CIPP/E Sample Questions

An IAPP Publication
V6.0
About the IAPP CIPP/E Sample Questions

The IAPP CIPP/E Sample Questions are designed to support your preparation for
the CIPP/E certification exam. Developed using IAPP study resources as well as
subject matter experts’ practical knowledge of the topics set forth in the
IAPP’s CIPP/E Body of Knowledge, the sample questions can help identify your
relative strengths and weaknesses in the major domains of the CIPP/E Body of
Knowledge.

All items on the IAPP CIPP/E Sample Questions were reviewed for accuracy at
the time of publication.

The IAPP CIPP/E Sample Questions were developed independently of the CIPP/E
certification exam and are not intended to represent actual CIPP/E certification
exam content.

Your performance on the IAPP CIPP/E Sample Questions is not a predictor of your
performance on the CIPP/E certification exam.

Do you have questions or comments? Please contact us at training@iapp.org

The CIPP/E Sample Questions and references are for the use of the
original purchaser only and may not be reproduced in any manner.

CIPP, CIPP/US, CIPP/C, CIPP/E, CIPP/G, CIPM and CIPT are registered trademarks of the
International Association of Privacy Professionals, Inc. registered in the U.S. CIPP, CIPP/E, CIPM
and CIPT are also registered in the EU as Community Trademarks (CTM).

© 2021 by the International Association of Privacy Professionals (IAPP). All rights reserved. No
part of this publication may be reproduced, stored in a retrieval system or transmitted in any
form or by any means, mechanical, photocopying, recording or otherwise, without the prior,
written permission of the publisher, International Association of Privacy Professionals, Pease
International Tradeport, 75 Rochester Ave., Portsmouth, NH 03801 United States of America.
Instructions

1. Remove a copy of the Answer Sheet.

2. To simulate a timed test, set a timer for 40 minutes.

3. Complete the test without referring to the Answer Key or References.

4. Check your answers against the Answer Key.

5. For each correct response, write a ‘1’ in the corresponding domain column of
the Answer Key.

6. Add up the number of correct answers under each domain column.

7. To compare how you did in each domain, calculate your scores as a percent:

a) Divide the number of correct answers by the total number of questions in that domain
b) Multiply that number by 100

8. Consult the References for detailed explanations of each answer and the
section of the Body of Knowledge to which the question relates.

© 2021 by the International Association of Privacy Professionals (IAPP). All rights reserved.
CIPP/E Sample Questions

1. According to the General Data Protection Regulation (GDPR), when does an
organisation need to take action to legitimise cross-border data transfers of personal
data?

A. When the data is routed through another jurisdiction, whether the other
jurisdiction is in or outside the European Union.
B. When the data is transferred from one jurisdiction within the European Union to
another jurisdiction within the European Union.
C. When the data is transferred from a jurisdiction outside the European Union to a
member state of the European Union.
D. When the data is transferred from a jurisdiction in the European Union to a third
country which is not deemed adequate.

2. Which is an example of direct marketing?

A. An email sent to an individual about an order she has placed for a book.
B. An email sent to an individual promoting a new book which is on sale.
C. A letter addressed to ‘the household’ about a charity bookstore.
D. An advertisement on a website promoting a new book which is on sale.

3. When should a controller notify the supervisory authority of a loss of personal
information which is likely to result in harm to an individual?

A. Within 72 hours after the controller becomes aware of it.
B. No later than 5 calendar days after the incident is identified.
C. Without unreasonable delay but no later than 30 days.
D. Notification to the supervisory authority is not required.

4. Under what condition is processing ‘sensitive employee data’ acceptable?

A. The processing is necessary to improve the quality of the employer-employee
relationship.
B. The processing is necessary for the data controller to carry out their obligation in
the field of employment law.
C. The processing is necessary for the interest of both the data controller and the
employee.
D. The processing is necessary for the interests pursued by the data controller.

5. Why do binding corporate rules (BCRs) prohibit the transfer of employee names to
telecom providers within the same country in order to provide them with mobile
phone services?

