Most Recent IAPP CIPP-E Exam Questions & Answers

Prepare for the IAPP Certified Information Privacy Professional/Europe exam with our extensive collection of questions and answers. These practice Q&A are updated according to the latest syllabus, providing you with the tools needed to review and test your knowledge.

QA4Exam focus on the latest syllabus and exam objectives, our practice Q&A are designed to help you identify key topics and solidify your understanding. By focusing on the core curriculum, These Questions & Answers helps you cover all the essential topics, ensuring you're well-prepared for every section of the exam. Each question comes with a detailed explanation, offering valuable insights and helping you to learn from your mistakes. Whether you're looking to assess your progress or dive deeper into complex topics, our updated Q&A will provide the support you need to confidently approach the IAPP CIPP-E exam and achieve success.

The questions for CIPP-E were last updated on Nov 15, 2024.

Viewing page 1 out of 54 pages.
Viewing questions 1-5 out of 268 questions

Get All 268 Questions & Answers

Question No. 1

What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014?

AThe requirements affected individuals without exception.

BThe requirements were financially burdensome to EU businesses.

CThe requirements specified that data must be held within the EU.

DThe requirements had limitations on how national authorities could use data.

Show Answer

Correct Answer: A

The Data Retention Directive was a EU law that required providers of electronic communications services to retain certain data, such as traffic and location data, for a period of between six months and two years, for the purpose of preventing, investigating, detecting and prosecuting serious crime1.However, in 2014, the Court of Justice of the European Union declared the Directive invalid, because it violated the fundamental rights to respect for private life and to the protection of personal data, as enshrined in the Charter of Fundamental Rights of the EU2.The Court found that the Directive entailed a wide-ranging and particularly serious interference with those rights, without being limited to what is strictly necessary3.One of the reasons for this finding was that the Directive applied to all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception, thus affecting the entire population of the EU4.The Court also noted that the Directive did not provide sufficient safeguards to ensure effective protection of the data against the risk of abuse and unlawful access, and did not require the data to be retained within the EU5.Reference:1Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC2Charter of Fundamental Rights of the European Union3Press release No 54/14 - Judgment in Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others4Judgment of the Court (Grand Chamber) of 8 April 2014. Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Krntner Landesregierung and Others. Requests for a preliminary ruling from the High Court (Ireland) and the Verfassungsgerichtshof (Austria).Joined cases C-293/12 and C-594/125Ibid.

%20the%20Grand,proportionality%20in%20forging%20the%20Directive.

Question No. 2

What must be included in a written agreement between the controller and processor in relation to processing conducted on the controller's behalf?

AAn obligation on the processor to report any personal data breach to the controller within 72 hours.

BAn obligation on both parties to report any serious personal data breach to the supervisory authority.

CAn obligation on both parties to agree to a termination of the agreement if the other party is responsible for a personal data breach.

DAn obligation on the processor to assist the controller in complying with the controller's obligations to notify the supervisory authority about personal data breaches.

Show Answer

Correct Answer: D

According to Article 28(3)(f) of the GDPR, the written agreement between the controller and the processor must include an obligation on the processor to assist the controller in ensuring compliance with the controller's obligations pursuant to Articles 32 to 36 of the GDPR. These obligations include notifying the supervisory authority and the data subjects about personal data breaches, as well as conducting data protection impact assessments and consulting with the supervisory authority when required. The processor must assist the controller by taking appropriate technical and organisational measures, insofar as this is possible, and considering the nature of the processing and the information available to the processor.Reference:

GDPR Article 28(3)(f)

CIPP/E Textbook, Chapter 6, Section 6.2.2, page 154

Free CIPP/E Study Guide, page 18

Question No. 3

Which of the following would MOST likely trigger the extraterritorial effect of the GDPR, as specified by Article 3?

AThe behavior of suspected terrorists being monitored by EU law enforcement bodies.

BPersonal data of EU citizens being processed by a controller or processor based outside the EU.

CThe behavior of EU citizens outside the EU being monitored by non-EU law enforcement bodies.

DPersonal data of EU residents being processed by a non-EU business that targets EU customers.

