
CIPP/E® Sample Questions

An IAPP Publication
v5.0

About the IAPP CIPP/E Sample Questions

The IAPP CIPP/E Sample Questions are designed to support your preparation for
the CIPP/E certification exam. Developed using IAPP study resources as well as
subject matter experts’ practical knowledge of the topics set forth in the
IAPP’s CIPP/E Body of Knowledge, the sample questions can help identify your
relative strengths and weaknesses in the major domains of the CIPP/E Body of
Knowledge.

All items on the IAPP CIPP/E Sample Questions were reviewed for accuracy at
the time of publication.

The IAPP CIPP/E Sample Questions were developed independently of the CIPP/E
certification exam and are not intended to represent actual CIPP/E certification exam
content.

Your performance on the IAPP CIPP/E Sample Questions is not a predictor of your
performance on the CIPP/E certification exam.

Do you have questions or comments?
Please contact us at training@iapp.org

The CIPP/E Sample Questions and references may not be reproduced in any manner other
than for use by the original purchaser.

CIPP, CIPP/US, CIPP/C, CIPP/E, CIPP/G, CIPM and CIPT are registered trademarks of the
International Association of Privacy Professionals, Inc. registered in the U.S. CIPP, CIPP/E, CIPM
and CIPT are also registered in the EU as Community Trademarks (CTM).

© 2020 by the International Association of Privacy Professionals (IAPP). All rights reserved. No
part of this publication may be reproduced, stored in a retrieval system or transmitted in any
form or by any means, mechanical, photocopying, recording or otherwise, without the prior,
written permission of the publisher, International Association of Privacy Professionals, Pease
International Tradeport, 75 Rochester Ave., Portsmouth, NH 03801 United States of America.

Instructions

1. Remove a copy of the Answer Sheet.

2. To simulate a timed test, set a timer for 60 minutes.

3. Complete the test without referring to the Answer Key or References.

4. Check your answers against the Answer Key.

5. For each correct response, write a ‘1’ in the corresponding domain column of
the Answer Key.

6. Add up the number of correct answers under each domain column.

7. To compare how you did in each domain, calculate your scores as a percent:

a) Divide the number of correct answers by the total number of questions in that
domain
b) Multiply that number by 100

8. Consult the References for detailed explanations of each answer and the
section of the Body of Knowledge to which the question relates.

© 2020 by the International Association of Privacy Professionals (IAPP). All rights reserved.
CIPP/E Sample Questions

1. According to the General Data Protection Regulation (GDPR), when does an
organisation need to take action to legitimise cross-border data transfers of personal
data?

A. When the data is routed through another jurisdiction in or outside the European
Union.
B. When the data is transferred from one jurisdiction in the European Union to
another.
C. When the data is transferred from a jurisdiction outside the European Union to a
member state of the European Union.
D. When the data is transferred from a jurisdiction in the European Union to a third
country which is not deemed adequate.

2. The GDPR and its predecessor, the Data Protection Directive 95/46/EC, were allowed
to be set up as a harmonisation measure for European member states by which of the
following?

A. Lisbon Treaty.
B. Treaty of Rome.
C. Council of Europe Convention.
D. European Convention on Human Rights.

3. Which is an example of direct marketing?

A. An email sent to an individual about an order she has placed for a book.
B. An email sent to an individual promoting a new book which is on sale.
C. A letter addressed to ‘the household’ about a charity bookstore.
D. An advertisement on a website promoting a new book which is on sale.

4. The e-Privacy Directive 2002/58/EC contains which provision?

A. Location data may be freely processed.
B. Unsolicited commercial telephone calls, emails and faxes need opt-out consent.
C. Corporate communication systems must have adequate security.
D. Cookies require prior information and consent.

5. Which statement describes a European best practices approach to the protection of
employment data held by an organisation?

A. Employers should avoid all types of monitoring when collecting employee
information within the workplace.
B. Organisations should seek legal advice from a privacy lawyer before processing
employee data.
C. Employee data should not be processed without expressed, verbal permission by
the employee.
D. Employers should consult with regulatory bodies such as works councils about
proposed data processing activity.

6. When should a controller notify the supervisory authority of a loss of personal
information which is likely to result in harm to an individual?

A. Within 72 hours after having become aware of it.
B. No later than 5 calendar days after the incident is identified.
C. Notice must be provided without unreasonable delay; no later than 30 days; law
enforcement can delay notification.
D. There is no need to notify the supervisory authority of a loss of personal
information.

7. Under what condition is processing ‘sensitive employee data’ acceptable?

A. The processing is necessary to improve the quality of the employer-employee
relationship.
B. The processing is necessary for the data controller to carry out their obligation in
the field of employment law.
C. The processing is necessary for the interest of both the data controller and the
employee.
D. The processing is necessary for the interests pursued by the data controller.