A. Because BCRs only provide adequate safeguards for organisations who move data
outside their corporation.
B. Because BCRs secure transfers to third parties without needing to fulfil additional
requirements.
C. Because BCRs only deal with intra-organisational transfers and not with transfers to
third parties.
D. Because BCRs require contractual arrangements to legitimize international
transfers of data.

6. Under the GDPR, would a European company be allowed to use video surveillance to
monitor employee access to inventory?

A. No, under the GDPR, using video surveillance is never allowed.
B. No, video surveillance is too intrusive a solution for inventory access.
C. Yes, provided that the company complies with specific conditions.
D. Yes, without any further conditions to be taken into account.

7. Which institution is responsible for ensuring that directives are implemented properly
by the member states?

A. European Court of Justice.
B. European Commission.
C. European Parliament.
D. European Data Protection Supervisor.

8. What is true for a contract based on European Commission standard contractual
clauses with a processor outside the European Economic Area?

A. For subcontracting, the processor must inform the controller and obtain written
approval.
B. Before the processing starts, the processor must obtain permission from the
European Commission.
C. The data subject must consent to processing by a processor located outside of the
European Economic Area.
D. The processor must provide a compliance statement from its data protection
authority.

SCENARIO
Use the following to answer questions 9-11:

Rob, a former employee of the Tea & Biscuits Corporation (a U.S.-based multi-national),
has hand-delivered a letter to the Reception of the Irish Subsidiary on May 1. Rob asked
for a copy of all data that Tea & Biscuits Corporation holds about him from the start of his
employment with them over 18 years ago, including all email correspondence about him
from his past three managers, and anyone from the HR Department. Rob has included a
copy of his passport, his old employee identification number, and his current address.

One of Rob's previous managers was made redundant at the same time as Rob; another has
relocated to Tea & Biscuits’ Singapore office. The receptionist was not sure what to do
with the letter, so she sent it via internal mail to the facilities manager who was out of
the office on holiday until May 5. The facilities manager sent it to the HR manager who is
very busy on a new redundancy program. The HR manager emailed the legal team to ask
what he should do with the letter on May 21. The local Irish lawyers got back to the HR
manager on May 25 and suggested that the HR manager get in touch with Rob immediately
and tell him that his issue has been looked into.

9. What should Tea & Biscuits do before responding to Rob with the information he has
requested?

A. Meet with the legal department to ensure that no U.S. data protection laws will be
violated before sending any information.
B. After accounting for GDPR compliance, contact Rob ‘without undue delay’ to
clarify any questions about his request.
C. Consult with a security lawyer before sending any information to determine the
most secure way to fulfil the request.
D. Wait for advice from the Irish Data Protection Authority before sending any
information.

10. What is the time period within which Tea & Biscuits Corporation needs to respond to
the data subject?

A. Within a month of having received the request.
B. Within six months of having received the request.
C. Without undue delay or within a month of receiving the request.
D. Three months after they authenticate the identity of the requestor.

11. What should Tea & Biscuits do next to respond to Rob's request for email?

A. Nothing. Email does not need to be provided in response to a subject access
request under the local Irish Data Protection law.
B. The HR manager should ask employees who still work at Tea & Biscuits if they have
any email correspondence with Rob in their possession.
C. Conduct an email search in accordance with its monitoring policy and inform
affected employees before any disclosures to Rob.
D. HR should provide Rob the information he requested. There is no need to get other
employees’ consent because the emails are all work related.

(End of scenario questions)

12. Which is NOT a compatible purpose for processing data beyond the purpose originally
specified at the time of collection?

A. Performance of a contract.
B. Transferring data to an archive.
C. Statistical purposes.
D. Historical or scientific research.

13. Along with legitimacy, what is another condition that must be met when carrying out
employee monitoring?

A. The monitoring must be in the public interest at the time of collection.
B. The monitoring must be done during agreed-upon time constraints.
C. The monitoring must be performed under an employment contract.
D. The monitoring must be limited to what is necessary for the purposes.

