IAPP CIPP-E Certified Information Privacy Professional/Europe (CIPP/E) Online Training
The questions for CIPP-E were last updated on Aug 06, 2025.
- Exam Code: CIPP-E
- Exam Name: Certified Information Privacy Professional/Europe (CIPP/E)
- Certification Provider: IAPP
- Latest update: Aug 06, 2025
A worker in a European Union (EU) member state has ceased his employment with a company.
What should the employer most likely do in regard to the worker’s personal data?
- A. Destroy sensitive information and store the rest per applicable data protection rules.
- B. Store all of the data in case the departing worker makes a subject access request.
- C. Securely store the data that is required to be kept under local law.
- D. Provide the employee the reasons for retaining the data.
Which of the following does NOT have to be included in the records most processors must maintain in relation to their data processing activities?
- A. Name and contact details of each controller on behalf of which the processor is acting.
- B. Categories of processing carried out on behalf of each controller for which the processor is acting.
- C. Details of transfers of personal data to a third country carried out on behalf of each controller for which the processor is acting.
- D. Details of any data protection impact assessment conducted in relation to any processing activities carried out by the processor on behalf of each controller for which the processor is acting.
What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) all had in common but largely failed to achieve in Europe?
- A. The establishment of a list of legitimate data processing criteria
- B. The creation of legally binding data protection principles
- C. The synchronization of approaches to data protection
- D. The restriction of cross-border data flow
What obligation does a data controller or processor have after appointing a data protection officer?
- A. To ensure that the data protection officer receives sufficient instructions regarding the exercise of his or her defined tasks.
- B. To provide resources necessary to carry out the defined tasks of the data protection officer and to maintain his or her expert knowledge.
- C. To ensure that the data protection officer acts as the sole point of contact for individuals’ questions about their personal data.
- D. To submit for approval to the data protection officer a code of conduct to govern organizational practices and demonstrate compliance with data protection principles.
SCENARIO
Please use the following to answer the next question:
Jack worked as a Pharmacovigilance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process, Jack received privacy training. He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related tasks. This was also specified in the privacy policy, which Jack signed upon conclusion of the training.
After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient’s name and health information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors, Jack was immediately dismissed. Jack’s lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents." In relation to the emails, Jack listed six members of the management team to whose inboxes he required access.
The company conducted an initial search of its IT systems, which returned a large amount of information. They then contacted Jack, requesting that he be more specific regarding what information he required, so that they could carry out a targeted search. Jack responded by stating that he would not narrow the scope of the information requested.
Under Article 82 of the GDPR ("Right to compensation and liability"), which party is liable for the damage caused by the data breach?
- A. Both parties are exempt, as the company is involved in human health research
- B. Jack and the pharmaceutical company are jointly liable.
- C. The pharmaceutical company is liable.
- D. Jack is liable
According to Art 23 GDPR, which of the following data subject rights can NOT be restricted?
- A. Right to restriction of processing.
- B. Right to erasure ("Right to be forgotten").
- C. Right to lodge a complaint with a supervisory authority.
- D. Right not to be subject to automated individual decision-making
According to Article 14 of the GDPR, how long does a controller have to provide a data subject with necessary privacy information, if that subject’s personal data has been obtained from other sources?
- A. As soon as possible after obtaining the personal data.
- B. As soon as possible after the first communication with the data subject.
- C. Within a reasonable period after obtaining the personal data, but no later than one month.
- D. Within a reasonable period after obtaining the personal data, but no later than eight weeks.
Tanya is the Data Protection Officer for Curtains Inc., a GDPR data controller. She has recommended that the company encrypt all personal data at rest.
Which GDPR principle is she following?
- A. Accuracy
- B. Storage Limitation
- C. Integrity and confidentiality
- D. Lawfulness, fairness and transparency
Which statement is correct when considering the right to privacy under Article 8 of the European Convention on Human Rights (ECHR)?
- A. The right to privacy is an absolute right
- B. The right to privacy has to be balanced against other rights under the ECHR
- C. The right to freedom of expression under Article 10 of the ECHR will always override the right to privacy
- D. The right to privacy protects the right to hold opinions and to receive and impart ideas without interference