Show Answer

Correct Answer: B

According to Article 3(1) of the GDPR1, personal data shall be processed in any member state only on the basis ofa decisiontaken ata Union levelthat isbindingfor that member state, unless it is derogated from by national law. This means that the GDPR applies to any processing of personal data within the EU, regardless of where the controller or processor is located, as long as it is based on a decision made at a Union level that is binding for that member state.

Therefore, option B would most likely trigger the extraterritorial effect of the GDPR, as it involves personal data of EU citizens being processed by a controller or processor based outside the EU, which may be subject to a decision made at a Union level that is binding for that member state.

Option A would not trigger the extraterritorial effect of the GDPR, as it involves monitoring suspected terrorists, which is not considered processing under Article 4(1) and (2) of the GDPR1. Monitoring may fall under other legal frameworks, such as national security or counter-terrorism laws.

Option C would not trigger the extraterritorial effect of the GDPR, as it involves monitoring EU citizens outside the EU by non-EU law enforcement bodies, which may not be subject to any decision made at a Union level that is binding for that member state.

Option D would not trigger the extraterritorial effect of the GDPR, as it involves processing personal data of EU residents by a non-EU business that targets EU customers, which may not be subject to any decision made at a Union level that is binding for that member state.

Question No. 4

SCENARIO

Please use the following to answer the next question:

Joe started the Gummy Bear Company in 2000 from his home in Vermont, US

AToday, it is a multi-billion-dollar candy company operating in every continent. All of the company's IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers' philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend's daughter, Alice, who just graduated from law school in the U.S., to be the company's new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone's information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
As a result of Sam's actions, the Gummy Bear Company potentially violated Articles 33 and 34 of the GDPR and will be required to do what?

ANotify its Data Protection Authority about the data breach.

BAnalyze and evaluate the liability for customers in Ireland.

CAnalyze and evaluate all of its breach notification obligations.

DNotify all of its customers that reside in the European Union.

Show Answer

Correct Answer: C

According to Articles 33 and 34 of the GDPR, the Gummy Bear Company potentially violated its breach notification obligations by allowing Sam to copy and use the personal data of its customers in Ireland without their consent or authorization. A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed (Article 4(12)). The Gummy Bear Company, as a data controller, is required to notify the competent supervisory authority of the personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33(1)). The notification should include the nature of the personal data breach, the categories and approximate number of data subjects and personal data records concerned, the likely consequences of the personal data breach, and the measures taken or proposed to address the personal data breach (Article 33(3)). The Gummy Bear Company is also required to communicate the personal data breach to the affected data subjects without undue delay, if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons (Article 34(1)). The communication should describe the nature of the personal data breach and the measures taken or proposed to address the personal data breach (Article 34(2)).

Therefore, the Gummy Bear Company should analyze and evaluate all of its breach notification obligations, taking into account the nature and circumstances of the personal data breach, the type and sensitivity of the personal data involved, the potential impact and harm to the data subjects, and the applicable laws and regulations of the jurisdictions where the data subjects reside. The Gummy Bear Company should also document the personal data breach and the remedial actions taken, and cooperate with the supervisory authorities and the data subjects as required by the GDPR.

Question No. 5

Which statement provides an accurate description of a directive?

AA directive speo5es certain results that must be achieved, but each member state is free to decide how to turn it into a national law

BA directive has binding legal force throughout every member state and enters into force on a set date in all the member states.

CA directive is a legal act relating to specific cases and directed towards member states, companies 0' private individuals.

DA directive is a legal act that applies automatically and uniformly to all EU countries as soon as it enters into force.

Show Answer

Correct Answer: A

According to the EU glossary1, a directive is a legal act that sets out a goal that EU countries must achieve, but leaves them the choice of form and methods to reach it. A directive is binding on the EU countries to which it is addressed, but it does not apply directly at the national level. Instead, it has to be transposed into national law by the national authorities, usually within a specified time limit. This allows for some flexibility and adaptation to the specific circumstances of each country. A directive is different from a regulation, which is a legal act that applies automatically and uniformly to all EU countries as soon as it enters into force, without needing to be transposed into national law.Reference:

Free CIPP/E Study Guide, page 14, section 2.3

Types of legislation, section 2

What are EU directives?

Unlock All Questions for IAPP CIPP-E Exam

Full Exam Access, Actual Exam Questions, Validated Answers, Anytime Anywhere, No Download Limits, No Practice Limits

Get All 268 Questions & Answers