14. Which is an example of cloud computing?

A. A software package installed on a laptop.
B. A web-based email platform.
C. A portable mass storage device.
D. A single web server.

15. According to the GDPR, the right to data portability applies:

A. When processing was originally based on the user’s consent.
B. When the processing was based on a public interest.
C. When the processing was done through ‘manual means’.
D. When the processing was based on the controller’s legitimate interests.

16. A collection is part of a historical research initiative. Which is the most accurate
statement concerning the obligations imposed by the GDPR?

A. As a regulation rather than a directive, the GDPR sets forth binding provisions for
EU member states to follow without discretion.
B. The GDPR provides a framework which member states can choose to use as a basis
for national legislation.
C. As a regulation rather than a directive, the GDPR sets forth binding provisions for
EU member states to follow but it leaves them discretion in some areas.
D. The GDPR imposes binding obligations on all EU member states as well as on all
countries deemed ‘adequate’ by the European Commission.

17. Which is the most accurate statement concerning the obligations imposed by the GDPR
regarding notification of data processing activities?

A. Notification is now optional but is recommended to foster the transparency of data
processing activities.
B. Notification remains mandatory to finance the national data protection authority’s
operations.
C. Notification is no longer required as the GDPR has switched to an accountability
framework.
D. Notification is required of all processors but is not required of controllers.

18. Which, according to the GDPR, is NOT one of the considerations that should be taken
into account to determine the appropriate technical and organisational measures to
ensure a level of data security appropriate to the risk?

A. Costs of implementation.
B. The state of the art.
C. Scope of processing.
D. The size of the organisation.

19. Which is NOT a special category of data?

A. Political affiliation.
B. Health information.
C. Ethnic origin.
D. Social Security number.

20. Which institution has the power to adopt adequacy findings for the European Union?

A. Working Party 29.
B. European Commission.
C. European Data Protection Supervisor.
D. European Court of Justice.

21. Which exemption to the e-Privacy Directive 2002/58/EC allows the data controller to
send electronic marketing information?

A. The recipients are existing customers.
B. The controller is a non-profit organisation.
C. The data subject and controller work in the same industry.
D. The recipient’s email address is taken from a public register.

22. Under the GDPR, organizations that are not established in the EU that monitor
behaviour will be subject to the Regulation when:

A. The equipment being used for monitoring is located in the EU.
B. The behaviour being monitored occurs within the EU.
C. The individual being monitored is a citizen of an EU member state.
D. The individual being monitored is an EU citizen visiting the United States.

23. Big data projects often gather and generate a multitude of data and relations that
lead to additional data derivation opportunities. Which of the following statements is
correct with regard to big data?

A. Big data projects are exempt from the proportionality principle of the GDPR.
B. Big data projects are subject to case-by-case review under the GDPR.
C. Big data projects are subject to the proportionality principle of the GDPR.
D. Big data projects are permitted to retain all data collected prior to the GDPR
taking effect.

24. Under the GDPR, privacy notices relating to services intended for children, must be:

A. In a concise, transparent, intelligible, easily accessible form for adults to
understand and explain to the child.
B. In a concise, transparent, intelligible, easily accessible form and in language the
child can understand.
C. In concise legal language comprehendible to a subject matter expert or legal
professional.
D. In the same format as privacy notices intended for adults as children are not
addressed separately under the GDPR.

25. If a third-country data controller or processor does not wish to comply with the
supervisory authority decision, then under the GDPR, the supervisory authority has the
power:

A. To waive its decision as its powers are limited to the EU and its member states.
B. To carry out its actions outside the EU without the target country’s consent.
C. To force the data controller or processor to relocate to an EU member state.
D. To order the suspension of data flows to a recipient in the third country.

