IAPP CIPP-E Certified Information Privacy Professional/Europe (CIPP/E) Online Training
IAPP CIPP-E Online Training
The questions for CIPP-E were last updated at Aug 05,2025.
- Exam Code: CIPP-E
- Exam Name: Certified Information Privacy Professional/Europe (CIPP/E)
- Certification Provider: IAPP
- Latest update: Aug 05,2025
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.
JaphSoft’s use of pseudonymization is NOT in compliance with the CDPR because?
- A . JaphSoft failed to first anonymize the personal data.
- B . JaphSoft pseudonymized all the data instead of deleting what it no longer needed.
- C . JaphSoft was in possession of information that could be used to identify data subjects.
- D . JaphSoft failed to keep personally identifiable information in a separate database.
Under Article 80(1) of the GDPR, individuals can elect to be represented by not-for-profit organizations in a privacy group litigation or class action.
These organizations are commonly known as?
- A . Law firm organizations.
- B . Civil society organizations.
- C . Human rights organizations.
- D . Constitutional rights organizations.
According to the GDPR, how is pseudonymous personal data defined?
- A . Data that can no longer be attributed to a specific data subject without the use of additional information kept separately.
- B . Data that can no longer be attributed to a specific data subject, with no possibility of re-identifying the data.
- C . Data that has been rendered anonymous in such a manner that the data subject is no longer identifiable.
- D . Data that has been encrypted or is subject to other technical safeguards.
When would a data subject NOT be able to exercise the right to portability?
- A . When the processing is necessary to perform a task in the exercise of authority vested in the controller.
- B . When the processing is carried out pursuant to a contract with the data subject.
- C . When the data was supplied to the controller by the data subject.
- D . When the processing is based on consent.
A well-known video production company, based in Spain but specializing in documentaries filmed worldwide, has just finished recording several hours of footage featuring senior citizens in the streets of Madrid. Under what condition would the company NOT be required to obtain the consent of everyone whose image they use for their documentary?
- A . If obtaining consent is deemed to involve disproportionate effort.
- B . If obtaining consent is deemed voluntary by local legislation.
- C . If the company limits the footage to data subjects solely of legal age.
- D . If the company’s status as a documentary provider allows it to claim legitimate interest.
As per the GDPR, which legal basis would be the most appropriate for an online shop that wishes to process personal data for the purpose of fraud prevention?
- A . Protection of the interests of the data subjects.
- B . Performance of a contact
- C . Legitimate interest
- D . Consent
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.
For what reason would JaphSoft be considered a controller under the GDPR?
- A . It determines how long to retain the personal data collected.
- B . It has been provided access to personal data in the MarketIQ database.
- C . It uses personal data to improve its products and services for its client-base through machine learning.
- D . It makes decisions regarding the technical and organizational measures necessary to protect the personal data.
Article 9 of the GDPR lists exceptions to the general prohibition against processing biometric data.
Which of the following is NOT one of these exceptions?
- A . The processing is done by a non-profit organization and the results are disclosed outside the organization.
- B . The processing is necessary to protect the vital interests of the data subject when he or she is incapable of giving consent.
- C . The processing is necessary for the establishment, exercise or defense of legal claims when courts are acting in a judicial capacity.
- D . The processing is explicitly consented to by the data subject and he or she is allowed by Union or Member State law to lift the prohibition.
Which sentence best describes proper compliance for an international organization using Binding Corporate Rules (BCRs) as a controller or processor?
- A . Employees must sign an ad hoc contractual agreement each time personal data is exported.
- B . All employees are subject to the rules in their entirety, regardless of where the work is taking place.
- C . All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.
- D . Employees who control personal data must complete a rigorous certification procedure, as they are exempt from legal enforcement.
If a French controller has a car-sharing app available only in Morocco, Algeria and Tunisia, but the data processing activities are carried out by the appointed processor in Spain, the GDPR will apply to the processing of the personal data so long as?
- A . The individuals are European citizens or residents.
- B . The data processing activities are in Spain.
- C . The data controller is in France.
- D . The EU individuals are targeted.
Latest CIPP-E Dumps Valid Version with 157 Q&As
Latest And Valid Q&A | Instant Download | Once Fail, Full Refund
