CIPP-E Exam Details

  • Exam Code
    :CIPP-E
  • Exam Name
    :Certified Information Privacy Professional/Europe (CIPP/E)
  • Certification
    :IAPP Certifications
  • Vendor
    :IAPP
  • Total Questions
    :307 Q&As
  • Last Updated
    :Jul 12, 2026

IAPP CIPP-E Online Questions & Answers

  • Question 291:

    An entity's website stores text files on EU users' computer and mobile device browsers. Prior to doing so, the entity is required to provide users with notices containing information and consent under which of the following frameworks?

    A. General Data Protection Regulation 2016/679.
    B. E-Privacy Directive 2002/58/EC.
    C. E-Commerce Directive 2000/31/EC.
    D. Data Protection Directive 95/46/EC.

  • Question 292:

    In addition to the European Commission, who can adopt standard contractual clauses, assuming that all required conditions are met?

    A. Approved data controllers.
    B. The Council of the European Union.
    C. National data protection authorities.
    D. The European Data Protection Supervisor.

  • Question 293:

    A company is hesitating between Binding Corporate Rules and Standard Contractual Clauses as a global data transfer solution. Which of the following statements would help the company make an effective decision?

    A. Binding Corporate Rules are especially recommended for small and medium companies.
    B. The data exporter does not need to be located in the EU for the standard Contractual Clauses.
    C. Binding Corporate Rules provide a global solution for all the entities of a company that are bound by the intra-group agreement.
    D. The company will need the prior authorization of all EU data protection authorities for concluding Standard Contractual Clauses.

  • Question 294:

    SCENARIO Please use the following to answer the next question: Zandelay Fashion (`Zandelay') is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the

    company's compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.

    The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial

    information such as credit card and bank account numbers.

    In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company's customers by analyzing their purchases.

    Martin tells the CEO that:

    (a) the potential risks of such activities means that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures. Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.

    Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay's business plan and associated processing activities. What must Zandelay provide to the supervisory authority during the prior consultation?

    A. An evaluation of the complexity of the intended processing.
    B. An explanation of the purposes and means of the intended processing.
    C. Records showing that customers have explicitly consented to the intended profiling activities.
    D. Certificates that prove Martin's professional qualities and expert knowledge of data protection law.

  • Question 295:

    Jerry the Chief Marketing Officer for a sports apparel and trophy company, sells products to schools and athletic clubs globally Recently the company has decided to invest in a new line of customized sports equipment Jerry plans to email his current customer base to offer them a discount on their first purchase of such equipment.

    Jerry tells Kate, the Director of Privacy, about his plan. What is the best guidance Kate can provide to Jerry?

    A. Permit Jerry to carry out his plan on the basis of marketing similar products to existing customers.
    B. Require Jerry to send all current customers a second notice to allow them to opt-in to marketing emails
    C. Permit Jerry to carry out his marketing plan on the basis of legitimate interest
    D. Require Jerry to include an option to opt out of marketing emails in the future

  • Question 296:

    Which of the following is NOT exempt from the material scope of the GDPR. insofar as the processing of personal data is concerned?

    A. A natural person in the course of a large-scale but purely personal or household activity.
    B. A natural person processing data foe a small-scale, purely personal or household activity.
    C. A natural person in the course of processing purely personal or household data on behalf of a spouse who is beyond the age of majority.
    D. A natural person in the course of activity conducted purely tor a personally-owned sole proprietorship.

  • Question 297:

    The Planet 49 decision clarified all of the following issues regarding cookies EXCEPT?

    A. Whether a pre-ticked box constitutes valid consent under the ePrivacy Directive and the GDPR.
    B. Whether consent may be bundled to cover a number of activities or purposes at the same time.
    C. Whether is it necessary to provide information about the duration of cookies and any third-party cookies.
    D. Whether users may be forced to provide their consent as a condition for benefiting from goods or services being offered.

  • Question 298:

    SCENARIO

    Please use the following to answer the next question:

    Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related (asks This was also specified in the privacy policy, which Jack signed upon conclusion of the training.

    After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and hearth information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors. Jack was immediately dismissed

    Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents. In relation to the emails Jack listed six members of the management team whose inboxes the required access.

    How should the company respond to Jack's request to be forgotten?

    A. The company should not erase the data at this time as it may be required to defend a legal claim of unfair dismissal.
    B. The company should erase all data relating to Jack without undue delay as the right to be forgotten is an absolute right.
    C. The company should claim that the right to be forgotten is not applicable to them, as only a fraction of their global workforce resides in the European Union.
    D. The company should ensure that the information is stored outside of the European Union so that the right to be forgotten under the GDPR does not apply.

  • Question 299:

    SCENARIO

    Please use the following to answer the next question:

    Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover

    compensation for personal injury. Louis has heard about insurance companies selling customers' data to third parties, and he's convinced that Accidentable must have gotten his information from Bedrock Insurance.

    Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.

    Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When

    his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.

    In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes. Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that

    Louis's contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing. In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.

    Accidentable's response letter confirms Louis's suspicions. Accidentable is Bedrock Insurance's wholly owned subsidiary, and they received information about Louis's accident from Bedrock shortly after Louis submitted his accident claim.

    Accidentable assures Louis that there has been no breach of the GDPR, as Louis's contract included, a provision in which he agreed to share his information with Bedrock's affiliates for business purposes.

    Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.

    After Louis has exercised his right to restrict the use of his data, under what conditions would Accidentable have grounds for refusing to comply?

    A. If Accidentable is entitled to use of the data as an affiliate of Bedrock.
    B. If Accidentable also uses the data to conduct public health research.
    C. If the data becomes necessary to defend Accidentable's legal rights.
    D. If the accuracy of the data is not an aspect that Louis is disputing.

  • Question 300:

    According to the European Data Protection Board, controllers responding to a data subject access request can refuse to provide a copy of personal data under certain conditions. Which of the following is NOT one of these conditions?

    A. If the data subject access request was sent to an employee that is not involved in the processing of such requests.
    B. If there is such a large amount of data that the controller cannot identify the data subject of the request.
    C. If the controller is unable to use end-to-end encrypted emails for responding to such requests.
    D. If the personal data was processed in the past but is no longer at the controller’s disposal at the time of the request.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only IAPP exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your CIPP-E exam preparations and IAPP certification application, do not hesitate to visit our Vcedump.com to find your solutions here.