(end of sample questions)

References

1. The correct answer is D. Body of Knowledge Domain II(I): European Data Protection Law and
Regulation (International Data Protection Transfers)
An organization needs to take action to legitimise cross-border data transfers when the data
is transferred from a jurisdiction in the EU to a third country which is not deemed adequate.
In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer
personal data to a third country or an international organisation only if the controller or
processor has provided appropriate safeguards, and on condition that enforceable data
subject rights and effective legal remedies for data subjects are available. See GDPR
Article 46.

2. The correct answer is B. Body of Knowledge Domain III(C): Compliance with European Data
Protection Law and Regulation (Direct Marketing)
An email sent to an individual promoting a new book which is on sale is an example of direct
marketing. The term ‘direct marketing’ refers specifically to the communication, by whatever
means, of any advertising or marketing material directed to particular individuals. This means
that data protection laws apply to the sending of marketing messages only where individuals’
personal data is processed in order to communicate the marketing message to them.
Marketing that does not entail processing of any personal data and is therefore not directed
at individuals (for example, untargeted website banner advertisements), is not subject to
data protection compliance. In addition, messages that are purely service-related in nature
(messages sent to individuals to inform them, for example, about the status of an order they
have placed) do not generally constitute direct marketing. The GDPR does, however, provide
the data subject the right to object to processing for the purposes of direct marketing. See
GDPR Recitals 47 and 70, GDPR Article 21, and Article 29 Working Party Opinion 5/2004.

3. The correct answer is A. Body of Knowledge Domain II(K): European Data Protection Law and
Regulation (Consequences for GDPR Violations)
In the case of a personal data breach, the controller shall without undue delay and, where
feasible, not later than 72 hours after having become aware of it, notify the personal data
breach to the supervisory authority competent in accordance with Article 55, unless the
personal data breach is unlikely to result in a risk to the rights and freedoms of natural
persons. Where the notification to the supervisory authority is not made within 72 hours, it
shall be accompanied by reasons for the delay. See GDPR, Article 33.

4. The correct answer is B. Body of Knowledge Domain III(A): Compliance with European Data
Protection Law and Regulation (Employment Relationships)
GDPR Article 9(2)(b) provides that processing of sensitive employee data is acceptable when
the condition of ‘processing is necessary for the purposes of carrying out the obligations and
exercising specific rights of the controller’. The GDPR allows the processing of ‘sensitive
employee data’ if the controller has ‘explicit’ consent from the data subject and the business
obligation of the controller are justifiable reasons to process sensitive information. It is also
acceptable if the ‘data subject has given explicit consent to the processing of those personal
data for one or more specified purposes’.

5. The correct answer is C. Body of Knowledge Domain II(I): European Data Protection Law and
Regulation (International Data Transfers)
BCRs would not provide a basis to transfer names of employees to a telecom provider in the
same country in order to provide them with mobile phone services because BCRs only deal
with intra-organisational transfers and not with transfers to third parties. BCRs are
specifically designed to provide for adequate safeguards within multinational corporations
who move data within their corporation. See GDPR, Recital 110 and Articles 4(20) and 47.

6. The correct answer is C. Body of Knowledge Domain III(A): Compliance with European Data
Protection Law and Regulation (Employment Relationships)
Certain conditions must be met for a European company to use video surveillance to monitor
employee access to inventory. Although the GDPR makes no specific reference to
surveillance, the use of video in the employment context amounts to the processing of
personal data, so the GDPR will apply. The data controller will be required to carry out a
balancing exercise to ensure that the surveillance is proportionate (see GDPR, Article 4) and
that the processing is lawful (see GDPR, Article 6(1)) and any derogations to member states.
See GDPR, Article 88.

7. The correct answer is B. Body of Knowledge Domain I(B): Introduction to European Data
Protection (European Union Institutions)
The European Commission is responsible for ensuring member state implementation. The
Commission not only acts as the executive body and influences the legislative function but
also acts as a guardian of the treaties by monitoring compliance of the other institutions,
member states, and ‘natural and legal persons’. To fulfil this task, Articles 226 and 228 of the
EC Treaty grant the Commission the power to take legal and administrative action, including
the power to impose a fine against a member state that has failed to comply with the law.
Articles 230 and 232 provide the necessary supervisory powers over the other institutions.
Article 1(18) of the Lisbon Treaty states that the Commission shall ensure the application of
the Treaties, and of measures adopted by the institutions pursuant to them. It shall oversee
the application of Union law under the control of the Court of Justice of the European Union.