8. Under the GDPR, which term is defined as ‘any freely given, specific, informed and
unambiguous indication of the data subject's wishes by which he or she, by a
statement or by a clear affirmative action, signifies agreement to the processing of
personal data relating to him or her’?

A. Consent.
B. Expressed permission.
C. Lawful agreement.
D. Prior authorisation.

9. Why do Binding Corporate Rules (BCRs) prohibit the transfer of employee names to
telecom providers within the same country in order to provide them with mobile
phone services?

A. Because BCRs only provide adequate safeguards for organisations who move data
outside their corporation.
B. Because BCRs secure transfers to third parties without additional requirements.
C. Because BCRs only deal with intra-organisational transfers and not with transfers to
third parties.
D. Because BCRs require contractual arrangements to legitimise international
transfers of data.

10. Along with the name and contact details of the data controller processing the personal
data, what other information must be included in the records of processing to be
maintained by the data controller under the GDPR?

A. Retention period of each category of personal data, where possible.
B. Reason(s) for processing the personal data.
C. Third countries to which the information may be transferred.
D. All of A, B and C.

11. Which statement is correct concerning the information to be provided when collecting
personal data directly from the data subject?

A. There is one mandated form for such information which sets out all information
requirements.
B. Data controllers are obliged to inform data subjects about the creation of copies of
their personal data for backup reasons.
C. The information needs to detail if the personal data will be passed to another
organisation.
D. An employer is not required to provide such information to its employees
concerning the processing of their employment records.

12. Under the GDPR, would a European company be allowed to use video surveillance to
monitor employee access to inventory?

A. No, under the GDPR this is never allowed.
B. No, video surveillance is too intrusive a solution.
C. Yes, provided that certain conditions have been met.
D. Yes, without any further conditions to be taken into account.

13. Which institution is responsible for ensuring that directives are implemented properly
by the member states?

A. European Court of Justice.
B. European Commission.
C. European Parliament.
D. European Data Protection Supervisor.

14. What is true for a contract based on European Commission (EC) Standard Contractual
Clauses with a processor outside the European Economic Area?

A. For subcontracting, the processor must inform the controller and obtain written
approval.
B. Before the processing starts, the processor must obtain permission from the
European Commission.
C. The data subject must consent to processing by the processor.
D. The processor must provide a compliance statement from its data protection
authority.

15. Which type of data subject is NOT covered by the GDPR?

A. Newborn children.
B. Persons under 18.
C. Persons over 65.
D. Deceased individuals.

Use the following scenario to answer questions 16-18:

Rob, a former employee of the Tea & Biscuits Corporation (a U.S.-based multi-national)
has hand-delivered a letter to the Reception of the Irish Subsidiary, on 1 May. Rob asked
for a copy of all data that Tea & Biscuits Corporation holds about him from the start of his
employment with them over 18 years ago, including all email correspondence about him
from his past three managers, and anyone from the HR Department. Rob has included a
copy of his passport, his old employee identification number, and his current address.

One of Rob's previous managers was made redundant at the same time as Rob; another has
relocated to Tea & Biscuits’ Singapore office. The receptionist was not sure what to do
with the letter, so she sent it via internal mail to the Facilities Manager who was out of
the office on holiday until 5 May. The Facilities Manager sent it to the HR Manager who is
very busy on a new redundancy program. The HR Manager emailed the legal team to ask
what he should do with the letter on 21 May. The local Irish lawyers got back to the HR
Manager on 25 May and suggested that the HR Manager get in touch with Rob immediately
and tell him that his issue has been looked into.

16. What should Tea & Biscuits do before responding to Rob with the information he has
requested?

A. Make sure that no U.S. data protection laws will be violated before sending any
information.
B. Take into account GDPR compliance before sending any information. Then contact
Rob ‘without undue delay’ to clarify any questions about the subject access
request (SAR) and let him know the SAR is being processed.
C. Consult with a security lawyer before sending any information.
D. Wait for advice from the Irish Data Protection Authority before sending any
information.

17. What is the time period within which Tea & Biscuits Corporation needs to respond to
the data subject?

A. Within a month of having received the request.
B. Within six months of having received the request.
C. Without undue delay or within a month of receiving the request.
D. Three months after they have authenticated the identity of the requestor.

18. What should Tea & Biscuits do next to respond to Rob's request for email?

A. Nothing. Email does not need to be provided in response to a subject access
request under the local Irish Data Protection law.
B. The HR Manager should ask employees who still work at Tea & Biscuits if they have
any email correspondence with Rob in their possession.
C. Conduct an email search in accordance with its monitoring policy and inform
affected employees before any disclosures to Rob.
D. HR should provide Rob the information he requested. There are only 5 days left
and no need to get other employees’ consent because the emails are all
work-related, not personal.

