General Exam Tips
- 1.Read ALL four answer options before choosing. IAPP questions often have two plausible-looking answers; the difference is usually one precise word or condition.
- 2.Watch for qualifier words: 'most likely,' 'best,' 'primary,' and 'except' change the entire question. Underline them mentally before reading options.
- 3.Read scenario questions by scanning the QUESTION FIRST, then the scenario. This tells you exactly what detail to look for and prevents information overload.
- 4.Flag tricky questions and bank easy points first. Return to flagged items with remaining time rather than stalling mid-exam.
- 5.When two answers seem equally correct, go with your first instinct. Do not talk yourself into an answer by inventing context not given in the question.
- 6.Of 90 questions, only 75 are scored. Pilot questions are indistinguishable, so treat every question as scored.
- 7.Aim for 65-70% correct on practice exams before sitting. The passing scaled score of 300/500 corresponds to roughly 62-65% correct on scored questions, but the psychometric weighting varies.
- 8.Avoid non-IAPP practice question banks. Unofficial questions frequently contain wrong answers that create false confidence and wrong mental models.
- 9.Time budget: 150 minutes / 90 questions = 100 seconds per question. Scenarios with longer text deserve more time; budget accordingly.
- 10.On questions about 'which lawful basis applies,' eliminate those that clearly don't fit, then distinguish between the two most plausible by asking: does the data subject have genuine free choice, and is there a documented balancing test?
Introduction to European Data Protection
Must-Know Facts
- The chronological chain of instruments: UDHR Article 12 (1948, universal privacy right) → ECHR Article 8 (1950, binding European privacy right) → OECD Guidelines (1980, non-binding) → Convention 108 (1981, first binding data protection treaty) → Directive 95/46/EC (1995, EU-level, required national transposition) → GDPR (entered into force May 2016, applicable from 25 May 2018). Note the order of the two 1980/1981 instruments: the non-binding OECD Guidelines came a year before the binding Convention 108.
- Convention 108 is a COUNCIL OF EUROPE instrument. The Council of Europe is a separate international body distinct from EU institutions. More than 50 states have ratified it, including several outside Europe, so its membership is well beyond that of the EU.
- Convention 108+ (the 2018 modernising protocol) updated the original treaty with GDPR-style concepts such as accountability, breach notification, stronger transparency and data subject rights, and coverage of new technologies.
- GDPR replaced Directive 95/46/EC because directives require national transposition, producing 28 divergent national implementations. A regulation applies directly in all member states without transposition.
- ePrivacy Directive (2002/58/EC) is lex specialis for electronic communications: governs cookies, direct marketing via electronic means, confidentiality of communications, traffic and location data. The proposed ePrivacy Regulation to replace it has NOT been adopted.
- NIS2 Directive: cybersecurity obligations for essential and important entities (energy, transport, banking, health, digital infrastructure). It intersects with but does not replace GDPR security obligations under Article 32.
- EU AI Act risk tiers: Unacceptable (banned — social scoring, real-time biometric ID in public by law enforcement with narrow exceptions), High (strict compliance — hiring, credit, critical infrastructure), Limited (transparency obligations), Minimal (no requirements). GDPR principles of data minimisation, transparency, and accountability apply to all AI processing.
- EU Data Act: focuses on non-personal data sharing and user rights to data generated by connected devices. Where it involves personal data, GDPR applies simultaneously.
- EU institutions for exam purposes: European Commission (proposes legislation, issues adequacy decisions, adopts SCCs), European Parliament + Council of the EU (co-legislators), CJEU (interprets EU law — issued Schrems I and II rulings), EDPB (consistency and guidance body, replaces WP29).
Common Traps
Confusing Pairs
Scenario Tips
A question asks which legal instrument was the FIRST binding international treaty specifically on data protection
Convention 108 (1981). The ECHR (1950) established a privacy right but not a data protection framework. OECD Guidelines (1980) were non-binding. Convention 108 was the first binding data protection treaty.
ECHR Article 8 (1950) is tempting because it came first and is binding, but it is a human rights treaty with a general privacy right, not a specific data protection instrument.