8. The correct answer is A. Body of Knowledge Domain II(H): European Data Protection Law and
Regulation (Accountability Requirements)
When using contracts based on European Commission standard contractual clauses, before
subcontracting, the processor must inform the controller and obtain written approval. Article
28(2) of the GDPR states that a processor shall not engage another processor without prior
specific or general written authorisation of the controller. This is reinforced in the
subprocessing clause of the standard contractual clauses where it clearly obliges the
processor to obtain prior written consent for the use of a subprocessor.

9. The correct answer is B. Body of Knowledge Domain II(F): European Data Protection Law and
Regulation (Data Subject Rights)
Under the GDPR, Tea & Biscuits has just 30 days to complete Rob’s SAR but given this scenario
they have wasted many days and now have only 5 days left to both let Rob know they are
processing his SAR and to deliver the request. There are benefits to contacting the requestor
early, such as:
(a) Contacting Rob quickly would help define what information Rob really needs with specifics
that may help narrow his request to a less complex volume.
(b) It would provide an understanding between the parties about particular information being
requested so that the level of effort needed to meet Rob’s request will be determined
early and relayed to Rob right away or within the same month as required—and, if
necessary, Tea & Biscuits could request an extension.
(c) It would inform Rob that the process has begun and identify steps that Tea & Biscuits is
taking. This will help avoid a situation where Rob files a complaint. See GDPR, Recital 63;
GDPR, Article 15.

10. The correct answer is C. Body of Knowledge Domain II(F): European Data Protection Law and
Regulation (Data Subject Rights)
The GDPR Article 12(3) requires that the controller or employer responds without undue delay
or within a month. Tea & Biscuits is required to respond to Rob’s request as soon as possible
and at the latest within one month of receipt of his request. The first response is to let him
know the SAR is undergoing processing. The second response should be the completed SAR.
The GDPR allows Tea & Biscuits to request an extension of up to two months to complete the
SAR but only if Rob is making multiple requests or his request is complex in nature. In this
case, whether gathering 18 years of Rob’s email records is complicated depends on the
company’s justification. Tea & Biscuits would have to provide Rob an explanation as to why
his request requires an extension. See GDPR, Recital 59; GDPR, Article 12(3)-(4).

11. The correct answer is C. Body of Knowledge Domain II(F): European Data Protection Law and
Regulation (Data Subject Rights)
Tea & Biscuits should carry out an email search and inform affected employees before any
disclosure of emails to Rob. Article 4(3) of the GDPR states that the data subject has the right
to obtain a copy of his personal information being processed. Article 4(4) states that the right
to obtain a copy as stated in Article 4 referred to in paragraph 3 ‘shall not adversely affect
the rights and freedoms of others’. Where the processing activity changes, there may be a
requirement to seek new consents from all the affected individuals since the previously given
consent does not cover the new processing. Tea & Biscuits should take into account that
obtaining other data subjects’ consent may require additional time. The GDPR allows
companies only 30 days to complete a SAR. The GDPR does not specifically prescribe how
third-party individual’s consent should be obtained. Rather, the employer has to make the
judgement on a case-by-case basis depending on the SAR made and the risks associated with a
breach of confidentiality to fulfil such a request. The needs of the requester should be
balanced with the employer’s confidentiality obligation to the third-party individual(s) in the
emails. Tea & Biscuits should also be prepared to provide Rob supplemental disclosures
required by the GDPR along with the email records he will be provided. See GDPR, Article
15(1).

12. The correct answer is A. Body of Knowledge Domain II(D): European Data Protection Law and
Regulation (Lawful Processing Criteria)
Performance of a contract is not a compatible purpose for processing data beyond the
purpose originally specified at the time of collection. The GDPR does allow for further
processing of data for ‘archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes, in accordance with Article 89(1)’ as compatible
with initial purposes. See GDPR, Article 5(1); Article 89(1).