(End of scenario questions)

19. The GDPR requires that the data controller notify the supervisory authority of a
personal data breach unless:

A. there is no disclosure of financial account information
B. the number of personal data records affected is under 500
C. the breach is unlikely to result in a risk to the rights and freedoms of natural
persons
D. the controller has already addressed the breach, including mitigation efforts

20. How is an employer obliged to proceed before engaging in the general monitoring of
email traffic and internet use of all its employees?

A. The employer must provide a prior opt-out option.
B. The employer must seek prior legal advice.
C. The employer must provide prior notice.
D. The employer must seek prior verbal consent.

21. Which is NOT a compatible purpose for processing data beyond the purpose originally
specified at the time of collection?

A. performance of a contract
B. transferring data to an archive
C. statistical purposes
D. historical or scientific research

22. Along with legitimacy, what is another condition that must be met when carrying out
employee monitoring?

A. The monitoring must be in the public interest.
B. The monitoring must be limited to what is necessary for the purposes.
C. The monitoring must be under an employment contract.
D. The monitoring must be held to time constraints.

23. Which is an example of cloud computing?

A. software package installed on a laptop
B. a web-based email platform
C. a portable mass storage device
D. a single web server

24. According to the GDPR, the right to data portability applies:

A. when the processing was based on a public interest
B. when processing was originally based on the user’s consent
C. when the processing was done through ‘manual means’
D. when the processing was based on the controller’s legitimate interests

25. A collection of personal data is part of a historical research initiative. Which is the
most accurate statement concerning the obligations imposed by the GDPR?

A. As a Regulation rather than a Directive, the GDPR sets forth binding provisions for
EU member states to follow without discretion.
B. The GDPR provides a framework which member states can choose to use as a basis
for national legislation.
C. As a Regulation rather than a Directive, the GDPR sets forth binding provisions for
EU member states to follow but it leaves them discretion in some areas.
D. The GDPR imposes binding obligations on all EU member states as well as on all
countries deemed ‘adequate’ by the European Commission.

26. Which is the most accurate statement concerning the obligations imposed by the GDPR
regarding notification of data processing activities?

A. Notification is now optional but is recommended in order to foster the
transparency of an organisation's data processing activities.
B. Notification remains mandatory in order to finance the national DPA's operations.
C. Notification is no longer required as the GDPR has switched to an accountability
framework.
D. Notification is only required of processors but not of controllers.

27. According to the GDPR, which is NOT one of the considerations that should be taken
into account to determine the appropriate technical and organisational measures to
ensure a level of data security appropriate to the risk?

A. Costs of implementation.
B. The state of the art.
C. Scope of processing.
D. The size of the organisation.

28. Which is NOT a special category of data?

A. Political affiliation.
B. Health information.
C. Ethnic origin.
D. Social Security number.

29. Which institution has the power to adopt adequacy findings for the European Union?

A. Working Party 29.
B. European Commission.
C. European Data Protection Supervisor.
D. European Court of Justice.

30. Which exemption to the e-Privacy Directive 2002/58/EC allows the data controller to
send electronic marketing information?

A. The recipients are existing customers.
B. The controller is a non-profit organisation.
C. The data subject and controller work in the same industry.
D. The recipient’s email address is taken from a public register.

31. Under the GDPR, organisations that are not established in the EU that monitor
behaviour will be subject to the Regulation when:

A. The equipment being used for monitoring is located in the EU.
B. The behaviour being monitored occurs within the EU.
C. The individual being monitored is a citizen of an EU member state.
D. The individual being monitored is an EU citizen visiting the United States.

32. Big data projects often gather and generate a multitude of data and relations that
lead to additional data derivation opportunities. Which of the following statements is
correct with regard to big data?

A. Big data projects are exempt from the proportionality principle of the GDPR.
B. Big data projects are subject to case-by-case review under the GDPR.
C. Big data projects are subject to the proportionality principle of the GDPR.
D. Big data projects are permitted to retain all data collected prior to the GDPR
taking effect.

33. Under the GDPR, processing must be done in a manner that ensures appropriate
security of personal data, including protection against unauthorised or unlawful
processing and against accidental loss, destruction or damage, using appropriate
technical or organisational measures (‘integrity and confidentiality’). Integrity and
confidentiality can best be achieved:

A. By using cross-functional teams to integrate security approaches.
B. By using legal teams to devise security approaches that address compliance.
C. By using advanced technical approaches to maintain security.
D. By using security experts to devise access restrictions.

34. Under the GDPR, privacy notices relating to services intended for children must be:

A. In a concise, transparent, intelligible, easily accessible form for adults to
understand and explain to the child.
B. In a concise, transparent, intelligible, easily accessible form and in language the
child can understand.
C. In concise legal language comprehensible to a subject matter expert or legal
professional.
D. In the same format as privacy notices intended for adults as children are not
addressed separately under the GDPR.

