CIPP-E Exam Details

  • Exam Code: CIPP-E
  • Exam Name: Certified Information Privacy Professional/Europe (CIPP/E)
  • Certification: IAPP Certifications
  • Vendor: IAPP
  • Total Questions: 307 Q&As
  • Last Updated: May 31, 2026

IAPP CIPP-E Online Questions & Answers

  • Question 221:

    SCENARIO

    Please use the following to answer the next question:

    CreditPlaya, SA is an established Spanish online insurance company whose exclusive activity is providing health insurance for legal residents of Spain, regardless of their nationality.

    CreditPlaya autonomously manages its own website, through which a potential customer, engaging in a free pre-contractual activity, enters his or her full name, e-mail address, tax identification number (to verify residence in Spain), age, profession, and the full names of any other adult members of his or her family.

    With this data, CreditPlaya immediately sends an email granting or denying eligibility for a health insurance policy. In the case of eligibility, the email also contains the eventual cost of the policy and two PDF documents – one with the contractual Terms and Conditions, and the other with the privacy notice as required by Article 13 of the GDPR. The CreditPlaya Information Tracking System (ITS) is very efficient, with a low rate of unpaid insurance policies. The ITS is automatically fed by the information provided by every applicant, whose data is then used to refine insurance policy rates.

    To ensure their back-up procedures, in January 2021 CreditPlaya started sending weekly copies of the whole database with all the applicants' personal data to an independent company in Uruguay. The information was sent through state-of-the-art encrypting tools, but once in Uruguay was stored without any encryption method. In March 2022, the entire database stored on the Uruguayan company's servers was encrypted by malicious ransomware. There was no evidence that the data was accessed by unauthorized persons, much less altered or exfiltrated. Despite the incident, CreditPlaya found that they could rely on the locally based Spanish back-up information and carry on its activity without interrupting its operations. The incident caused the termination of the professional relationship between the two companies.

    According to the GDPR, current CreditPlaya customers who have expressly accepted the policy Terms and Conditions would NOT be granted which of the following rights?

    A. The Right To Object.
    B. The Right to Erasure.
    C. The Right to Data Portability.
    D. The Right Not to be Subject to Profiling.

  • Question 222:

    A worker in a European Union (EU) member state has ceased his employment with a company. What should the employer most likely do in regard to the worker's personal data?

    A. Destroy sensitive information and store the rest per applicable data protection rules.
    B. Store all of the data in case the departing worker makes a subject access request.
    C. Securely store the data that is required to be kept under local law.
    D. Provide the employee the reasons for retaining the data.

  • Question 223:

    As a Data Protection Officer for a small bank in the European Union, you receive a data subject access request from one of your customers. The customer provides you with his name, and has used the email address registered in your system.

    What would be the most appropriate way to confirm the identity of the customer?

    A. Request that the customer provide his bank account number.
    B. Request that the customer answer additional security questions.
    C. Request a copy of the customer's last bank account statement.
    D. Request a copy of the customer's government-issued ID document.

  • Question 224:

    What is an important difference between the European Court of Human Rights (ECHR) and the Court of Justice of the European Union (CJEU) in relation to their roles and functions?

    A. ECHR can rule on issues concerning privacy as a fundamental right, while the CJEU cannot.
    B. CJEU can force national governments to implement and honor EU law, while the ECHR cannot.
    C. CJEU can hear appeals on human rights decisions made by national courts, while the ECHR cannot.
    D. ECHR can enforce human rights laws against governments that fail to implement them, while the CJEU cannot.

  • Question 225:

    SCENARIO

    Please use the following to answer the next question:

    The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron's marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron's legal department.

    Registration Form

    Vigotron's new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.)

    Vigotron values your privacy. The M-Health app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron's cloud provider, Stratculous. (Read more about Stratculous here.)

    Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer's name, email address or any other information gathered from the app to any third-party without a customer's consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer's legal rights or protect its business or property.

    We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)

    First name:

    Surname:

    Year of birth:

    Email:

    Physical Address (optional*):

    Health status:

    *If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to [email protected] or send a letter with your request to the address listed at the bottom of this page.

    Terms and Conditions

    1. Jurisdiction. [...]

    2. Applicable law. [...]

    3. Limitation of liability. [...]

    Consent

    By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well-being.

    Emily sends the draft to Sam for review. Which of the following is Sam most likely to point out as the biggest problem with Emily's consent provision?

    A. It is not legal to include fields requiring information regarding health status without consent.
    B. Processing health data requires explicit consent, but the form does not ask for explicit consent.
    C. Direct marketing requires explicit consent, whereas the registration form only provides for a right to object.
    D. The provision of the fitness app should be made conditional on the consent to the data processing for direct marketing.

  • Question 226:

    Article 9 of the GDPR lists exceptions to the general prohibition against processing biometric data. Which of the following is NOT one of these exceptions?

    A. The processing is done by a non-profit organization and the results are disclosed outside the organization.
    B. The processing is necessary to protect the vital interests of the data subject when he or she is incapable of giving consent.
    C. The processing is necessary for the establishment, exercise or defense of legal claims when courts are acting in a judicial capacity.
    D. The processing is explicitly consented to by the data subject and he or she is allowed by Union or Member State law to lift the prohibition.

  • Question 227:

    According to Article 84 of the GDPR, the rules on penalties applicable to infringements shall be laid down by?

    A. The local Data Protection Supervisory Authorities.
    B. The European Data Protection Board.
    C. The EU Commission.
    D. The Member States.

  • Question 228:

    Under the Data Protection Law Enforcement Directive of the EU, a government can carry out covert investigations involving personal data, as long as it is set forth by law and constitutes a measure that is both necessary and what?

    A. Prudent.
    B. Important.
    C. Proportionate.
    D. DPA-approved.

  • Question 229:

    The European Parliament jointly exercises legislative and budgetary functions with which of the following?

    A. The European Commission.
    B. The Article 29 Working Party.
    C. The Council of the European Union.
    D. The European Data Protection Board.

  • Question 230:

    What term BEST describes the European model for data protection?

    A. Sectoral
    B. Self-regulatory
    C. Market-based
    D. Comprehensive