13. The correct answer is D. Body of Knowledge Domain III(B): Compliance with European Data
Protection Law and Regulation (Surveillance Activities)
Employee monitoring must be limited to what is necessary for the purposes, be done lawfully,
and should follow the principles relating to the processing of personal data as outlined in the
GDPR, Article 5. An employer must consider whether the proposed monitoring is
proportionate to the employer’s concern. The wholesale monitoring of all employee emails to
ensure that employees are not passing on confidential information about the employer would
be disproportionate. However, wholesale monitoring of emails may be proportionate to
ensure the security of the employer’s IT systems where such monitoring is carried out using
technical means that detect weaknesses in the system. See GDPR, Article 5(1).

14. The correct answer is B. Body of Knowledge Domain III(D): Compliance with European Data
Protection Law and Regulation (Internet Technologies and Communications)
A web-based email platform is an example of cloud computing. ‘Cloud computing’ refers to
the provision of IT services over the internet. In cloud computing, data is stored, managed
and/or processed on a network of remote servers over the internet.

15. The correct answer is A. Body of Knowledge Domain II(F): European Data Protection Law and
Regulation (Data Subject Rights)
Right to data portability applies when the data processing is based on the user’s consent or on
a contract and the data processing is carried out by automated means. It does not apply to
‘processing necessary for the performance of a task carried out in the public interest or in the
exercise of official authority vested in the controller’. See GDPR, Article 20.

16. The correct answer is C. Body of Knowledge Domain I(C): Introduction to European Data
Protection (Legislative Framework)
As a regulation rather than a directive, it is directly imposed on the member states as a
national law, without the need for a local implementation act. However, in some key areas
the GDPR leaves the member states room to implement further rules or to deviate from the
GDPR. In fact, about 50 provisions in the GDPR allow for local law clarification or exception.

17. The correct answer is C. Body of Knowledge Domain II(H): European Data Protection Law and
Regulation (Accountability Requirements)
The GDPR has abolished the need to notify the DPAs of processing of personal data activities
given the shift to an accountability framework that includes appointment of DPOs and
maintains a register of data processing activities. See GDPR, Articles 30 and 37.

18. The correct answer is D. Body of Knowledge Domain II(G): European Data Protection Law and
Regulation (Security of Personal Data)
The size of the organisation is not one of the considerations to be taken into account in
determining the appropriate technical and organisational measures to ensure a level of data
security appropriate to the risk. Article 32 of the GDPR, which focuses on the security of
processing, provides that ‘the state of the art, the costs of implementation and the nature,
scope, context and purposes of processing as well as the risk of varying likelihood and severity
for the rights and freedoms of natural persons’ be taken into account so that ‘the controller
and the processor shall implement appropriate technical and organisational measures to
ensure a level of security appropriate to the risk …’. The article continues by identifying
appropriate measures that can be employed. Though the size of the organisation may affect
the costs of implementation, it, by itself, is not a determining factor.

19. The correct answer is D. Body of Knowledge Domain II(A): European Data Protection Law and
Regulation (Data Protection Concepts)
Social Security numbers are not considered a special category of data under the GDPR. Article
9 of the GDPR defines special categories of personal data to include: racial or ethnic origin,
political opinions, religious or philosophical beliefs, trade-union membership, the processing
of genetic or biometric data for uniquely identifying a person, and the processing of data
concerning health, sex life or sexual orientation.

20. The correct answer is B. Body of Knowledge Domain I(A): Introduction to European Data
Protection (Origins and Historical Context of Data Protection Law)
The European Commission has the power to adopt adequacy findings. Article 45 of the GDPR
specifically states that the Commission may find, in accordance with the elements of Article
45, that a third country ensures an adequate level of protection within the meaning of this
Article, by reason of its domestic law or of the international commitments it has entered into,
and the existence of an independent supervisory authority, for the protection of the private
lives and basic freedoms and rights of individuals. Unlike the Directive, the GDPR gives the
Commission the power to revoke a finding of adequacy; it also gives the newly formed
European Data Protection Board advisory powers related to adequacy decisions.

