Free IAPP CIPP-E Exam Questions

Become IAPP Certified with updated CIPP-E exam questions and correct answers

Page: 1 / 64

Total 320 Questions | Updated On: Apr 29, 2026

Add To Cart

Question 1

Through a combination of hardware failure and human error, the decryption key for a bank’s customer account transaction database has been lost. An investigation has determined that this was not the result of hacking or malfeasance, simply an unfortunate combination of circumstances. Which of the following accurately indicates the nature of this incident?

A : A data breach has not occurred because the loss was not the result of hacking.

B : A data breach has not occurred because no data was exposed to any unauthorized individual.

C : A data breach has occurred because the loss of the key has resulted in the data no longer being accessible.

D : A data breach has occurred because the loss of the key has resulted in the loss of confidentiality or integrity of the data.

Answer: D

Question 2

Which of the following is NOT an explicit right granted to data subjects under the GDPR?

A : right to request access to the personal data a controller holds about them.

B : right to request the deletion of data a controller holds about them.

C : right to opt-out of the sale of their personal data to third parties.

D : right to request restriction of processing of personal data, under certain scenarios.

Answer: A

Question 3

A German data subject was the victim of an embarrassing prank 20 years ago. A newspaper website published an article about the prank at the time, and the article is still available on the newspaper's website. Unfortunately, the prank is the top search result when a user searches on the victim's name. The data subject requests that SearchCo delist this result. SearchCo agrees, and instructs its technology team to avoid scanning or indexing the article. What else must SearchCo do?

A : tify the newspaper that its article it is delisting the article.

B : lly erase the URL to the content, as opposed to delist which is mainly based on data subject's name.

C : Identify other controllers who are processing the same information and inform them of the delisting request.

D : Prevent the article from being listed in search results no matter what search terms are entered into the search engine.

Answer: A

Question 4

The GDPR forbids the practice of "forum shopping", which occurs when companies do what?

A : Choose the data protection officer that is most sympathetic to their business concerns.

B : ignate their main establishment in member state with the most flexible practices.

C : le appeals of infringement judgments with more than one EU institution simultaneously.

D : lect third-party processors on the basis of cost rather than quality of privacy protection.

Answer: B

Question 5

Jerry, the Chief Marketing Officer for a sports apparel and trophy company, sells products to schools and athletic clubs globally. Recently the company has decided to invest in a new line of customized sports equipment. Jerry plans to email his current customer base to offer them a discount on their first purchase of such equipment.

Jerry tells Kate, the Director of Privacy, about his plan. What is the best guidance Kate can provide to Jerry?

A : Permit Jerry to carry out his plan on the basis of marketing similar products to existing customers.

B : Require Jerry to send all current customers a second notice to allow them to opt-in to marketing emails

C : Permit Jerry to carry out his marketing plan on the basis of legitimate interest

D : Require Jerry to include an option to opt out of marketing emails in the future

Answer: D

Page: 1 / 64

Total 320 Questions | Updated On: Apr 29, 2026

Add To Cart