35. If a third-country data controller or processor does not wish to comply with the
Supervisory Authority decision, then under the GDPR, the supervisory authority has the
power:

A. to waive its decision as its powers are limited to the EU and its member states
B. to carry out its actions outside the EU without the target country’s consent
C. to force the data controller or processor to relocate to an EU member state
D. to order the suspension of data flows to a recipient in the third country

(end of sample questions)

References

1. The correct answer is D. Body of Knowledge Domain II(I): European Data Protection Law
and Regulation (International Data Transfers)
An organisation needs to take action to legitimise cross-border data transfers when the
data is transferred from a jurisdiction in the EU to a third country which is not deemed
adequate. In the absence of a decision pursuant to Article 45(3), a controller or processor
may transfer personal data to a third country or an international organisation only if the
controller or processor has provided appropriate safeguards, and on condition that
enforceable data subject rights and effective legal remedies for data subjects are
available. See GDPR, Article 46.

2. The correct answer is B. Body of Knowledge Domain I(A): Introduction to European Data
Protection (Origins and Historical Context of Data Protection Law)
The Treaty of Rome allowed the Data Protection Directive to be set up as a harmonisation
measure. As the successor, the GDPR continues to promote economic activities between
EU member countries and freedom of movement for citizens within its economic areas.
GDPR Article 1(3) provides that, ‘the free movement of personal data within the European
Union shall be neither restricted nor prohibited for reasons connected with the protection
of natural persons with regard to the processing of personal data’. The GDPR is the legal
framework that harmonises data protection processes and practices among member states
while providing adequate protection of personal data to citizens. This supports the Treaty
of Rome’s effort to abolish obstacles to the free movements of goods, persons, and
services.

3. The correct answer is B. Body of Knowledge Domain III(C): Compliance with European
Data Protection Law and Regulation (Direct Marketing)
An email sent to an individual promoting a new book which is on sale is an example of
direct marketing. The term ‘direct marketing’ refers specifically to the communication,
by whatever means, of any advertising or marketing material directed to particular
individuals. This means that data protection laws apply to the sending of marketing
messages only where individuals’ personal data is processed in order to communicate the
marketing message to them. Marketing that does not entail processing of any personal
data and is therefore not directed at individuals (for example, untargeted website banner
advertisements), is not subject to data protection compliance. In addition, messages that
are purely service-related in nature (messages sent to individuals to inform them, for
example, about the status of an order they have placed) do not generally constitute direct
marketing. The GDPR does, however, provide the data subject the right to object to
processing for the purposes of direct marketing. See GDPR Recitals 47 and 70, GDPR
Article 21, and Article 29 Working Party Opinion 5/2004.

4. The correct answer is D. Body of Knowledge Domain I(C): Introduction to European Data
Protection (Legislative Framework)
The e-Privacy Directive contains a provision requiring prior information about and consent
for cookies. Its main focus is personal data protection in communications and on the
internet. It is not a regulation. Rather, the e-Privacy Directive depends on the Privacy and
Electronic Communications Regulation (PECR) for implementation. It also relies on the
GDPR for overarching direction or rules and then applies these rules to specific
communications and internet concerns according to the definition of that concern in each
member state. e-Privacy has been undergoing reviews as there’s a need to harmonise or
standardise e-Privacy so that member states can rely on one interpretation. The GDPR
requires prior informed consent to the use of cookies and provides that a data subject’s
consent must be an affirmative action. Article 4(4) defines cookies and profiling as any
form of automated processing of personal data involving the evaluation of a person’s
performance, interests, preferences, behaviour, etc. Online identifiers are referenced in
Recital 30.

5. The correct answer is D. Body of Knowledge Domain III(A): Compliance with European
Data Protection Law and Regulation (Employment Relationship)
In dealing with employees’ personal data, employers should always consider any
obligations under local employment law that applies to the situation. For example, there
may be a requirement to consult with the various national works councils. Consultation is
often required in those jurisdictions where employee rights law is strong and in situations
where the collection of data impacts an employee’s privacy. Works councils are bodies
that represent employees and have certain rights under local law that affect the use of
employee data by employers. Generally, works councils are more active in certain
jurisdictions, such as France, Germany and Italy. The UK, by contrast, does not have
works councils and UK trade unions do not usually have any influence on how employers
use employee data. See Directive 2009/38/EC of the European Parliament and of the
Council of 6 May 2009 on the establishment of a European Works Council or a procedure in
Community-scale undertakings and Community-scale groups of undertakings for the
purposes of informing and consulting employees.

