Free IAPP CIPP-E Exam Questions

Become IAPP Certified with updated CIPP-E exam questions and correct answers

Page: 1 / 64

Total 320 Questions | Updated On: Apr 21, 2026

Add To Cart

Question 1

Bioface is a company based in the United States. It has no servers, personnel or assets in the European Union. By collecting photographs from social media and other web-based services, such as newspapers and blogs, it uses machine learning to develop a facial recognition algorithm. The algorithm identifies individuals in photographs who are not in its data set based the algorithm and its existing data.

The service collects photographs of data subjects in the European Union and will identify them if presented with their photographs. Bioface offers its service to government agencies and companies in the United States and Canada, but not to those in the European Union. Bioface does not offer the service to individuals.

Why is Bioface subject to the territorial scope of the General Data Protection Regulation?

A : collects data from European Union websites, which constitutes an establishment in the European Union.

B : offers services in the European Union by identifying data subjects in the European Union

C : collects data from subjects and uses it for automated processing.

D : It monitors the behavior of data subjects in the European Union.

Answer: A

Question 2

A data controller appoints a data protection officer. Which of the following conditions would NOT result in an infringement of Articles 37 to 39 of the GDPR?

A : If the data protection officer lacks ISO 27001 auditor certification

B : If the data protection officer is provided by the data processor.

C : If the data protection officer also manages the marketing budget.

D : If the data protection officer receives instructions from the data controller.

Answer: D

Question 3

Which of the following does NOT have to be included in the records most processors must maintain in relation to their data processing activities?

A : me and contact details of each controller on behalf of which the processor is acting

B : tegories of processing carried out on behalf of each controller for which the processor is acting.

C : tails of transfers of personal data to a third country carried out on behalf of each controller for which the processor is acting.

D : tails of any data protection impact assessment conducted in relation to any processing activities carried out by the processor on behalf of each controller for which the processor is acting.

Answer: C

Question 4

Through a combination of hardware failure and human error, the decryption key for a bank’s customer account transaction database has been lost. An investigation has determined that this was not the result of hacking or malfeasance, simply an unfortunate combination of circumstances. Which of the following accurately indicates the nature of this incident?

A : A data breach has not occurred because the loss was not the result of hacking.

B : A data breach has not occurred because no data was exposed to any unauthorized individual.

C : A data breach has occurred because the loss of the key has resulted in the data no longer being accessible.

D : A data breach has occurred because the loss of the key has resulted in the loss of confidentiality or integrity of the data.

Answer: D

Question 5

What was the aim of the European Data Protection Directive 95/46/EC?

A : harmonize the implementation of the European Convention of Human Rights across all member states.

B : To implement the OECD Guidelines on the Protection of Privacy and trans-border flows of Personal Data.

C : To completely prevent the transfer of personal data out of the European Union.

D : further reconcile the protection of the fundamental rights of individuals with the free flow of data from one member state to another.

Answer: D

Page: 1 / 64

Total 320 Questions | Updated On: Apr 21, 2026

Add To Cart