Free IAPP CIPP-E Exam Questions

Become IAPP Certified with updated CIPP-E exam questions and correct answers

Page: 1 / 64

Total 320 Questions | Updated On: Dec 05, 2025

Add To Cart

Question 1

Through a combination of hardware failure and human error, the decryption key for a bank’s customer account transaction database has been lost. An investigation has determined that this was not the result of hacking or malfeasance, simply an unfortunate combination of circumstances. Which of the following accurately indicates the nature of this incident?

A : A data breach has not occurred because the loss was not the result of hacking.

B : A data breach has not occurred because no data was exposed to any unauthorized individual.

C : A data breach has occurred because the loss of the key has resulted in the data no longer being accessible.

D : A data breach has occurred because the loss of the key has resulted in the loss of confidentiality or integrity of the data.

Answer: D

Question 2

A high-ranking employee has his laptop bag stolen in a train station. In addition to the laptop, the bag contained the employee’s ID card, confidential company documents (such as financial information and minutes of board meetings, including participants and their roles), company payment cards, and authorization tokens.

As the company's Data Protection Officer, what should be your first action?

A : Inform the appropriate supervisory authority of the breach.

B : Verify whether the laptop contained personal data and, if so, if it was encrypted.

C : Inform the meeting participants of the breach and provide them with next steps to be taken.

D : Request deactivation of the authorization tokens to avoid access to company data, and remotely wipe the laptop.

Answer: B

Question 3

Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?

A : European Commission can adopt an adequacy decision for individual companies.

B : European Commission can adopt, repeal or amend an existing adequacy decision.

C : member states are vested with the power to accept or reject a European Commission adequacy decision.

D : be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation.

Answer: A

Question 4

According to the GDPR, Article 4(14), biometric data is defined as:

"Personal data resulting from specific technical processing relating to the ___ characteristics of a natural person."

Which term could NOT be placed in the above definition?

A : Physiological.

B : Physical.

C : Intellectual.

D : Behavioral

Answer: C

Question 5

Many businesses print their employees' photographs on building passes, so that employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GOPR. Why would such practice be permitted?

A : cause use of biometric data to confirm the unique identification of data subjects benefits from an exemption.

B : Because photographs qualify as biometric data only when they undergo a "specific technical processing".

C : cause employees are deemed to have given their explicit consent when they agree to be photographed by their employer.

D : cause photographic ID is a physical security measure which is "necessary for reasons of substantial public interest".

Answer: B

Page: 1 / 64

Total 320 Questions | Updated On: Dec 05, 2025

Add To Cart