6. The correct answer is A. Body of Knowledge Domain II(K): European Data Protection Law
and Regulation (Consequences for GDPR Violations)
In the case of a personal data breach, the controller shall without undue delay and, where
feasible, not later than 72 hours after having become aware of it, notify the personal data
breach to the supervisory authority competent in accordance with Article 55, unless the
personal data breach is unlikely to result in a risk to the rights and freedoms of natural
persons. Where the notification to the supervisory authority is not made within 72 hours,
it shall be accompanied by reasons for the delay. See GDPR, Article 33.

7. The correct answer is B. Body of Knowledge Domain III(A): Compliance with European
Data Protection Law and Regulation (Employment Relationship)
GDPR Article 9(2)(b) provides that processing of sensitive employee data is acceptable
when the condition of ‘processing is necessary for the purposes of carrying out the
obligations and exercising specific rights of the controller’. The GDPR allows the
processing of ‘sensitive employee data’ if the controller has ‘explicit’ consent from the
data subject, and the business obligations of the controller are justifiable reasons to
process sensitive information. It is also acceptable if the ‘data subject has given explicit
consent to the processing of those personal data for one or more specified purposes’.

8. The correct answer is A. Body of Knowledge Domain II(D): European Data Protection Law
and Regulation (Lawful Processing Criteria)
Consent means any freely given, specific, informed and unambiguous indication of data
subject’s wishes by which he signifies his agreement to personal data relating to him
being processed. The GDPR Article 9(2) requires ‘explicit consent’ for sensitive personal
data. Article 6(1) requires consent for nonsensitive data. The GDPR also provides that the
agreement must be affirmative as explained in Recital 32.

9. The correct answer is C. Body of Knowledge Domain II(I): European Data Protection Law
and Regulation (International Data Transfers)
Binding Corporate Rules (BCRs) would not provide a basis to transfer names of employees
to a telecom provider in the same country in order to provide them with mobile phone
services because BCRs only deal with intra-organisational transfers and not with transfers
to third parties. BCRs are specifically designed to provide for adequate safeguards within
multinational corporations who move data within their corporation. See GDPR, Recital 110
and Articles 4(20) and 47.

10. The correct answer is D. Body of Knowledge Domain II(H): European Data Protection Law
and Regulation (Accountability Requirements)
Article 30 (Records of processing) of the GDPR requires that a data controller shall
maintain a record of the following relating to its processing activities:

(a) the name and contact details of the controller and, where applicable, the joint
controller, the controller's representative and the data protection officer;

(b) the purposes of the processing;

(c) a description of the categories of data subjects and of the categories of personal
data;

(d) the categories of recipients to whom the personal data have been or will be
disclosed including recipients in third countries or international organisations;

(e) where applicable, transfers of personal data to a third country or an
international organisation, including the identification of that third country or
international organisation and, in the case of transfers referred to in the second
subparagraph of Article 49(1), the documentation of suitable safeguards;

(f) where possible, the envisaged time limits for erasure of the different
categories of data;

(g) where possible, a general description of the technical and organisational security
measures.

11. The correct answer is C. Body of Knowledge Domain II(F and H): European Data Protection
Law and Regulation (Data Subject Rights; Accountability Requirements)
Information that must be provided to a data subject upon direct collection of their data
(among other things) are details if the personal data will be passed to another
organisation, the information of the recipients of the personal data, or the categories of
recipients. See GDPR, Article 13.

12. The correct answer is C. Body of Knowledge Domain III(A): Compliance with European
Data Protection Law and Regulation (Employment Relationship)
Certain conditions must be met for a European company to use video surveillance to
monitor employee access to inventory. Although the GDPR makes no specific reference to
surveillance, the use of video in the employment context amounts to the processing of
personal data and so the GDPR will apply. The data controller will be required to carry out
a balancing exercise to ensure that the surveillance is proportionate (see GDPR, Article 4)
and that the processing is lawful (see GDPR, Article 6(1)) and any derogations to member
states. See GDPR, Article 88.

13. The correct answer is B. Body of Knowledge Domain I(B): Introduction to European Data
Protection (European Union Institutions)
The European Commission is responsible for ensuring member state implementation. The
Commission not only acts as the executive body and influences the legislative function but
also acts as a guardian of the treaties by monitoring compliance of the other institutions,
member states, and ‘natural and legal persons’. To fulfil this task, Articles 226 and 228 of
the EC Treaty grant the Commission the power to take legal and administrative action,
including the power to impose a fine against a member state that has failed to comply
with the law. Articles 230 and 232 provide the necessary supervisory powers over the
other institutions. Article 1(18) of the Lisbon Treaty states that the Commission shall
ensure the application of the Treaties, and of measures adopted by the institutions
pursuant to them. It shall oversee the application of Union law under the control of the
Court of Justice of the European Union.

