CIPP-E Online Practice Questions


Latest CIPP-E Exam Practice Questions

The practice questions for the CIPP-E exam were last updated on 2025-06-03.


Question#1

What is true if an employee makes an access request to his employer for any personal data held about him?

A. The employer can automatically decline the request if it contains personal data about a third person.
B. The employer can decline the request if the information is only held electronically.
C. The employer must supply all the information held about the employee.
D. The employer must supply any information held about an employee unless an exemption applies.

Question#2

In which of the following cases would an organization MOST LIKELY be required to follow both ePrivacy and data protection rules?

A. When creating an untargeted pop-up ad on a website.
B. When calling a potential customer to notify her of an upcoming product sale.
C. When emailing a customer to announce that his recent order should arrive earlier than expected.
D. When paying a search engine company to give prominence to certain products and services within specific search results.

Explanation:
Both ePrivacy and data protection rules (like the GDPR) can be applicable simultaneously in certain scenarios, particularly when it comes to direct marketing.
A brief overview of each option:
A. Untargeted pop-up ads on a website are mainly an ePrivacy issue as they involve the use of cookies or similar technologies. There might be a limited GDPR implication if personal data is collected through such cookies, but it's less direct than other options.
B. Direct marketing calls, especially unsolicited ones, require compliance with ePrivacy rules (for example, checking against "do not call" lists). Additionally, any processing of personal data in relation to such calls (like storing phone numbers or using them for further processing) would fall under GDPR.
C. Informing a customer about their order status is transactional and necessary for the performance of a contract. It would not be considered direct marketing, so ePrivacy's direct marketing provisions wouldn't likely apply, although GDPR would still be relevant.
D. Paying for prominence in search results is an advertising activity. While this might involve some data protection considerations, it's less direct in terms of combining both ePrivacy and GDPR implications compared to direct marketing activities.
Therefore, option B represents a scenario where both ePrivacy (related to direct marketing communications) and GDPR (related to the processing of personal data) would likely apply.

Question#3

Under Article 21 of the GDPR, a controller must stop profiling when requested by a data subject, unless it can demonstrate compelling legitimate grounds that override the interests of the individual.
In the Guidelines on Automated individual decision-making and Profiling, the WP 29 says the controller needs to do all of the following to demonstrate that it has such legitimate grounds EXCEPT?

A. Carry out an exercise that weighs the interests of the controller and the basis for the data subject’s objection.
B. Consider the impact of the profiling on the data subject’s interest, rights and freedoms.
C. Demonstrate that the profiling is for the purposes of direct marketing.
D. Consider the importance of the profiling to their particular objective.

Explanation:
Reference: https://gdpr-info.eu/art-21-gdpr/

Question#4

Which aspect of processing does the GDPR allow processors to determine for themselves?

A. The question of whether the controller needs to be informed about the substitution of another processor carrying out specific processing activities on behalf of the controller.
B. Their own purposes for the processing, if such purposes are compatible with those for which the personal data were initially collected.
C. The parameters of their marketing campaigns using personal data relating to the controller's customers.
D. Their own type of hardware or software and the specific security measures for the processing.

Explanation:
The GDPR defines processors as entities that process personal data on behalf of controllers, typically under a contract or other legal act that sets out the subject matter, duration, nature, purpose, type and categories of personal data, and the obligations and rights of the controller. Processors must act only on the documented instructions of the controller, unless required by law to act otherwise. Processors must also comply with the GDPR’s requirements regarding the security, confidentiality, transfer, sub-processing, notification, assistance, cooperation, and documentation of the personal data processing.
However, the GDPR does not prescribe the exact technical and organisational measures that processors must implement to ensure the security of the personal data processing. Instead, the GDPR requires that processors take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of data subjects. Therefore, processors have some discretion to determine their own type of hardware or software and the specific security measures for the processing, as long as they provide a level of security appropriate to the risk and comply with the controller’s instructions. Processors may also adhere to approved codes of conduct or certification mechanisms to demonstrate their compliance with the GDPR’s security requirements.
The other options listed in the question are not aspects of processing that the GDPR allows processors to determine for themselves. According to the GDPR:
Processors must inform the controller of any intended changes concerning the addition or replacement of other processors, and give the controller the opportunity to object to such changes. Processors must also impose the same data protection obligations on any sub-processors as those agreed with the controller.
Processors must not process the personal data for their own purposes, unless they have a legal basis to do so and inform the data subjects accordingly. Processors must only process the personal data for the purposes determined by the controller, and in accordance with the controller’s instructions.
Processors must not use the personal data relating to the controller’s customers for their own marketing campaigns, unless they have obtained the consent of the data subjects or have another legitimate interest to do so. Processors must respect the data subjects’ rights to object to direct marketing and to withdraw their consent at any time.
Reference: GDPR, Articles 4, 28, 29, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42 and 43.
EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, pages 19, 20, 21, 22, 23, 24, 25, 26, 27 and 28.

Question#5

What is the main task of the European Data Protection Board?

A. To assess adequacy of data protection in third countries
B. To ensure consistent application of the GDPR
C. To proactively prevent disputes between national supervisory authorities.
D. To publish guidelines for data subjects on how to properly enforce their rights

Exam Code: CIPP-E. Q&A: 292 Q&As. Updated: 2025-06-03.
