
CIPP/E Exam Notes

Last-minute traps, must-know facts, and scenario tips for the IAPP Certified Information Privacy Professional/Europe exam.

General Exam Tips

  1. Read ALL four answer options before choosing. IAPP questions often have two plausible-looking answers; the difference is usually one precise word or condition.
  2. Watch for qualifier words: 'most likely,' 'best,' 'primary,' and 'except' change the entire question. Underline them mentally before reading the options.
  3. Read scenario questions by scanning the QUESTION FIRST, then the scenario. This tells you exactly what detail to look for and prevents information overload.
  4. Flag tricky questions and bank easy points first. Return to flagged items with the remaining time rather than stalling mid-exam.
  5. When two answers seem equally correct, go with your first instinct. Do not talk yourself into an answer by inventing context not given in the question.
  6. Of 90 questions, only 75 are scored. Pilot questions are indistinguishable, so treat every question as scored.
  7. Aim for 65-70% correct on practice exams before sitting. The passing scaled score of 300/500 corresponds to roughly 62-65% correct on scored questions, but the psychometric weighting varies.
  8. Avoid non-IAPP practice question banks. Unofficial questions frequently contain wrong answers that create false confidence and wrong mental models.
  9. Time budget: 150 minutes / 90 questions = 100 seconds per question. Scenarios with longer text deserve more time; budget accordingly.
  10. On questions about 'which lawful basis applies,' eliminate those that clearly don't fit, then distinguish between the two most plausible by asking: does the data subject have genuine free choice, and is there a documented balancing test?
Domain 1 (13% of exam)

Introduction to European Data Protection

Must-Know Facts

  • The chronological chain of instruments: UDHR Article 12 (1948, universal privacy right) → ECHR Article 8 (1950, binding European privacy right) → OECD Guidelines (1980, non-binding) → Convention 108 (1981, first binding data protection treaty) → Directive 95/46/EC (1995, EU-level, required national transposition) → GDPR (2016 entry into force, May 2018 applicable)
  • Convention 108 is a COUNCIL OF EUROPE instrument. The Council of Europe is a separate international body distinct from EU institutions. 54 countries have ratified it, well beyond EU membership.
  • Convention 108+ (2018 modernization) extended the original treaty to cover new technologies and government data processing.
  • GDPR replaced Directive 95/46/EC because directives require national transposition, producing 28 divergent national implementations. A regulation applies directly in all member states without transposition.
  • ePrivacy Directive (2002/58/EC) is lex specialis for electronic communications: governs cookies, direct marketing via electronic means, confidentiality of communications, traffic and location data. The proposed ePrivacy Regulation to replace it has NOT been adopted.
  • NIS2 Directive: cybersecurity obligations for essential and important entities (energy, transport, banking, health, digital infrastructure). It intersects with but does not replace GDPR security obligations under Article 32.
  • EU AI Act risk tiers: Unacceptable (banned — social scoring, real-time biometric ID in public by law enforcement with narrow exceptions), High (strict compliance — hiring, credit, critical infrastructure), Limited (transparency obligations), Minimal (no requirements). GDPR principles of data minimisation, transparency, and accountability apply to all AI processing.
  • EU Data Act: focuses on non-personal data sharing and user rights to data generated by connected devices. Where it involves personal data, GDPR applies simultaneously.
  • EU institutions for exam purposes: European Commission (proposes legislation, issues adequacy decisions, adopts SCCs), European Parliament + Council of the EU (co-legislators), CJEU (interprets EU law — issued Schrems I and II rulings), EDPB (consistency and guidance body, replaces WP29).

Common Traps

Trap: Confusing the Council of Europe with the Council of the EU or the European Council
Reality: The Council of Europe is a broader international organization (47+ members) that produced Convention 108 and the ECHR. The Council of the EU and the European Council are EU-specific bodies. They are entirely different institutions, and this distinction appears in exam questions.
Trap: Assuming the ePrivacy Regulation has replaced the ePrivacy Directive
Reality: As of 2026, the ePrivacy Regulation is still proposed and not adopted. The 2002 ePrivacy Directive remains in force. Cookie consent and electronic marketing rules come from the Directive, not from GDPR or any new regulation.
Trap: Thinking GDPR 'entered into force' in May 2018
Reality: GDPR entered into force in May 2016. It became applicable (enforceable) in May 2018 after a two-year transition period. The distinction matters if a question asks about the entry-into-force date vs. the applicable date.
Trap: Treating Convention 108 as the first privacy instrument in history
Reality: ECHR Article 8 (1950) and the OECD Guidelines (1980) predated Convention 108 (1981). However, Convention 108 was the first BINDING international treaty specifically dedicated to data protection.

Confusing Pairs

GDPR vs. ePrivacy Directive

GDPR = general data protection framework applying to all personal data processing. ePrivacy Directive = lex specialis for electronic communications (cookies, e-marketing, traffic data). Where they overlap (e.g., cookies), ePrivacy Directive takes precedence. Where ePrivacy is silent, GDPR applies as the general law.

Directive 95/46/EC vs. GDPR

Directive 95/46/EC required national transposition, produced divergent national laws, and could not keep pace with the digital economy. GDPR is a regulation: directly applicable in all member states simultaneously, creating a single unified legal framework.

NIS2 Directive vs. GDPR

NIS2 = cybersecurity obligations (incident reporting to cybersecurity authorities, security measures for essential entities). GDPR = personal data protection (breach notification to data protection authorities, privacy rights). A single security incident can trigger obligations under BOTH: NIS2 reporting to cybersecurity authority AND GDPR Article 33 notification to supervisory authority.

Scenario Tips

If the question asks about:

A question asks which legal instrument was the FIRST binding international treaty specifically on data protection

Answer:

Convention 108 (1981). The ECHR (1950) established a privacy right but not a data protection framework. OECD Guidelines (1980) were non-binding. Convention 108 was the first binding data protection treaty.

Distractor to avoid:

ECHR Article 8 (1950) is tempting because it came first and is binding, but it is a human rights treaty with a general privacy right, not a specific data protection instrument.

If the question asks about:

A question asks which framework governs consent for placing analytics cookies on EU users' browsers

Answer:

The ePrivacy Directive as lex specialis. Although the quality of consent is judged by GDPR standards, the requirement to obtain consent for non-essential cookies comes from the ePrivacy Directive, not GDPR directly.

Distractor to avoid:

GDPR Article 6(1)(a) is often chosen, but this conflates the source of the cookie consent obligation (ePrivacy Directive) with the quality standard of consent (GDPR). The exam specifically tests this distinction.

Last-Minute Facts

1. Convention 108 signed: 1981. Convention 108+ modernization: 2018.
2. Directive 95/46/EC adopted: 1995. GDPR entered into force: May 25, 2016. GDPR applicable: May 25, 2018.
3. ePrivacy Directive: 2002/58/EC. Still in force. ePrivacy Regulation: proposed only, not adopted.
4. EDPB replaced the Article 29 Working Party (WP29) when GDPR became applicable in 2018.
5. EU AI Act: entered into force August 1, 2024. Prohibited AI practices applicable February 2, 2025. GPAI model rules applicable August 2, 2025. High-risk AI (Annex III) originally due August 2, 2026 — as of mid-2026, the EU AI omnibus simplification package (political agreement May 2026) may delay this to December 2027 pending Council adoption. Know the original dates; acknowledge that a delay is in progress.
6. WP29 guidelines were adopted/confirmed by the EDPB and remain valid — on the exam they carry equal authority.
Domain 2 (31% of exam)

European Data Protection Law and Regulation

Must-Know Facts

  • Seven GDPR principles (Article 5, memorize in order): (1) Lawfulness/fairness/transparency, (2) Purpose limitation, (3) Data minimisation, (4) Accuracy, (5) Storage limitation, (6) Integrity and confidentiality, (7) Accountability.
  • Six lawful bases (Article 6): (a) Consent, (b) Contract, (c) Legal obligation, (d) Vital interests, (e) Public task, (f) Legitimate interests. Know which are available to public authorities and which to private actors — public authorities generally cannot use legitimate interests.
  • All eight data subject rights: Article 15 (access), Article 16 (rectification), Article 17 (erasure/right to be forgotten), Article 18 (restriction of processing), Article 19 (notification obligation), Article 20 (data portability), Article 21 (right to object), Article 22 (automated decision-making and profiling).
  • Consent validity conditions (Article 7): freely given, specific, informed, unambiguous. Must be as easy to withdraw as to give. Cannot be bundled with a contract where processing is not necessary. Cannot use pre-ticked boxes (CJEU Planet49 ruling).
  • Children's consent (Article 8): age threshold is 16 (member states may lower to 13). Below threshold requires verifiable parental/guardian consent.
  • Special categories (Article 9): racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic data, biometric data used for identification, health data, sex life/sexual orientation. Financial data, criminal convictions (covered by Article 10), and IP addresses are NOT Article 9 special categories.
  • Ten Article 9(2) exceptions: explicit consent, employment/social security, vital interests, legitimate activities of not-for-profit bodies, manifestly public data, legal claims, substantial public interest, health/social care, public health, archiving/research/statistics.
  • Breach notification to supervisory authority (Article 33): within 72 hours of becoming AWARE, unless breach is unlikely to result in RISK to rights and freedoms. Notification can be phased.
  • Breach notification to data subjects (Article 34): without undue delay when breach is likely to result in HIGH RISK. Not required if: data was encrypted/pseudonymised, controller has taken subsequent measures eliminating high risk, or it would involve disproportionate effort (public communication instead).
  • Security of processing (Article 32): 'appropriate' technical and organisational measures — the standard is risk-based, not absolute. Pseudonymisation, encryption, confidentiality, integrity, availability, and resilience are explicitly mentioned measures.
  • Article 22: right not to be subject to SOLELY automated decisions that produce LEGAL or SIMILARLY SIGNIFICANT effects. Exceptions: contract, legal authorisation, explicit consent. Even when automated decision-making is permitted under exceptions, the data subject has the right to human review and to contest the decision.
  • EDPB Guidelines 1/2024 (Legitimate Interests): three-part test — (1) identify a specific, real, and present legitimate interest; (2) demonstrate processing is strictly necessary (not merely useful); (3) balance interests against data subject's rights, considering context, nature of data, and reasonable expectations.
  • 2025 Body of Knowledge update added: EDPB Opinion 22/2024 (controller-processor chains and sub-processor liability), EDPB Opinion 04/2024 (main establishment criteria for one-stop-shop eligibility), Guidelines 1/2024 (legitimate interests), AI governance under GDPR.

Common Traps

Trap: Assuming consent is always the correct or preferred lawful basis
Reality: Consent is appropriate only when the data subject has genuine free choice. In employment, the power imbalance makes consent generally invalid — use contract or legal obligation instead. In B2B contexts, legitimate interest may be more appropriate. The exam frequently presents consent as a tempting but wrong answer.
Trap: Thinking the right to erasure (Article 17) is absolute
Reality: Article 17(3) lists six exceptions: freedom of expression, compliance with a legal obligation, public health in the public interest, archiving/research/statistics purposes, establishment or defence of legal claims. A healthcare provider can refuse erasure citing legal retention obligations.
Trap: Treating pseudonymised data as outside GDPR scope
Reality: Pseudonymised data IS still personal data — it can be re-identified with additional information. Only TRULY ANONYMOUS data falls outside GDPR. Pseudonymisation is a security measure, not a way to escape GDPR obligations.
Trap: Believing the 72-hour breach notification clock starts when the breach occurred
Reality: The 72-hour clock starts when the controller BECOMES AWARE of the breach with reasonable certainty. Initial discovery triggers the clock even if the full investigation is incomplete. The controller can notify in phases and supplement later.
Trap: Applying data portability (Article 20) broadly to all data about a person
Reality: Data portability is narrow: it ONLY applies to data the data subject actively provided, processed by AUTOMATED means, based on CONSENT or CONTRACT. Observed data (inferred from behaviour) and data processed on other lawful bases are NOT portable.
Trap: Treating Article 9 exceptions as equally broad as Article 6 lawful bases
Reality: Article 9 requires BOTH a general Article 6 lawful basis AND an Article 9(2) exception. Meeting one without the other is insufficient. For example, processing health data for a contract does not automatically satisfy Article 9 — you also need an explicit Article 9(2) ground.
Trap: Assuming 'improving services' or 'business efficiency' satisfies the legitimate interest test
Reality: Per EDPB Guidelines 1/2024, a legitimate interest must be specific, real, and present. Vague goals are not sufficient. Processing must also be strictly necessary — not merely convenient — and the balancing test must be documented.
Trap: Confusing Article 33 (risk threshold) with Article 34 (high risk threshold)
Reality: Article 33 requires reporting ANY breach likely to result in ANY RISK. Article 34 requires notifying data subjects only when there is HIGH RISK. A breach can be reportable to the authority under Article 33 but not require data subject notification under Article 34.

Confusing Pairs

Consent (Article 6(1)(a)) vs. Legitimate Interests (Article 6(1)(f))

Consent = data subject gives affirmative, freely given, specific, informed, unambiguous agreement; can be withdrawn. Use when data subject has real choice. Legitimate interests = controller has documented interest outweighing data subject rights after three-part balancing test; data subject can object but cannot simply withdraw. Key: if data subject cannot genuinely refuse without negative consequences, consent is not freely given — use another basis.

Right to Erasure (Article 17) vs. Right to Restriction (Article 18)

Erasure = data is deleted. Restriction = data is stored but not actively processed (frozen). Use restriction when: data subject contests accuracy, processing is unlawful but data subject opposes erasure, controller no longer needs data but data subject needs it for legal claims, or data subject has objected and the controller is assessing overriding grounds.

Right to Access (Article 15) vs. Data Portability (Article 20)

Access = broad right to confirm processing and obtain a copy of ALL personal data regardless of lawful basis, including inferred/observed data. Portability = narrow right to receive only data the subject PROVIDED, only automated processing, only consent/contract basis, in machine-readable format for transmission to another controller.

Right to Object (Article 21(1)) vs. Right to Object to Direct Marketing (Article 21(2))

Article 21(1) general object = data subject can object to processing based on legitimate interests or public task; controller CAN override by demonstrating compelling legitimate grounds. Article 21(2) direct marketing object = ABSOLUTE right; controller CANNOT override with compelling grounds; must stop immediately without balancing test.

Pseudonymisation vs. Anonymisation

Pseudonymisation = personal data processed so it cannot be attributed to a specific individual without additional information held separately (encryption, tokenisation). Still personal data under GDPR. Anonymisation = irreversibly processed so individual cannot be identified. Falls outside GDPR scope entirely. The test: can anyone reasonably re-identify the data? If yes, it is pseudonymous.

Article 33 (Notification to Authority) vs. Article 34 (Notification to Data Subjects)

Art. 33 = notifiable when breach is LIKELY to result in RISK. Deadline: 72 hours from awareness. Art. 34 = notifiable when breach is likely to result in HIGH RISK. Deadline: without undue delay. Three exceptions to Art. 34 notification: encryption eliminates intelligibility, subsequent measures eliminate high risk, or disproportionate effort (public communication instead). Key: risk vs. HIGH risk is the threshold difference.

Profiling (Article 4(4)) vs. Automated Decision-Making (Article 22)

Profiling = any form of automated processing to evaluate personal aspects (behavioural analysis, predicting outcomes). It does not by itself trigger Article 22 rights. Article 22 = solely automated decisions with LEGAL or SIMILARLY SIGNIFICANT effects on the individual. Profiling only triggers Article 22 rights when it produces such decisions. Many companies profile without triggering Article 22.

Scenario Tips

If the question asks about:

An employer makes all new hires sign a consent form for payroll data processing as a condition of starting work

Answer:

The consent is invalid. Employment creates a power imbalance: the employee cannot freely refuse without losing their job. The correct lawful basis for payroll is Article 6(1)(b) (contract performance) or Article 6(1)(c) (legal obligation). EDPB has explicitly stated employment consent is rarely freely given.

Distractor to avoid:

Option 'A — consent is valid because the employee signed' is wrong. The fact of signing is irrelevant if consent was not freely given.

If the question asks about:

A company uses behavioral advertising, collects browsing data, and wants to rely on legitimate interests. The question asks whether this is valid.

Answer:

For behavioral advertising specifically, legitimate interest CANNOT be used because the ePrivacy Directive requires prior consent for placing tracking cookies. Even if legitimate interest passes the three-part test under GDPR, the ePrivacy Directive as lex specialis overrides and requires consent.

Distractor to avoid:

Candidates often select legitimate interest as valid because it passes the three-part test in isolation, without applying the ePrivacy overlay.

If the question asks about:

A data subject requests deletion of their medical records. The healthcare provider has a statutory obligation to retain records for 10 years.

Answer:

The provider can refuse under Article 17(3)(b) — processing is necessary for compliance with a legal obligation. The right to erasure does not override statutory retention requirements.

Distractor to avoid:

Some candidates choose 'legitimate interest' as the basis for refusal. Wrong — the exception is LEGAL OBLIGATION under Article 17(3)(b), not a reliance on legitimate interest.

If the question asks about:

A company discovers a ransomware attack on Monday. Investigation reveals the scope only on Wednesday. When does the 72-hour clock start?

Answer:

Monday, when the controller first became aware with reasonable certainty that a breach occurred. The investigation timeline does not reset the clock. The controller can submit an initial notification on Monday and supplement it later as details emerge.

Distractor to avoid:

Choosing Wednesday (when full scope is known) is the common wrong answer. Article 33 says 'upon becoming aware' — initial awareness starts the clock.

If the question asks about:

A data subject asks for their data in portable format. The company holds: (1) name and email they provided during registration, (2) purchase history (inferred from transactions), (3) preference profile inferred from browsing behavior.

Answer:

Only the name and email provided during registration are portable. Purchase history and inferred preference profiles are not 'provided by the data subject' and fail the portability criteria. Portability requires the data subject to have actively provided the data.

Distractor to avoid:

Choosing all three items is wrong. The distinction between 'provided by the data subject' and 'observed/inferred' data is precisely what the exam tests.

If the question asks about:

A question presents a data subject exercising their right to object to direct marketing and asks what the controller must do

Answer:

Stop processing for direct marketing purposes immediately. The right to object to direct marketing under Article 21(2) is absolute — no balancing test, no overriding grounds. 'Without delay' means immediately upon receipt of the objection.

Distractor to avoid:

Choosing 'the controller can continue if they have a compelling legitimate interest' is wrong. The absolute nature of Article 21(2) is a favorite exam trap.

Last-Minute Facts

1. Article 5 principles: 7 total. Accountability is the 7th and holds the controller responsible for demonstrating compliance with the other six.
2. Article 6 lawful bases: 6 total. Public authorities CANNOT use legitimate interests (Article 6(1)(f)) as a general rule.
3. Data subject rights: 8 total (Articles 15-22). Portability (Art 20) and the right not to be subject to automated decisions (Art 22) have the narrowest applicability.
4. Consent age threshold: 16 years default; member states may lower to 13.
5. Special categories (Article 9): 8 categories. Financial data, criminal convictions, and IP addresses are NOT in this list.
6. Article 33 breach notification to the authority: 72 hours from awareness. Article 34 to data subjects: without undue delay when HIGH risk.
7. Fine tiers: Art 83(4) — up to 10M EUR / 2% of global turnover for procedural violations. Art 83(5) — up to 20M EUR / 4% for principles, rights, and transfer violations.
8. Planet49 ruling: pre-ticked consent boxes are invalid. Consent must be an affirmative action.
Domain 3 (23% of exam)

European Data Processing

Must-Know Facts

  • Transparency information split by source: Article 13 applies when data is collected DIRECTLY from the data subject (provide information AT TIME of collection). Article 14 applies when data is collected FROM THIRD PARTIES (provide within reasonable period, max one month; or at first communication; or before first disclosure to another recipient).
  • International transfer mechanism hierarchy: (1) Adequacy decision by European Commission → no additional safeguards needed. (2) Appropriate safeguards (SCCs, BCRs, approved codes of conduct, certification mechanisms) → may require Transfer Impact Assessment. (3) Article 49 derogations → last resort for occasional transfers only.
  • Current adequacy countries (2026): Japan, South Korea, UK, Canada (commercial sector), Israel, New Zealand, Switzerland, and the US under the EU-US Data Privacy Framework (DPF). The EU-US DPF only covers US organizations that SELF-CERTIFY.
  • SCCs (Standard Contractual Clauses): 2021 modular SCCs have four modules — C2C (controller-to-controller), C2P (controller-to-processor), P2C (processor-to-controller), P2P (processor-to-processor). Must be used without modification.
  • Schrems II (CJEU 2020): invalidated Privacy Shield, required TIAs for SCCs. Even with SCCs, you must assess whether the recipient country's laws (especially government surveillance) undermine contractual protections. If they do, supplementary measures are required.
  • Transfer Impact Assessment (TIA): mandatory assessment after Schrems II when using SCCs or other Article 46 mechanisms. Evaluates the legal framework of the recipient country, specifically whether government surveillance powers compromise GDPR-level protection.
  • Binding Corporate Rules (BCRs): for INTRA-GROUP transfers within a multinational corporate group. Require supervisory authority approval. Cover both controller BCRs and processor BCRs. Not available for transfers between unrelated organizations.
  • Article 49 derogations (use sparingly): explicit consent for occasional transfers, necessity for contract with data subject, necessity for important public interest reasons, vital interests, establishment or defence of legal claims, data from public register. Cannot be used as systematic transfer mechanism.
  • Transparency requirements under Article 12: information must be concise, transparent, intelligible, easily accessible, clear and plain language, and where possible supported visually. Free of charge. Provide within one month of request (can extend by two months for complex/numerous requests).

Common Traps

Trap: Using Article 49 derogations as a routine transfer mechanism
Reality: Article 49 derogations are EXCEPTIONS for OCCASIONAL transfers. The EDPB explicitly warns that systematic or large-scale transfers cannot rely on Article 49. Organizations that regularly transfer data to a country without an adequacy decision must use SCCs or BCRs.
Trap: Believing Standard Contractual Clauses provide a complete and automatic guarantee of protection
Reality: Post-Schrems II, SCCs require a Transfer Impact Assessment. If the recipient country's surveillance laws can compel disclosure that undermines SCC protections, supplementary measures (technical or contractual) are required or transfers must be suspended.
Trap: Thinking the EU-US DPF covers all US companies
Reality: The EU-US Data Privacy Framework only covers US organizations that have SELF-CERTIFIED with the US Department of Commerce and remain on the DPF list. US organizations that have not self-certified are NOT covered by this adequacy decision and require a separate transfer mechanism.
Trap: Applying the same transparency information requirements regardless of how data was collected
Reality: Article 13 (direct collection) and Article 14 (third-party collection) have different information requirements and different timing obligations. The exam tests whether candidates know which article applies and what the timing deadline is.
Trap: Assuming BCRs can be used for transfers between unrelated organizations
Reality: BCRs are ONLY for intra-group transfers within a corporate family. If a company wants to transfer to a business partner or client outside the corporate group, SCCs or another Article 46 mechanism is required.

Confusing Pairs

Adequacy Decision vs. Standard Contractual Clauses (SCCs)

Adequacy decision = European Commission has determined the country provides essentially equivalent protection; transfers proceed without additional safeguards. SCCs = pre-approved contractual clauses used when no adequacy decision exists; require TIA post-Schrems II; may need supplementary measures. Adequacy is easier but only available for listed countries.

Standard Contractual Clauses (SCCs) vs. Binding Corporate Rules (BCRs)

SCCs = pre-approved terms usable by any organization for transfers to non-EEA recipients; four modules available; no supervisory authority approval needed. BCRs = internal rules for intra-group multinational transfers; require supervisory authority approval; provide more operational flexibility for large corporate groups but have higher setup cost.

Article 13 Transparency vs. Article 14 Transparency

Article 13 = data collected DIRECTLY from the data subject → information provided AT THE TIME of collection. Article 14 = data obtained from a THIRD PARTY → information provided within ONE MONTH of obtaining the data, or at first communication, or before first disclosure. Key difference: timing and trigger.

Privacy Shield vs. EU-US Data Privacy Framework (DPF)

Privacy Shield = adequacy decision for US, invalidated by CJEU in Schrems II (2020) due to US surveillance law concerns. EU-US DPF = replacement adequacy decision adopted in 2023 addressing Schrems II concerns via US executive order limiting intelligence access; only covers self-certified US companies. The DPF faces ongoing legal challenges — the exam tests that you know the current status.

Scenario Tips

If the question asks about:

A multinational company regularly transfers employee data from its EU subsidiary to its US parent company for HR management purposes. No adequacy decision covers this transfer type. What mechanism should it use?

Answer:

Binding Corporate Rules (BCRs) are ideal for regular, systematic intra-group transfers. SCCs would also work but BCRs provide more operational flexibility for a corporate group. Article 49 derogation (employee consent) is wrong because the employment power imbalance makes consent non-freely-given, and derogations cannot serve as the systematic mechanism for regular transfers.

Distractor to avoid:

Consent derogation under Article 49 appears plausible because there are named employees, but it is wrong for two reasons: employment consent is not freely given, and Article 49 is for occasional transfers only.

If the question asks about:

After Schrems II, a company implements SCCs for its transfer to a US vendor. Is anything else needed?

Answer:

Yes. The company must conduct a Transfer Impact Assessment (TIA) to evaluate US surveillance law (FISA Section 702, Executive Order 12333) and determine whether it undermines SCC protections. If the TIA reveals risks, supplementary measures (encryption with keys held in the EU, pseudonymisation, data minimisation, contractual prohibitions on disclosure) must be implemented.

Distractor to avoid:

Selecting 'SCCs alone are sufficient' is the classic Schrems II trap. SCCs do not automatically ensure adequate protection — they must be backed by a TIA.

If the question asks about:

A company acquires personal data about EU residents from a data broker and wants to use it for marketing. When must it provide transparency information to data subjects?

Answer:

Article 14 applies (data not collected directly). Information must be provided within a reasonable period and no later than one month after obtaining the data, or at first communication with the data subject, or before first disclosure to another party — whichever comes first.

Distractor to avoid:

Selecting Article 13 (at time of collection) is wrong because Article 13 only applies when the data subject directly provides data to the controller.

Last-Minute Facts

1. Transfer mechanism hierarchy: Adequacy → Article 46 safeguards (SCCs, BCRs, codes, certification) → Article 49 derogations.
2. TIA (Transfer Impact Assessment) is required post-Schrems II when using any Article 46 mechanism to transfer to a country without an adequacy decision.
3. Article 14 timing: provide transparency within 1 month, or at first communication, or before first disclosure — whichever is EARLIEST.
4. EU-US DPF adopted July 2023. Covers ONLY self-certified US organizations.
5. Schrems I (2015): invalidated Safe Harbor. Schrems II (2020): invalidated Privacy Shield. Both brought by Max Schrems against Facebook.
6. BCRs require prior approval by the competent supervisory authority — allow 2+ years for the approval process.
7. 2021 SCCs replaced the old 2001/2004 SCCs. Four modules: C2C, C2P, P2P, P2C. The old SCCs are no longer valid for new transfers.
Domain 4 (17% of exam)

European Data Protection: Scope and Accountability

Must-Know Facts

  • Territorial scope (Article 3): three triggers — (1) ESTABLISHMENT: any processing in the context of activities of an EU establishment, regardless of where processing occurs. (2) TARGETING: non-EU organization offering goods or services to EU data subjects (free or paid). (3) MONITORING: non-EU organization monitoring behavior of EU data subjects.
  • Indicators of 'targeting' per EDPB: use of EU country languages (not just English), EU currencies, delivery options to EU countries, mention of EU users in marketing, .eu domains or local EU domains.
  • Article 27 Representative: non-EU controllers and processors subject to GDPR via Article 3(2) must designate an EU representative IN WRITING. Exceptions: occasional processing not on large scale, no high risk, public authority.
  • Controller vs. Processor distinction (Articles 4, 26, 28): Controller = determines purposes AND means. Processor = processes on behalf of and under instructions of the controller. Joint controllers = two or more jointly determining purposes and means, must have a joint controller arrangement (Article 26).
  • DPIA triggers (Article 35, GDPR + EDPB guidance): (1) Systematic and extensive profiling with legal/significant effects, (2) Large-scale processing of special categories or criminal conviction data, (3) Systematic monitoring of publicly accessible areas. EDPB and national authorities publish positive lists of additional triggers.
  • DPIA content requirements: description of processing and purposes, assessment of necessity and proportionality, assessment of risks to data subjects, measures envisaged to address the risks. Must be done BEFORE processing begins.
  • Mandatory DPO appointment (Articles 37-39): public authorities (except courts in judicial capacity), organizations carrying out large-scale systematic monitoring, organizations processing special categories or criminal data on a large scale. DPO can be internal or external, shared among a group, but must be an expert in data protection law and practices.
  • DPO independence requirements: cannot receive instructions on how to perform their tasks, cannot be dismissed for performing their duties, must report directly to highest management level, must not have conflicts of interest from other responsibilities.
  • Administrative fines tiers (Article 83): Lower tier — up to 10M EUR or 2% of total worldwide annual turnover for Articles 8, 11, 25-39, 42-43 violations (procedural, DPO, DPIA, Records of Processing). Higher tier — up to 20M EUR or 4% for Articles 5-7, 9, 12-22, 44-49, and supervisory authority orders.
  • One-stop-shop mechanism: organizations with cross-border processing are regulated primarily by the supervisory authority of their MAIN ESTABLISHMENT (where central administration is, or where decisions on purposes/means are taken). Under EDPB Opinion 04/2024, proof of main establishment requires governance documentation, decision-making logs, and organizational charts.
  • Records of Processing Activities (ROPA, Article 30): controllers must maintain written records documenting controller identity, purposes, categories of data and data subjects, recipients, international transfers, retention periods, and security measures. Processors maintain their own separate ROPA. Exception: organisations with fewer than 250 employees are EXEMPT unless processing poses a risk, is not occasional, or involves special categories or criminal data — in practice most organisations must maintain a ROPA regardless.

Common Traps

Trap: Assuming GDPR only applies to organizations with a physical presence in the EU
Reality: GDPR applies to any non-EU organization that TARGETS EU data subjects (offering goods/services) or MONITORS their behavior, even with zero EU presence. A US app with no EU office that collects data from EU users is fully subject to GDPR.
Trap: Appointing the Head of IT or Chief Information Officer as DPO without checking for conflicts of interest
Reality: A person who determines the purposes and means of data processing (a controller function) cannot also serve as DPO (an oversight function). CIO, CISO, Head of IT, General Counsel, or HR Director roles can all create conflicts. The DPO must be able to independently oversee the very functions they previously managed.
Trap: Believing that 4% of 'EU revenues' is the maximum fine calculation basis
Reality: The 4% fine is calculated on TOTAL WORLDWIDE ANNUAL TURNOVER of the ENTIRE UNDERTAKING (corporate group). Not EU revenues, not just the sanctioned subsidiary. Meta's billions in fines are calculated on global Meta group revenue.
Trap: Starting a high-risk processing activity and then conducting a DPIA during or after
Reality: A DPIA must be completed BEFORE the processing begins. If a DPIA reveals unacceptable residual risk, the supervisory authority must be consulted under Article 36 before processing starts. Conducting a DPIA after launch is too late and itself a GDPR violation.
Trap: Thinking the one-stop-shop mechanism applies to ALL processing
Reality: The one-stop-shop only applies to CROSS-BORDER processing (processing in multiple member states or that substantially affects data subjects in multiple member states). Purely local processing is handled by the local supervisory authority only.
Trap: Assuming small organisations with fewer than 250 employees never need a ROPA
Reality: The Article 30(5) exemption for <250 employees is swallowed by its own exceptions: if processing poses ANY risk, is not occasional, or involves special categories or criminal data, a ROPA is still required. In practice, almost every real-world organisation processes HR data (employment contracts = not occasional) or health data, so the exemption rarely applies. Exam questions use this to test whether candidates understand the exception has exceptions.

Confusing Pairs

Controller vs. Processor

Controller = decides WHY (purposes) and HOW (means) data is processed. Processor = follows controller's instructions. Key test: if an entity decides its own purposes for using the data, it is a controller for that use. A cloud provider hosting data is a processor; if it mines data for its own analytics, it becomes a controller for that activity.

Controller vs. Joint Controller

Controller = single entity determines purposes and means alone. Joint controllers = two or more TOGETHER determine purposes and means — not necessarily the same decisions, but they must be jointly involved in the determination. Must have Article 26 arrangement. The essence of the arrangement must be made available to data subjects, and data subjects can exercise their rights against any of the joint controllers.

DPIA (Article 35) vs. Prior Consultation (Article 36)

DPIA = mandatory privacy risk assessment before high-risk processing. Must be done by the controller. Article 36 = prior consultation with the supervisory authority is MANDATORY only when the DPIA reveals that RESIDUAL risks cannot be mitigated. Not every DPIA triggers Article 36 — only those with unresolvable high residual risk.

Mandatory DPO vs. Voluntary DPO

Mandatory DPO (Article 37): public authorities, large-scale systematic monitoring, large-scale special category/criminal data processing. Voluntary DPO: any other organization may appoint one. Key distinction: once appointed (mandatory or voluntary), ALL DPO requirements apply equally — the organization cannot pick and choose which rules to follow for a voluntary DPO.

Scenario Tips

If the question asks about:

A US-based app collects location and behavioral data from users worldwide. The app is in English only and prices are in USD. But it has 2 million users in France and Germany. Does GDPR apply?

Answer:

Yes. Under Article 3(2)(b), monitoring the behavior of EU data subjects (through location and behavioral tracking) triggers GDPR regardless of establishment or the language/currency used. The existence of 2 million EU users and behavioral tracking is the determining factor.

Distractor to avoid:

Choosing 'no, because the app is in English and USD only' is wrong. Language and currency are indicators of targeting but are not required for GDPR to apply. Behavioral monitoring is a separate, independent trigger.

If the question asks about:

An organization appoints its Legal Director as DPO. The Legal Director also advises on GDPR compliance strategies and signs data processing agreements on behalf of the company. Is there a problem?

Answer:

Yes — conflict of interest. The Legal Director participates in determining how personal data is processed (controller functions: advising on compliance strategies, signing processing agreements). The DPO must be able to independently oversee these very activities. Article 38(6) prohibits the DPO from holding positions that result in a conflict of interest.

Distractor to avoid:

Selecting 'no conflict because the Legal Director has legal expertise' is wrong. GDPR expertise is a qualification for the DPO role, but it does not eliminate the conflict created by simultaneously acting as controller.

If the question asks about:

A company launches a new AI-powered hiring tool that automatically ranks job applicants based on CV analysis and video interview sentiment scoring. Before launching, what must the company do?

Answer:

Conduct a DPIA before launching. This processing: involves automated decision-making with significant (employment-related) effects, large-scale processing, and likely biometric/health-adjacent data from sentiment analysis. It meets multiple DPIA triggers. The DPIA must be completed BEFORE processing begins, and if residual risk is high, consult the supervisory authority first.

Distractor to avoid:

Choosing 'obtain consent from job applicants before processing' is incomplete. Consent alone does not substitute for a DPIA, and employment consent may be invalid due to power imbalance.

Last-Minute Facts

1. Article 3 triggers: (1) establishment in EU, (2) offering goods/services to EU data subjects, (3) monitoring behavior of EU data subjects.
2. Article 27 representative: required for most non-EU controllers/processors subject to GDPR via Article 3(2). Must be in writing.
3. DPO conflicts of interest: the DPO cannot also hold a role in which they set the purposes and means of processing. CIO, CISO, HR Director, Legal Director roles commonly create conflicts.
4. Fine tiers: 10M/2% = procedural (Articles 8, 11, 25-39, 42-43). 20M/4% = substantive (principles, rights, transfers).
5. EDPB Opinion 04/2024: main establishment requires FUNCTIONAL criteria (where decisions on purposes and means are actually taken), not just formal registered address.
6. One-stop-shop: lead supervisory authority = supervisory authority of the main establishment. Cross-border cases only.
7. DPIA required for: (1) profiling with legal/significant effects, (2) large-scale special category processing, (3) systematic public area monitoring. These are the three GDPR-mandatory triggers — national authorities may add more.
8. ROPA (Article 30): controllers AND processors each maintain their own records. Exception for <250 employees exists but is almost always overridden because most processing is 'not occasional' or involves risk. ROPA violation = lower-tier fine (10M EUR / 2%).
Domain 5 (16% of exam)

Compliance with European Data Protection Law and Regulation

Must-Know Facts

  • Employment data: consent is almost always inappropriate due to power imbalance. Lawful bases for employment processing: Article 6(1)(b) (contract), Article 6(1)(c) (legal obligation), Article 6(1)(f) (legitimate interests with documented balancing test). Employee monitoring must be proportionate, transparent (employees informed), and limited to what is necessary.
  • Video surveillance (CCTV): requires lawful basis (usually legitimate interests), must provide transparent notice (signage visible before entering monitored area), DPIA required for systematic monitoring of public spaces, retention periods must be justified (typically days/weeks, not months). EDPB Guidelines 3/2019 on video surveillance.
  • ePrivacy Directive direct marketing rules: OPT-IN required for electronic direct marketing (email, SMS, automated calls). Exception — SOFT OPT-IN for existing customers: same company, similar products/services, customer given opt-out opportunity at collection and in every subsequent message.
  • Cookies: strictly necessary cookies (session management, user-requested features) do NOT require consent. All other cookies (analytics, advertising, preference, social media tracking) require PRIOR informed consent. Cookie walls that deny access unless users consent may be invalid depending on whether alternatives exist.
  • Article 21(2) — right to object to direct marketing: ABSOLUTE right. Controller must cease processing for direct marketing purposes without delay. Cannot override with compelling legitimate grounds (unlike Article 21(1) general objection). Operates as an opt-out and must be honoured regardless of the lawful basis the marketing relied on.
  • Dark patterns (EDPB Guidelines 3/2022 on deceptive design patterns in social media): six types — Overloading (excessive information/requests), Skipping (ignoring privacy settings), Stirring (emotional manipulation), Obstructing (making privacy choices difficult), Fickle (inconsistent interface), Left in the dark (insufficient information). These violate transparency and fairness principles.
  • Article 22 automated decisions in employment/AI contexts: employers cannot make SOLELY automated hiring, firing, or performance management decisions with legal/significant effects without offering human review, human override capability, and an explanation of the logic involved.
  • Facial recognition in public spaces: under EU AI Act, real-time biometric identification of natural persons in publicly accessible spaces by law enforcement is classified as UNACCEPTABLE RISK AI (banned) with very narrow exceptions. Non-law-enforcement uses are typically high-risk AI requiring DPIA under GDPR.
  • Whistleblowing: EU Whistleblower Directive (2019/1937) requires internal reporting channels. These channels process personal data of both the whistleblower and the reported individual — both data subjects have GDPR rights, but controllers can restrict rights (e.g., access by reported person) under Article 23 to protect the reporting process.
  • EDPB social media targeting guidelines: advertisers are typically controllers for the targeting criteria they set; platforms are controllers for their own targeting tools. This creates joint controller relationships requiring Article 26 arrangements.

Common Traps

Trap: Thinking the soft opt-in exception allows marketing to former customers or for different products
Reality: The soft opt-in exception under the ePrivacy Directive has THREE conditions that must ALL be met: (1) existing customer (not former customer), (2) similar products or services (not unrelated offers), (3) opt-out offered at time of original collection AND in every subsequent message. Fail any condition and the exception does not apply.
Trap: Believing pre-ticked cookie consent boxes are valid if the user proceeds without unchecking
Reality: Pre-ticked boxes are INVALID consent. The CJEU Planet49 ruling (2019) confirmed that consent must be an affirmative, active action. Proceeding without unchecking a pre-ticked box is not an unambiguous indication of agreement. This applies to cookie consent and any other GDPR consent scenario.
Trap: Assuming employee monitoring is permissible as long as the employer has a security interest
Reality: Even with a legitimate interest (security, productivity), employee monitoring must be: necessary (least privacy-invasive means), proportionate (not blanket monitoring of all communications), transparent (employees informed in advance in a policy), and subject to a balancing test. Blanket keylogging without notice violates transparency at minimum.
Trap: Treating all cookie consent as a GDPR matter
Reality: Cookie consent requirements come from the ePrivacy Directive as lex specialis, not GDPR. GDPR provides the QUALITY standard for that consent (freely given, specific, informed, unambiguous). The obligation to obtain consent in the first place comes from ePrivacy. The distinction is tested.
Trap: Confusing the general right to object with the absolute right to object to direct marketing
Reality: Article 21(1) general objection: applies to processing based on legitimate interests or public task; controller CAN override if it demonstrates compelling legitimate grounds. Article 21(2) direct marketing objection: ABSOLUTE, no override possible, no balancing test, must stop without delay. Two completely different standards.

Confusing Pairs

Opt-in (ePrivacy Directive) vs. Soft Opt-in (ePrivacy Directive)

Opt-in = explicit prior consent required for electronic marketing (default rule for all recipients). Soft opt-in = exception allowing marketing to existing customers without prior consent, provided: same organization, similar products/services, and opt-out provided at collection and in every message. Soft opt-in is the EXCEPTION; opt-in is the DEFAULT.

CCTV (Public Areas) vs. CCTV (Workplace)

Public area CCTV: DPIA usually required (systematic monitoring of public spaces), lawful basis typically legitimate interests, mandatory signage. Workplace CCTV: also usually legitimate interests, but employment power imbalance makes proportionality scrutiny higher, blanket monitoring without specific purpose is disproportionate, employees must be informed of monitoring scope.

Right to Object (Article 21(1)) vs. Right to Object to Direct Marketing (Article 21(2))

Article 21(1) — grounds: legitimate interests or public task processing. Controller can override by demonstrating compelling legitimate grounds that outweigh data subject interests. Article 21(2) — grounds: any direct marketing processing. Absolute right. No override. Controller must stop immediately. This distinction is one of the most commonly tested traps.

Dark Patterns (EDPB) vs. Deceptive Design Patterns (EU AI Act context)

EDPB Guidelines 3/2022 classify dark patterns as privacy-unfriendly interface design that manipulates users against their privacy interests — this is a GDPR compliance violation (transparency, fairness). The EU AI Act separately addresses algorithmic manipulation. For CIPP/E, focus on the EDPB dark pattern taxonomy (overloading, skipping, stirring, obstructing, fickle, left in the dark).

Scenario Tips

If the question asks about:

An online retailer sends promotional emails to past customers about new product categories. The original purchase was for electronics; the new emails are about clothing. The emails include an unsubscribe link. Is this lawful under ePrivacy?

Answer:

No. The soft opt-in exception requires 'similar products or services.' Electronics and clothing are not similar products. Without a valid opt-in consent, these emails violate the ePrivacy Directive's electronic marketing rules. The unsubscribe link is a necessary condition for the exception but does not validate it when the products are dissimilar.

Distractor to avoid:

Choosing 'yes, because an unsubscribe link is included' ignores the similar-product condition. The soft opt-in has three requirements; the unsubscribe link satisfies only one of them.

If the question asks about:

An employer installs software that captures screenshots of employees' screens every 5 minutes and logs all keystrokes, citing productivity monitoring as the purpose. Employees were not informed.

Answer:

This violates Article 5(1)(a) transparency most directly. Secondary violations include data minimisation (keylogging captures everything, not just productivity-relevant data) and likely the necessity/proportionality requirements for employee monitoring. The lack of employee notice is the foundational violation.

Distractor to avoid:

Choosing 'storage limitation' or 'purpose limitation' as the primary violation is technically arguable but wrong in the exam context. The MOST DIRECT violation is transparency: employees were not informed. Identifying the primary principle matters.

If the question asks about:

A data subject opts out of all direct marketing by email, but the company continues to send marketing messages, citing a compelling legitimate interest in maintaining customer relationships.

Answer:

This is unlawful. Article 21(2) creates an absolute right to object to direct marketing. Once exercised, the controller MUST stop. Legitimate interest cannot override Article 21(2) objections to direct marketing. This is the absolute right exception to the general balancing test.

Distractor to avoid:

Selecting 'the company may continue with documented legitimate interest' is the classic Article 21(2) trap. General Article 21(1) allows compelling ground override; Article 21(2) does not.

If the question asks about:

A company's cookie banner has all tracking cookies pre-selected by default with a large 'Accept' button and a small, grey 'Manage preferences' link. A user clicks 'Accept'. Is this valid consent?

Answer:

No. The design violates valid consent requirements under GDPR/ePrivacy: (1) pre-selected tracking cookies are not freely given (the Planet49 ruling), (2) the asymmetric design (large Accept vs tiny Manage preferences) constitutes a dark pattern (EDPB Guidelines 3/2022 — 'obstructing' and 'stirring'), making consent not freely given or specific.

Distractor to avoid:

Choosing 'yes, because the user clicked Accept' is wrong. Clicking Accept on a pre-selected design is not an unambiguous, affirmative action and is classified as a dark pattern that invalidates consent.
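As an added example (not from these notes, and not from any real consent-management product), a small JavaScript consent gate that encodes the cookie rules from the Must-Know Facts and the banner scenario above: strictly necessary cookies are set without consent, every other category waits for an explicit per-category opt-in, and a control that was pre-selected by the site and never touched by the user is discarded rather than treated as consent (the Planet49 point). The cookie names, the category table and the function names are this example's own assumptions.

```javascript
// Added example: a consent gate for non-essential cookies.
// Rules encoded (from the CIPP/E notes, not from any library):
//   - strictly necessary cookies never need consent
//   - analytics / advertising / social cookies need PRIOR, explicit,
//     per-category opt-in
//   - a pre-ticked control the user never touched is NOT consent,
//     even if the user then clicks "Accept"
// Cookie names and categories below are constructed for the example.
const COOKIE_CATEGORIES = {
  necessary: ["session_id", "csrf_token", "cart"],
  analytics: ["_ga", "_gid"],
  advertising: ["ads_id", "pixel_id"],
  social: ["share_widget"],
};

// formState: per non-necessary category, { checked, userToggled }.
//   checked     - the control's state when "Accept" was clicked
//   userToggled - true only if the user actively changed the control
// Consent is recorded only where the user performed an affirmative act;
// a checked-but-untouched control is a pre-ticked box and is dropped.
function buildConsentRecord(formState, timestamp) {
  const granted = {};
  for (const category of Object.keys(COOKIE_CATEGORIES)) {
    if (category === "necessary") continue;
    const control = (formState && formState[category]) || {};
    granted[category] = control.userToggled === true && control.checked === true;
  }
  return { granted, timestamp, source: "banner" };
}

// True if the named cookie may be written under the given consent record.
// Unknown cookie names are treated as non-essential and fail closed.
function canSetCookie(cookieName, consentRecord) {
  for (const [category, names] of Object.entries(COOKIE_CATEGORIES)) {
    if (!names.includes(cookieName)) continue;
    if (category === "necessary") return true; // no consent needed
    return Boolean(consentRecord && consentRecord.granted[category] === true);
  }
  return false;
}

// Browser-side writer: only sets the cookie when the gate allows it.
// `doc` defaults to the global document so the function also loads in Node.
function setCookieIfAllowed(cookieName, value, consentRecord, doc = globalThis.document) {
  if (!canSetCookie(cookieName, consentRecord)) return false;
  if (doc) {
    doc.cookie = `${cookieName}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`;
  }
  return true;
}

// The scenario from the notes: every tracking category pre-selected,
// user clicks the big "Accept" button without touching anything.
const preTickedAccept = buildConsentRecord(
  {
    analytics: { checked: true, userToggled: false },
    advertising: { checked: true, userToggled: false },
    social: { checked: true, userToggled: false },
  },
  "2024-01-01T00:00:00Z" // constructed timestamp
);
// A compliant banner: nothing pre-selected, user actively enables analytics.
const activeOptIn = buildConsentRecord(
  { analytics: { checked: true, userToggled: true } },
  "2024-01-01T00:00:00Z"
);
```

`canSetCookie("_ga", preTickedAccept)` is `false` while `canSetCookie("session_id", null)` is `true`; only `activeOptIn` unlocks the analytics cookies.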

Last-Minute Facts

1. Planet49 CJEU ruling: pre-ticked cookie consent boxes are INVALID. Date: 2019.
2. Soft opt-in requires ALL THREE: existing customer + similar products/services + opt-out at collection and in each message.
3. Article 21(2) right to object to direct marketing: ABSOLUTE. No override. No balancing. Controller must stop without delay.
4. EDPB dark pattern taxonomy: Overloading, Skipping, Stirring, Obstructing, Fickle, Left in the dark.
5. EDPB Guidelines 3/2019: video surveillance processing under GDPR.
6. EDPB Guidelines 8/2020: targeting of social media users — advertisers are typically controllers for targeting criteria they set.
7. Employment context: consent is almost always invalid. Use contract (6(1)(b)), legal obligation (6(1)(c)), or legitimate interests (6(1)(f)) with documented balancing test.
8. EU AI Act: real-time biometric identification in public spaces by law enforcement = unacceptable risk (banned with narrow exceptions). Post-processing biometric identification = high risk AI.