14. The correct answer is A. Body of Knowledge Domain II(H): European Data Protection Law
and Regulation (Accountability Requirements)
When using contracts based on EC Standard Contractual Clauses, before subcontracting,
the processor must inform the controller and obtain written approval. Article 28(2) of the
GDPR states that a processor shall not engage another processor without prior specific or
general written authorisation of the controller. This is reinforced in the subprocessing
clause of the Standard Contractual Clauses where it clearly obliges the processor to obtain
prior written consent for the use of a subprocessor.

15. The correct answer is D. Body of Knowledge Domain II(A): European Data Protection Law
and Regulation (Data Protection Concepts)
Deceased individuals’ personal data are not covered by the GDPR. Member states,
however, ‘… may provide for rules regarding the processing of personal data of deceased
persons’. Article 1 of the GDPR establishes the scope of the regulation as ‘… relating to
the protection of natural persons with regard to the processing of personal data …’ GDPR,
Article 1; GDPR, Recital 27.

16. The correct answer is B. Body of Knowledge Domain II(F): European Data Protection Law
and Regulation (Data Subjects’ Rights)
Under the GDPR, Tea & Biscuits has just 30 days to complete Rob’s SAR, but in this
scenario they have wasted many days and now have only 5 days left both to let Rob know
they are processing his SAR and to deliver the response. There are benefits to contacting
the requestor early, such as:

(a) Contacting Rob quickly would help define what information Rob really needs, with
specifics that may help narrow his request to a less complex volume.

(b) It would provide an understanding between the parties about the particular
information being requested, so that the level of effort needed to meet Rob’s
request can be determined early and relayed to Rob right away or within the same
month as required; if necessary, Tea & Biscuits could then request an extension.

(c) It would inform Rob that the process has begun and identify the steps that Tea &
Biscuits is taking. This will help avoid a situation where Rob files a complaint. See
GDPR, Recital 63; GDPR, Article 15.

17. The correct answer is C. Body of Knowledge Domain II(F): European Data Protection Law
and Regulation (Data Subjects’ Rights)
Article 12(3) of the GDPR requires that the controller (here, the employer) respond without
undue delay and at the latest within one month. Tea & Biscuits is required to respond to Rob’s
request as soon as possible and at the latest within one month of receipt of his request. The
first response is to let him know the SAR is being processed. The second response should be
the completed SAR. The GDPR allows Tea & Biscuits to request an extension of up to two
months to complete the SAR, but only if Rob is making multiple requests or his request is
complex in nature. In this case, whether gathering 18 years of Rob’s email records is
complicated depends on the company’s justification. Tea & Biscuits would have to provide
Rob an explanation as to why his request requires an extension. See GDPR, Recital 59; GDPR,
Article 12(3)-(4).

18. The correct answer is C. Body of Knowledge Domain II(F): European Data Protection Law
and Regulation (Data Subjects’ Rights)
Tea & Biscuits should carry out an email search and inform affected employees before any
disclosure of emails to Rob. Article 4(3) of the GDPR states that the data subject has the
right to obtain a copy of his personal information being processed. Article 4(4) states that
the right to obtain a copy referred to in paragraph 3 ‘shall not adversely affect the rights
and freedoms of others’. Where the processing activity changes, there may be a
requirement to seek new consents from all the affected individuals, since the previously
given consent does not cover the new processing. Tea & Biscuits should take into account
that obtaining other data subjects’ consent may require additional time. The GDPR allows
companies only 30 days to complete a SAR. The GDPR does not specifically prescribe how
third-party individuals’ consent should be obtained. Rather, the employer has to make the
judgement on a case-by-case basis, depending on the SAR made and the risks associated
with a breach of confidentiality in fulfilling such a request. The needs of the requester
should be balanced against the employer’s confidentiality obligation to the third-party
individual(s) in the emails. Tea & Biscuits should also be prepared to provide Rob the
supplemental disclosures required by the GDPR along with the email records he will be
provided. See GDPR, Article 15(1).

19. The correct answer is C. Body of Knowledge Domain II(G): European Data Protection Law
and Regulation (Security of Personal Data)
Article 33(1) of the GDPR provides a key exception to the requirement of the data
controller to notify the supervisory authority of a personal data breach. Notice is not
required if ‘the personal data breach is unlikely to result in a risk to the rights and
freedoms of natural persons’. If notification is required, the notification must ‘at least’
describe the nature of the personal data breach, including the number and categories of
the data subjects and personal data records affected; provide the data protection
officer’s contact information, ‘describe the likely consequences of the personal data
breach’; and describe how the controller proposes to address the breach, including any
mitigation efforts. See GDPR, Article 33(1).

