. T-Craze has a French affiliate.
    B. The French affiliate procured the services of Right Target.
    C. T-Craze conducts its marketing and sales activities in France.
    D. The Spanish supervisory authority is providing a courtesy notification not required under the GDPR.

  • Question 14:

    What are the obligations of a processor that engages a sub-processor?

    A. The processor must give the controller prior written notice and perform a preliminary audit of the sub-processor.
    B. The processor must obtain the controller's specific written authorization and provide annual reports on the sub-processor's performance.
    C. The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.
    D. The processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor.

  • Question 15:

    What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention 108?

    A. Both govern international transfers of personal data
    B. Both govern the manual processing of personal data
    C. Both only apply to European Union countries
    D. Both require notification of processing activities to a supervisory authority

  • Question 16:

    Pursuant to the EDPB Guidelines 8/2022, all of the following criteria must be considered when identifying a lead supervisory authority of a controller EXCEPT?

    A. Determining where the controller has its place of central administration in the EEA.
    B. Determining the supervisory authority where the place of central administration of the controller is located.
    C. Determining the supervisory authority according to what has been identified by the controller as the authority to which data subjects can lodge complaints.
    D. Determining if decisions on the processing are taken in another establishment in the EEA, and if that establishment has the power to implement those decisions.

  • Question 17:

    SCENARIO

    Please use the following to answer the next question:

    CreditPlaya, SA is an established Spanish online insurance company whose exclusive activity is providing health insurance for legal residents of Spain, regardless of their nationality.

    CreditPlaya autonomously manages its own website, through which a potential customer, engaging in a free pre-contractual activity, enters his or her full name, e-mail address, tax identification number (to verify residence in Spain), age,

    profession, and the full names of any other adult members of his or her family.

    With this data, CreditPlaya immediately sends an email granting or denying eligibility for a health insurance policy. In the case of eligibility, the email also contains the eventual cost of the policy and two PDF documents – one with the contractual Terms and Conditions, and the other with the privacy notice as required by Article 13 of the GDPR. The CreditPlaya Information Tracking System (ITS) is very efficient, with a low rate of unpaid insurance policies. The ITS is automatically fed by the information provided by every applicant, whose data is then used to refine insurance policy

    rates.

    To ensure their back-up procedures, in January 2021 CreditPlaya started sending weekly copies of the whole database with all the applicants' personal data to an independent company in Uruguay. The information was sent through state-ofthe-art encrypting tools, but once in Uruguay was stored without any encryption method. In March 2022, the entire data base stored on the Uruguay's company servers was encrypted by malicious ransomware. There was no evidence that the data was accessed by unauthorized persons, much less altered or exfiltrated. Despite

    the incident, CreditPlaya found that they could rely on the locally based Spanish back-up information and carry on its activity without interrupting its operations. The incident caused the termination of the professional relationship between the

    two companies.

    The disclosure of personal data to the independent company in Uruguay should be regulated by which of the following?

    A. Binding Corporate Rules.
    B. A controller/processor agreement.
    C. An ad hoc authorization from the EU Commission.
    D. An ad hoc authorization from the Spanish Data Protection Authority.

  • Question 18:

    Under Article 80(1) of the GDPR, individuals can elect to be represented by not-for-profit organizations in a privacy group litigation or class action. These organizations are commonly known as?

    A. Law firm organizations.
    B. Civil society organizations.
    C. Human rights organizations.
    D. Constitutional rights organizations.

  • Question 19:

    The GDPR specifies fines that may be levied against data controllers for certain infringements. Which of the following infringements would be subject to the less severe administrative fine of up to 10 million euros (or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year)?

    A. Failure to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing.
    B. Failure to implement technical and organizational measures to ensure data protection is enshrined by design and default.
    C. Failure to process personal information in a manner compatible with its original purpose.
    D. Failure to provide the means for a data subject to rectify inaccuracies in personal data.

  • Question 20:

    SCENARIO

    Please use the following to answer the next question:

    Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a

    dedicated data center located in Malta (EU).

    People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a Know Your Customer (KYC) due diligence procedure aimed at preventing money laundering and ensuring

    compliance with applicable financial regulations.

    The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and ticking a checkbox on a separate page in order to get their account approved on the platform.

    All customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a customer fails the KYC process, its KYC data will be automatically shared

    with the national anti-money laundering agency.

    The KYC procedure requires customers to answer many questions, including whether they have any criminal convictions, whether they use recreational drugs or have problems with alcohol, and whether they have a terminal illness. While

    providing this data, customers see a conspicuous message saying that this data is meant only to prevent fraud and account takeover, and will be never shared with private third parties.

    The company regularly conducts external security testing of its online systems by independent cybersecurity companies from the EU. At the final stage of testing, the company provides cybersecurity assessors with access to its central

    database to review security permissions, roles and policies. Personal data in the database is encrypted; however, cybersecurity assessors usually have access to the decryption keys obtained while running initial security testing. The

    assessors must strictly follow the guidelines imposed by the company during the entire testing and auditing process.

    All customer data, including trading activities and all internal communications with technical support, are permanently stored in a secured AWS S3 Glacier cloud data storage, located in Ireland, for backup and compliance purposes. The data

    is securely transferred to the cloud and then is properly encrypted while at rest by using AWS-native encryption mechanisms. These mechanisms give AWS the necessary technical means to encrypt and decrypt the data when such is

    required by the company. There is no data processing agreement between AWS and the company.

    Should Jane modify the required GDPR rights waiver for non-European residents?

    A. Yes, the waiver must not apply to any residents of countries with an adequacy decision from the EC.
    B. Yes, this clause must be entirely removed as all customers, regardless of residence or nationality, shall enjoy the same individual rights granted under GDPR.
    C. No, the non-EU residents are not protected by GDPR unless they are physically located in the EU.
    D. No, but all non-EU residents must manually sign a separate waiver to ensure its lawfulness and enforceability under GDPR.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only IAPP exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your CIPP-E exam preparations and IAPP certification application, do not hesitate to visit our Vcedump.com to find your solutions here.