CIPP-E Exam Questions

What are the obligations of a processor that engages a sub-processor?

What must be included in a written agreement between the controller and processor in relation to processing conducted on the controller's behalf?

To provide evidence of GDPR compliance, a company performs an internal audit. As a result, it finds a data base, password-protected, listing all the social network followers of the...

There are three domains of security covered by Article 32 of the GDPR that apply to both the controller and the processor. These include all of the following EXCEPT?

In the event of a data breach, which type of information are data controllers NOT required to provide to either the supervisory authorities or the data subjects?

In which case would a controller who has undertaken a DPIA most likely need to consult with a supervisory authority?

According to the GDPR, what is the main task of a Data Protection Officer (DPO)?

In which of the following cases, cited as an example by a WP29 guidance, would conducting a single data protection impact assessment to address multiple processing operations be al...

Under Article 30 of the GDPR, controllers are required to keep records of all of the following EXCEPT?

In which scenario is a Controller most likely required to undertake a Data Protection Impact Assessment?

Which of the following demonstrates compliance with the accountability principle found in Article 5, Section 2 of the GDPR?

SCENARIO Please use the following to answer the next question: Dynaroux Fashion (`Dynaroux') is a successful international online clothing retailer that employs approximately 650 p...

Which mechanism, new to the GDPR, now allows for the possibility of personal data transfers to third countries under Article 42?

Which sentence best describes proper compliance for an international organization using Binding Corporate Rules (BCRs) as a controller or processor?

With respect to international transfers of personal data, the European Data Protection Board (EDPB) confirmed that derogations may be relied upon under what condition?

SCENARIO Please use the following to answer the next question: T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan citi...

SCENARIO Please use the following to answer the next question: T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan citi...

SCENARIO Please use the following to answer the next question: T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan citi...

Which of the following is one of the supervisory authority's investigative powers?

Many businesses print their employees' photographs on building passes, so that employees can be identified by security staff. This is notwithstanding the fact that facial images po...

A worker in a European Union (EU) member state has ceased his employment with a company. What should the employer most likely do in regard to the worker's personal data?

Which of the following is NOT a role of works councils?

Under the Data Protection Law Enforcement Directive of the EU, a government can carry out covert investigations involving personal data, as long it is set forth by law and constitu...

Which GDPR requirement will present the most significant challenges for organizations with Bring Your Own Device (BYOD) programs?

A company in France suffers a robbery over the weekend owing to a faulty alarm system. When it is determined that the break-in involves the loss of a substantial amount of data, th...

Which of the following is an example of direct marketing that would be subject to European data protection laws?

Article 9 of the GDPR lists exceptions to the general prohibition against processing biometric data. Which of the following is NOT one of these exceptions?

Which marketing-related activity is least likely to be covered by the provisions of Privacy and Electronic Communications Regulations (Directive 2002/58/EC)?

Which of the following is NOT recognized as being a common characteristic of cloud-computing services?

When may browser settings be relied upon for the lawful application of cookies?

SCENARIO Please use the following to answer the next question: The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its websit...

SCENARIO Please use the following to answer the next question: The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its websit...

SCENARIO Please use the following to answer the next question: The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its websit...

SCENARIO Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and call...

SCENARIO Please use the following to answer the next question: Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady's busi...

SCENARIO Please use the following to answer the next question: Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady's busi...

SCENARIO Please use the following to answer the next question: Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady's busi...

SCENARIO Please use the following to answer the next question: TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new mana...

SCENARIO Please use the following to answer the next question: Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquarte...

SCENARIO Please use the following to answer the next question: Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquarte...

SCENARIO Please use the following to answer the next question: Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquarte...

SCENARIO Please use the following to answer the next question: Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquarte...

SCENARIO Please use the following to answer the next question: WonderkKids provides an online booking service for childcare. Wonderkids is based in France, but hosts its website th...

SCENARIO Please use the following to answer the next question: WonderkKids provides an online booking service for childcare. Wonderkids is based in France, but hosts its website th...

Please use the following to answer the next question: WonderkKids provides an online booking service for childcare. Wonderkids is based in France, but hosts its website through a c...

An organization conducts body temperature checks as a part of COVID-19 monitoring. Body temperature is measured manually and is not followed by registration, documentation or other...

When assessing the level of risk created by a data breach, which of the following would NOT have to be taken into consideration?

Under Article 80(1) of the GDPR, individuals can elect to be represented by not-for-profit organizations in a privacy group litigation or class action. These organizations are comm...

SCENARIO Please use the following to answer the next question: BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The...

SCENARIO Please use the following to answer the next question: BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The...