20. The correct answer is C. Body of Knowledge Domain III(B): Compliance with European
Data Protection Law and Regulation (Surveillance Activities)
As required by the notice requirement under the General Data Protection Regulation,
employers must provide employees with sufficient notice and information about the
monitoring activity. This transparency is important not only to meet the notice
requirement but also to set employees’ expectations about how their time at work will be
monitored. Setting expectations is central to ensuring that monitoring is lawful. If
employees have been notified in advance of the standards expected in the workplace
concerning their use of employer equipment and that this use will be monitored, then
employees have less scope to argue in the future that they were unaware their activity
was contrary to the standards and was being monitored. In the past, the requirement to
inform employees in advance about monitoring has been crucial to how courts see this
issue. If an employer fails to notify employees that their activity will be monitored, that
employer could lose an action against a rogue employee whose behaviour was caught only
through monitoring. Consent is generally not required for workplace monitoring, but
certain EU member states may require consent, and some collective agreements may
require the employer to obtain the consent of the works council before commencing
monitoring. GDPR, Article 11, Article 88; Working document on the surveillance of
electronic communications in the workplace, Article 29 Working Party: WP 55 (29.5.2002).

21. The correct answer is A. Body of Knowledge Domain II(D): European Data Protection Law
and Regulation (Lawful Processing Activities)
Performance of a contract is not a compatible purpose for processing data beyond the
purpose originally specified at the time of collection. The GDPR does allow for further
processing of data for ‘archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes, in accordance with Article 89(1)’ as compatible
with initial purposes. See GDPR, Article 5(1); Article 89(1).

22. The correct answer is B. Body of Knowledge Domain III(B): Compliance with European
Data Protection Law and Regulation (Surveillance Activities)

Employee monitoring must be limited to what is necessary for the purposes, be done
lawfully, and should follow the principles relating to the processing of personal data as
outlined in the GDPR, Article 5. An employer must consider whether the proposed
monitoring is proportionate to the employer’s concern. The wholesale monitoring of all
employee emails to ensure that employees are not passing on confidential information
about the employer would be disproportionate. However, wholesale monitoring of emails
may be proportionate to ensure the security of the employer’s IT systems where such
monitoring is carried out using technical means that detect weaknesses in the system. See
GDPR, Article 5(1).

23. The correct answer is B. Body of Knowledge Domain III(D): Compliance with European
Data Protection Law and Regulation (Internet Technology and Communications)
A web-based email platform is an example of cloud computing. ‘Cloud computing’ refers
to the provision of IT services over the internet. In cloud computing, data is stored,
managed and/or processed on a network of remote servers over the internet. See the
European Data Protection Supervisor’s Q&A on cloud computing at
https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/Dataprotection/QA/QA10.

24. The correct answer is B. Body of Knowledge Domain II(F): European Data Protection Law
and Regulation (Data Subject Rights)
The right to data portability applies when the data processing is based on the user’s
consent or on a contract and the processing is carried out by automated means. It does not
apply to ‘processing necessary for the performance of a task carried out in the public
interest or in the exercise of official authority vested in the controller’. See GDPR,
Article 20.

25. The correct answer is C. Body of Knowledge Domain I(C): Introduction to European Data
Protection (Legislative Framework)
As a regulation rather than a directive, the GDPR applies directly in the member states as
national law, without the need for local implementing acts. However, in some key areas,
including historical research, the GDPR leaves the member states room to implement
further rules or to deviate from the GDPR. In fact, about 50 provisions in the GDPR allow
for local law clarification or exception. See Recital 156.

26. The correct answer is C. Body of Knowledge Domain II(H): European Data Protection Law
and Regulation (Accountability Requirements)
The GDPR has abolished the need to notify the DPAs of personal data processing activities,
given the shift to an accountability framework that includes the appointment of DPOs and
the maintenance of a register of data processing activities. See GDPR, Articles 30 and 37.

27. The correct answer is D. Body of Knowledge Domain II(G): European Data Protection Law
and Regulation (Security of Personal Data)
The size of the organisation is not one of the considerations to be taken into account in
determining the appropriate technical and organisational measures to ensure a level of
data security appropriate to the risk. Article 32 of the GDPR, which focuses on the
security of processing, provides that ‘the state of the art, the costs of implementation
and the nature, scope, context and purposes of processing as well as the risk of varying
likelihood and severity for the rights and freedoms of natural persons’ be taken into
account so that ‘the controller and the processor shall implement appropriate technical
and organisational measures to ensure a level of security appropriate to the risk …’. The
article continues by identifying appropriate measures that can be employed. Though the
size of the organisation may affect the costs of implementation, it is not, by itself, a
determining factor.

28. The correct answer is D. Body of Knowledge Domain II(A): European Data Protection Law
and Regulation (Data Protection Concepts)
Social Security numbers are not considered a special category of data under the GDPR.
Article 9 of the GDPR defines special categories of personal data to include: racial or
ethnic origin, political opinions, religious or philosophical beliefs, trade-union
membership, the processing of genetic or biometric data for uniquely identifying a person,
and the processing of data concerning health, sex life or sexual orientation.

