Free IAPP CIPP-E Exam Questions

Become IAPP Certified with updated CIPP-E exam questions and correct answers

Page: 1 / 64

Total 320 Questions | Updated On: Feb 19, 2026

Add To Cart

Question 1

According to the European Data Protection Board, if a controller that is not established in the EU but still subject to the GDPR becomes aware of a personal data breach, which supervisory authority or authorities must be notified?

A : Only the supervisory authority of the EU member state in which the controller's EU representative (pursuant to Article 27) is established.

B : Only one lead supervisory authority, as a controller benefits from the one-stop shop mechanism under the GDPR’s enforcement regime.

C : Every supervisory authority of the EU member states where the controller is offering goods or services.

D : Every supervisory authority for which affected data subjects reside in their EU member state.

Answer: A

Question 2

What was the aim of the European Data Protection Directive 95/46/EC?

A : harmonize the implementation of the European Convention of Human Rights across all member states.

B : To implement the OECD Guidelines on the Protection of Privacy and trans-border flows of Personal Data.

C : To completely prevent the transfer of personal data out of the European Union.

D : further reconcile the protection of the fundamental rights of individuals with the free flow of data from one member state to another.

Answer: D

Question 3

What is the key difference between the European Council and the Council of the European Union?

A : Council of the European Union is helmed by a president.

B : Council of the European Union has a degree of legislative power.

C : European Council focuses primarily on issues involving human rights.

D : European Council is comprised of the heads of each EU member state.

Answer: D

Question 4

Which of the following is NOT an explicit right granted to data subjects under the GDPR?

A : right to request access to the personal data a controller holds about them.

B : right to request the deletion of data a controller holds about them.

C : right to opt-out of the sale of their personal data to third parties.

D : right to request restriction of processing of personal data, under certain scenarios.

Answer: A

Question 5

A news website based m (he United Slates reports primarily on North American events The website is accessible to any user regardless of location, as the website operator does not block connections from outside of the U.S. The website offers a pad subscription that requires the creation of a user account; this subscription can only be paid in U.S. dollars.

Which of the following explains why the website operator, who is the responsible for all processing related to account creation and subscriptions, is NOT required to comply with the GDPR?

A : yments cannot be made in a European Union currency.

B : controller does not have an establishment in the European Union.

C : website is not available in several official languages of European Un on Member States

D : website cannot block connections from outside the U.S. that use a Virtual Private Network (VPN) to simulate a US location.

Answer: B

Page: 1 / 64

Total 320 Questions | Updated On: Feb 19, 2026

Add To Cart