Free IAPP CIPP-E Exam Questions

Become IAPP Certified with updated CIPP-E exam questions and correct answers

Page: 1 / 64

Total 320 Questions | Updated On: Mar 26, 2026

Add To Cart

Question 1

Start-up company MagicAl is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT team decides to collect data about users’ ethnic origin, nationality, and gender.Start-up company MagicAl is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT team decides to collect data about users’ ethnic origin, nationality, and gender.

A : Processing necessary for scientific or statistical purposes.

B : Processing necessary for reasons of substantial public interest.

C : Processing necessary for purposes of preventive or occupational medicine.

D : Processing necessary for the defense of legal claims in potential negligence cases.

Answer: C

Question 2

In which scenario is a Controller most likely required to undertake a Data Protection Impact Assessment?

A : en the controller is collecting email addresses from individuals via an online registration form for marketing purposes.

B : en personal data is being collected and combined with other personal data to profile the creditworthiness of individuals.

C : en the controller is required to have a Data Protection Officer.

D : en personal data is being transferred outside of the EEA.

Answer: B

Question 3

The GDPR forbids the practice of "forum shopping", which occurs when companies do what?

A : Choose the data protection officer that is most sympathetic to their business concerns.

B : ignate their main establishment in member state with the most flexible practices.

C : le appeals of infringement judgments with more than one EU institution simultaneously.

D : lect third-party processors on the basis of cost rather than quality of privacy protection.

Answer: B

Question 4

Which of the following does NOT have to be included in the records most processors must maintain in relation to their data processing activities?

A : me and contact details of each controller on behalf of which the processor is acting

B : tegories of processing carried out on behalf of each controller for which the processor is acting.

C : tails of transfers of personal data to a third country carried out on behalf of each controller for which the processor is acting.

D : tails of any data protection impact assessment conducted in relation to any processing activities carried out by the processor on behalf of each controller for which the processor is acting.

Answer: C

Question 5

According to the European Data Protection Board, if a controller that is not established in the EU but still subject to the GDPR becomes aware of a personal data breach, which supervisory authority or authorities must be notified?

A : Only the supervisory authority of the EU member state in which the controller's EU representative (pursuant to Article 27) is established.

B : Only one lead supervisory authority, as a controller benefits from the one-stop shop mechanism under the GDPR’s enforcement regime.

C : Every supervisory authority of the EU member states where the controller is offering goods or services.

D : Every supervisory authority for which affected data subjects reside in their EU member state.

Answer: A

Page: 1 / 64

Total 320 Questions | Updated On: Mar 26, 2026

Add To Cart