Free IAPP CIPP-E Exam Questions

Become IAPP Certified with updated CIPP-E exam questions and correct answers

Page: 1 / 64

Total 320 Questions | Updated On: Apr 01, 2026

Add To Cart

Question 1

Start-up company MagicAl is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT team decides to collect data about users’ ethnic origin, nationality, and gender.Start-up company MagicAl is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT team decides to collect data about users’ ethnic origin, nationality, and gender.

A : Processing necessary for scientific or statistical purposes.

B : Processing necessary for reasons of substantial public interest.

C : Processing necessary for purposes of preventive or occupational medicine.

D : Processing necessary for the defense of legal claims in potential negligence cases.

Answer: C

Question 2

A data controller appoints a data protection officer. Which of the following conditions would NOT result in an infringement of Articles 37 to 39 of the GDPR?

A : If the data protection officer lacks ISO 27001 auditor certification

B : If the data protection officer is provided by the data processor.

C : If the data protection officer also manages the marketing budget.

D : If the data protection officer receives instructions from the data controller.

Answer: D

Question 3

Jerry, the Chief Marketing Officer for a sports apparel and trophy company, sells products to schools and athletic clubs globally. Recently the company has decided to invest in a new line of customized sports equipment. Jerry plans to email his current customer base to offer them a discount on their first purchase of such equipment.

Jerry tells Kate, the Director of Privacy, about his plan. What is the best guidance Kate can provide to Jerry?

A : Permit Jerry to carry out his plan on the basis of marketing similar products to existing customers.

B : Require Jerry to send all current customers a second notice to allow them to opt-in to marketing emails

C : Permit Jerry to carry out his marketing plan on the basis of legitimate interest

D : Require Jerry to include an option to opt out of marketing emails in the future

Answer: D

Question 4

Company X has entrusted the processing of their payroll data to Provider Y. Provider 'I stores this encrypted data on its server. The IT department of Provider 'I finds out that someone managed to hack into the system and take a copy of the data from its server. In this scenario, whom does Provider 'I have the obligation to notify?

A : public

B : mpany X

C : w enforcement

D : The supervisory authority

Answer: B

Question 5

The GDPR forbids the practice of "forum shopping", which occurs when companies do what?

A : Choose the data protection officer that is most sympathetic to their business concerns.

B : ignate their main establishment in member state with the most flexible practices.

C : le appeals of infringement judgments with more than one EU institution simultaneously.

D : lect third-party processors on the basis of cost rather than quality of privacy protection.

Answer: B

Page: 1 / 64

Total 320 Questions | Updated On: Apr 01, 2026

Add To Cart