Free Preparation Discussions
MENU
IAPP CIPP-E Exam Questions
- Topic 1: Introduction to the U.S. Privacy Environment: This section of the exam measures the skills of Privacy Program Managers and covers the foundational structure of U.S. privacy law, including the roles of different government branches, legal sources, and the authorities that regulate privacy. It explains how privacy is enforced through both civil and criminal liability and outlines key concepts like data inventory, privacy program development, and incident response. The section also touches on international compliance, including GDPR and APEC, and the challenges of cross-border data governance for multinational organisations.
- Topic 2: Limits on Private-Sector Collection and Use of Data: This section of the exam measures the skills of Compliance Analysts and explores sector-specific laws that limit how private entities collect and use data. It includes the FTC’s role in privacy enforcement, particularly through the FTC Act and COPPA. It also addresses industry-specific regulations for healthcare (HIPAA, HITECH), finance (GLBA, FCRA), education (FERPA), and telecommunications. The section highlights the evolving nature of privacy compliance across various sectors.
- Topic 3: Government and Court Access to Private-Sector Information: This section of the exam measures the skills of Legal Counsel and focuses on the mechanisms by which government agencies and courts access private-sector data. It reviews how law enforcement agencies obtain financial and communication records, national security tools like FISA and the USA Patriot Act, and legal procedures involving civil litigation and electronic discovery. The emphasis is on understanding the balance between government interests and individual privacy rights: Workplace Privacy: This section of the exam measures the skills of Human Resources Compliance Officers and reviews how privacy is managed in employment contexts. It explains workplace privacy regulations, the responsibilities of federal agencies, and key anti-discrimination laws. It also outlines privacy considerations throughout the employee lifecycle, such as hiring, background checks, monitoring, misconduct investigations, and post-employment data handling, including working with third-party services.
- Topic 4: State Privacy Laws: This section of the exam measures skills of State-Level Privacy Officers and examines the dynamic relationship between federal and state privacy laws. It explores the growing influence of state regulators like the California Privacy Protection Agency (CPPA) and covers key state-level privacy and security laws, including those related to consent, data retention, and AI regulations. It also looks at differences in data breach notification laws across states and highlights emerging legislation in biometric and facial recognition technologies.
Free IAPP CIPP-E Exam Actual Questions
Note: Premium Questions for CIPP-E were last updated On Aug. 15, 2025 (see below)
Which aspect of processing does the GDPR allow processors to determine for themselves?
The GDPR defines processors as entities that process personal data on behalf of controllers, typically under a contract or other legal act that sets out the subject matter, duration, nature, purpose, type and categories of personal data, and the obligations and rights of the controller. Processors must act only on the documented instructions of the controller, unless required by law to act otherwise. Processors must also comply with the GDPR's requirements regarding the security, confidentiality, transfer, sub-processing, notification, assistance, cooperation, and documentation of the personal data processing.
However, the GDPR does not prescribe the exact technical and organisational measures that processors must implement to ensure the security of the personal data processing. Instead, the GDPR requires that processors take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of data subjects. Therefore, processors have some discretion to determine their own type of hardware or software and the specific security measures for the processing, as long as they provide a level of security appropriate to the risk and comply with the controller's instructions. Processors may also adhere to approved codes of conduct or certification mechanisms to demonstrate their compliance with the GDPR's security requirements.
The other options listed in the question are not aspects of processing that the GDPR allows processors to determine for themselves. According to the GDPR:
Processors must inform the controller of any intended changes concerning the addition or replacement of other processors, and give the controller the opportunity to object to such changes. Processors must also impose the same data protection obligations on any sub-processors as those agreed with the controller.
Processors must not process the personal data for their own purposes, unless they have a legal basis to do so and inform the data subjects accordingly. Processors must only process the personal data for the purposes determined by the controller, and in accordance with the controller's instructions.
Processors must not use the personal data relating to the controller's customers for their own marketing campaigns, unless they have obtained the consent of the data subjects or have another legitimate interest to do so. Processors must respect the data subjects' rights to object to direct marketing and to withdraw their consent at any time.
GDPR, Articles 4, 28, 29, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42 and 43.
EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, pages 19, 20, 21, 22, 23, 24, 25, 26, 27 and 28.
Which sentence BEST summarizes the concepts of ''fairness,'' ''lawfulness'' and ''transparency'', as expressly required by Article 5 of the GDPR?
SCENARIO
Please use the following to answer the next question:
Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.
The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a
Are the cybersecurity assessors required to sign a data processing agreement with the company in order to comply with the GDPR''
A dynamic Internet Protocol (IP) address is considered persona! data when it is combined with what?
Start-up company MagicAI is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT Team decides to collect data about users' ethnic origin, nationality, and gender.
Which would be the most appropriate legal basis for this processing under the GDPR, Article 9 (Processing of special categories of personal data)?
Article 9 of the GDPR outlines strict conditions for processing special categories of personal data, which includes data revealing racial or ethnic origin. While options B, C, and D might seem relevant, they don't fully align with the core purpose of MagicAI's data collection.
Here's why option A is the most appropriate:
Scientific Research: MagicAI aims to improve the accuracy and fairness of its AI system by understanding how it performs across different ethnicities, nationalities, and genders. This directly ties into scientific research aimed at improving healthcare and reducing bias in medical technology.
It's important to note that even with 'scientific research' as the legal basis, MagicAI must still adhere to strict safeguards, such as:
Data Minimization: Collecting only the data absolutely necessary for the research.
Purpose Limitation: Using the data solely for the defined scientific purpose.
Appropriate Security Measures: Protecting the data against unauthorized access or disclosure.
Ethical Review: Ideally, obtaining ethical approval for the research project.
GDPR Article 9 - Processing of special categories of personal data
GDPR Recital 159 - Conditions for processing special categories of data for scientific research purposes
IAPP CIPP/E textbook, Chapter 2: Key Data Protection Principles (specifically, sections on special categories of data)
- Select Question Types you want
- Set your Desired Pass Percentage
- Allocate Time (Hours : Minutes)
- Create Multiple Practice tests with Limited Questions
- Customer Support
Avery
1 months agoIra
2 months agoJade
2 months agoDesiree
2 months agoVeda
4 months agoShawna
4 months agoLatrice
5 months agoKristian
5 months agoShawna
5 months agoTherese
6 months agoGwenn
6 months agoTerry
6 months agoRikki
7 months agoCatalina
7 months agoRemona
7 months agoGilberto
7 months agoTesha
8 months agoGolda
8 months agoCatarina
8 months agoRuthann
8 months agoLouisa
9 months agoEsteban
9 months agoAhmad
9 months agoFernanda
9 months agoClarence
9 months agoMerissa
10 months agoPhil
10 months agoLinsey
10 months agoAlida
10 months agoWillodean
10 months agoJosephine
11 months agoErinn
11 months agoVeronique
11 months agoWayne
11 months agoJill
11 months agoHector
12 months agoFlorencia
1 years agoRaelene
1 years agoJoesph
1 years agoFidelia
1 years agoHyun
1 years agoMireya
1 years ago