21. The correct answer is A. Body of Knowledge Domain III(C): Compliance with European Data
Protection Law and Regulation (Direct Marketing)
Under the e-Privacy Directive, data controllers may send electronic marketing information to
existing customers. Article 13(2) of the e-Privacy Directive states that when a person or
business obtains from its customers their electronic contact details for electronic mail, in the
context of the sale of a product or a service, the same entity may use these electronic
contact details for direct marketing of its own similar products or services provided that
customers clearly and distinctly are given the opportunity to object, free of charge and in an
easy manner, to such use of electronic contact details when they are collected and on the
occasion of each message in case the customer has not initially refused such use. See also
European Privacy, p. 42; e-Privacy Directive, Article 13(2).

22. The correct answer is B. Body of Knowledge Domain II(B): European Data Protection Law and
Regulation (Territorial and Material Scope of the GDPR)
Under the GDPR, non-EU organizations that monitor behaviour of EU individuals will also be
subject to the Regulation provided that the behaviour being monitored occurs within the EU.
Some examples of monitoring provided by the European Data Protection Board include:
tracking individuals online to create profiles, behavioural advertising, geolocation tracking,
online tracking through cookies, and CCTV. See GDPR, Article 3(2).

23. The correct answer is C. Body of Knowledge Domain II(C): European Data Protection Law and
Regulation (Data Processing Principles)
The proportionality principle is based on necessity. Data should be processed only as
necessary and should be proportionate to the specific processing needs. The Article 29
Working Party stated that all data protection principles, including data minimization, apply to
big data projects, despite the challenges that will arise. Article 5(1)(c) of the GDPR states
data collected must be “adequate, relevant and limited to what is necessary in relation to
the purposes for which they are processed (‘data minimization’).”

24. The correct answer is B. Body of Knowledge Domain II(E): European Data Protection Law and
Regulation (Information Provision Obligations)
Under GDPR Article 12(1), the privacy notice should be conveyed in a concise, transparent,
intelligible and easily accessible form, using clear and plain language, in particular for any
information addressed specifically to a child. The Regulation is clear that to process
children’s data under the legal basis of consent, not only does the language of the privacy
notice have to comply, but the consent must come from the ‘holder of personal responsibility
over the child’.

25. The correct answer is D. Body of Knowledge Domain II(J): European Data Protection Law and
Regulation (Supervision and Enforcement)
Under GDPR Article 58(2)(j), each supervisory authority shall have the power to order the
suspension of data flows to a recipient in a third country or to an international organization.

Answer Sheet

(Circle one answer per item.)

1  A B C D
2  A B C D
3  A B C D
4  A B C D
5  A B C D
6  A B C D
7  A B C D
8  A B C D
9  A B C D
10 A B C D
11 A B C D
12 A B C D
13 A B C D
14 A B C D
15 A B C D
16 A B C D
17 A B C D
18 A B C D
19 A B C D
20 A B C D
21 A B C D
22 A B C D
23 A B C D
24 A B C D
25 A B C D

END

This page may be reproduced.

Answer Key
Item Number | Correct Answer | Introduction to European Data Protection | European Data Protection Law and Regulation | Compliance with European Data Protection Law and Regulation
1 D
2 B
3 A
4 B
5 C
6 C
7 B
8 A
9 B
10 C
11 C
12 A
13 D
14 B
15 A
16 C
17 C
18 D
19 D
20 B
21 A
22 B
23 C
24 B
25 D

SUMMARY
Introduction to European Data Protection: ___ of 3 correct
European Data Protection Law and Regulation: ___ of 16 correct
Compliance with European Data Protection Law and Regulation: ___ of 6 correct
PERCENTAGE
(# correct/# total) x 100

This page may be reproduced.