29. The correct answer is B. Body of Knowledge Domain I(A): Introduction to European Data
Protection (Origins and Historical Context of Data Protection Law)
The European Commission has the power to adopt adequacy findings. Article 45 of the
GDPR specifically states that the Commission may find, in accordance with the elements
of Article 45, that a third country ensures an adequate level of protection within the
meaning of this Article, by reason of its domestic law or of the international commitments
it has entered into, and the existence of an independent supervisory authority, for the
protection of the private lives and basic freedoms and rights of individuals. Unlike the
Directive, the GDPR gives the Commission the power to revoke a finding of adequacy; it
also gives the newly formed European Data Protection Board advisory powers related to
adequacy decisions.

30. The correct answer is A. Body of Knowledge Domain III(C): Compliance with European
Data Protection Law and Regulation (Direct Marketing)
Under the e-Privacy Directive, data controllers may send electronic marketing information
to existing customers. Article 13(2) of the e-Privacy Directive states that when a person or
business obtains from its customers their electronic contact details for electronic mail, in
the context of the sale of a product or a service, the same entity may use these electronic
contact details for direct marketing of its own similar products or services provided that
customers clearly and distinctly are given the opportunity to object, free of charge and in
an easy manner, to such use of electronic contact details when they are collected and on
the occasion of each message in case the customer has not initially refused such use. See
also European Privacy, p. 42; e-Privacy Directive, Article 13(2).

31. The correct answer is B. Body of Knowledge Domain II(B): European Data Protection Law
and Regulation (International Data Transfers)
Under the GDPR, non-EU organisations that monitor the behaviour of EU individuals will also
be subject to the Regulation, provided that the behaviour being monitored occurs within
the EU. Some examples of monitoring provided by the European Data Protection Board
include: tracking individuals online to create profiles, behavioural advertising, geolocation
tracking, online tracking through cookies, and CCTV. See GDPR, Article 3(2).

32. The correct answer is C. Body of Knowledge Domain II(C): European Data Protection Law
and Regulation (Data Processing Principles)
The proportionality principle is based on necessity. Data should be processed only as
necessary and should be proportionate to the specific processing needs. The Article 29
Working Party stated that all data protection principles, including data minimisation,
apply to big data projects, despite the challenges that will arise. Article 5(1)(c) of the
GDPR states data collected must be ‘adequate, relevant and limited to what is necessary
in relation to the purposes for which they are processed (“data minimisation”)’.

33. The correct answer is A. Body of Knowledge Domain II(C): European Data Protection Law
and Regulation (Data Processing Principles)
Article 5(1)(f) of the GDPR sets forth the principles of integrity and confidentiality. Having
a cross-functional team is standard practice to create effective and compliant information
security strategies and policies.

34. The correct answer is B. Body of Knowledge Domain II(E): European Data Protection Law
and Regulation (Information Provision Obligations)
Under GDPR Article 12(1), the privacy notice should be conveyed in a concise, transparent,
intelligible and easily accessible form, using clear and plain language, in particular for any
information addressed specifically to a child. The Regulation is clear that to process
children’s data under the legal basis of consent, not only does the language of the privacy
notice have to comply, but the consent must come from the ‘holder of parental
responsibility over the child’.

35. The correct answer is D. Body of Knowledge Domain II(J): European Data Protection Law
and Regulation (Supervision and Enforcement)
Under GDPR Article 58(2)(j), each supervisory authority shall have the power to order the
suspension of data flows to a recipient in a third country or to an international
organisation.

Answer Sheet

 1  A B C D     2  A B C D     3  A B C D     4  A B C D
 5  A B C D     6  A B C D     7  A B C D     8  A B C D
 9  A B C D    10  A B C D    11  A B C D    12  A B C D
13  A B C D    14  A B C D    15  A B C D    16  A B C D
17  A B C D    18  A B C D    19  A B C D    20  A B C D
21  A B C D    22  A B C D    23  A B C D    24  A B C D
25  A B C D    26  A B C D    27  A B C D    28  A B C D
29  A B C D    30  A B C D    31  A B C D    32  A B C D
33  A B C D    34  A B C D    35  A B C D

This page may be reproduced.

Answer Key

Item Number   Correct Answer
 1            D
 2            B
 3            B
 4            D
 5            D
 6            A
 7            B
 8            A
 9            C
10            D
11            C
12            C
13            B
14            A
15            D
16            B
17            C
18            C
19            C
20            C
21            A
22            B
23            B
24            B
25            C
26            C
27            D
28            D
29            B
30            A
31            B
32            C
33            A
34            B
35            D

SUMMARY
Introduction to European Data Protection: ___ of 5 correct
European Data Protection Law and Regulation: ___ of 22 correct
Compliance with European Data Protection Law and Regulation: ___ of 8 correct

PERCENTAGE: (# correct / # total) x 100

This page may be reproduced.
