Free IAPP CIPP-E Exam Questions

Become IAPP Certified with updated CIPP-E exam questions and correct answers

Page: 1 / 64

Total 320 Questions | Updated On: Dec 17, 2025

Add To Cart

Question 1

According to the European Data Protection Board, if a controller that is not established in the EU but still subject to the GDPR becomes aware of a personal data breach, which supervisory authority or authorities must be notified?

A : Only the supervisory authority of the EU member state in which the controller's EU representative (pursuant to Article 27) is established.

B : Only one lead supervisory authority, as a controller benefits from the one-stop shop mechanism under the GDPR’s enforcement regime.

C : Every supervisory authority of the EU member states where the controller is offering goods or services.

D : Every supervisory authority for which affected data subjects reside in their EU member state.

Answer: A

Question 2

Which failing of Privacy Shield, cited by the CJEU as a reason for its invalidation, is the Trans-Atlantic Data Privacy Framework intended to address?

A : Data Subject Rights.

B : Right of Action.

C : Necessity.

D : Consent.

Answer: B

Question 3

A grade school is planning to use facial recognition to track student attendance. Which of the following may provide a lawful basis for this processing?

A : school places a notice near each camera.

B : school gets explicit consent from the students.

C : ocessing is necessary for the legitimate interests pursed by the school.

D : tate law requires facial recognition to verify attendance.

Answer: A

Question 4

Through a combination of hardware failure and human error, the decryption key for a bank’s customer account transaction database has been lost. An investigation has determined that this was not the result of hacking or malfeasance, simply an unfortunate combination of circumstances. Which of the following accurately indicates the nature of this incident?

A : A data breach has not occurred because the loss was not the result of hacking.

B : A data breach has not occurred because no data was exposed to any unauthorized individual.

C : A data breach has occurred because the loss of the key has resulted in the data no longer being accessible.

D : A data breach has occurred because the loss of the key has resulted in the loss of confidentiality or integrity of the data.

Answer: D

Question 5

What is the primary purpose of Convention 108+, which amends the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data?

A : To issue updated guidelines for data transfers from the EU to third-country signatories to the Convention.

B : To modify the process for third countries to obtain an adequacy decision from the European Commission.

C : To strengthen data protection in line with the European and international regulatory framework.

D : To establish new data subject rights and safeguards for consumers in the EU member states.

Answer: C

Page: 1 / 64

Total 320 Questions | Updated On: Dec 17, 2025

Add To Cart