A question asks which framework governs consent for placing analytics cookies on EU users' browsers
The ePrivacy Directive as lex specialis. Although the quality of consent is judged by GDPR standards, the requirement to obtain consent for non-essential cookies comes from the ePrivacy Directive, not GDPR directly.
GDPR Article 6(1)(a) is often chosen, but this conflates the source of the cookie consent obligation (ePrivacy Directive) with the quality standard of consent (GDPR). The exam specifically tests this distinction.
Last-Minute Facts
European Data Protection Law and Regulation
Must-Know Facts
- Seven GDPR principles (Article 5, memorize in order): (1) Lawfulness/fairness/transparency, (2) Purpose limitation, (3) Data minimisation, (4) Accuracy, (5) Storage limitation, (6) Integrity and confidentiality, (7) Accountability.
- Six lawful bases (Article 6): (a) Consent, (b) Contract, (c) Legal obligation, (d) Vital interests, (e) Public task, (f) Legitimate interests. Know which are available to public authorities and which to private actors — public authorities generally cannot use legitimate interests.
- All eight data subject rights: Article 15 (access), Article 16 (rectification), Article 17 (erasure/right to be forgotten), Article 18 (restriction of processing), Article 19 (notification obligation), Article 20 (data portability), Article 21 (right to object), Article 22 (automated decision-making and profiling).
- Consent validity conditions (Article 7): freely given, specific, informed, unambiguous. Must be as easy to withdraw as to give. Cannot be bundled with a contract where processing is not necessary. Cannot use pre-ticked boxes (CJEU Planet49 ruling).
- Children's consent (Article 8): applies where an information society service is offered directly to a child and the lawful basis is consent. Age threshold is 16 (member states may lower it to no less than 13). Below the threshold, consent must be given or authorised by the holder of parental responsibility, and the controller must make reasonable efforts to verify this.
- Special categories (Article 9): racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic data, biometric data used for identification, health data, sex life/sexual orientation. Financial data, criminal convictions (covered by Article 10), and IP addresses are NOT Article 9 special categories.
- Ten Article 9(2) exceptions: explicit consent, employment/social security, vital interests, legitimate activities of not-for-profit bodies, manifestly public data, legal claims, substantial public interest, health/social care, public health, archiving/research/statistics.
- Breach notification to supervisory authority (Article 33): without undue delay and, where feasible, within 72 hours of becoming AWARE, unless the breach is unlikely to result in RISK to rights and freedoms. Late notification must be accompanied by reasons for the delay. Notification can be phased (Article 33(4)). A processor must notify the controller without undue delay after becoming aware (Article 33(2)), and every breach must be documented internally whether or not it is notified (Article 33(5)).
- Breach notification to data subjects (Article 34): without undue delay when the breach is likely to result in HIGH RISK. Not required if: the data was rendered unintelligible to unauthorised persons (e.g. encryption whose keys were not compromised), the controller has taken subsequent measures so the high risk is no longer likely to materialise, or individual notice would involve disproportionate effort (a public communication is used instead). The supervisory authority can also order the controller to notify.
- Security of processing (Article 32): 'appropriate' technical and organisational measures — the standard is risk-based, not absolute. Measures explicitly listed: pseudonymisation and encryption; the ability to ensure ongoing confidentiality, integrity, availability and resilience of systems; the ability to restore availability and access in a timely manner after an incident; and regular testing and evaluation of the measures' effectiveness.
- Article 22: right not to be subject to SOLELY automated decisions that produce LEGAL or SIMILARLY SIGNIFICANT effects. Exceptions: necessary for a contract, authorised by EU or member state law, or explicit consent. Under the contract and explicit-consent exceptions the controller must provide safeguards including the right to obtain human intervention, to express a point of view and to contest the decision (Article 22(3)); where the decision is authorised by law, that law must itself lay down suitable safeguards.
- EDPB Guidelines 1/2024 (Legitimate Interests): three-part test — (1) identify a specific, real, and present legitimate interest; (2) demonstrate processing is strictly necessary (not merely useful); (3) balance interests against data subject's rights, considering context, nature of data, and reasonable expectations.
- 2025 Body of Knowledge update added: EDPB Opinion 22/2024 (controller obligations when relying on processors and sub-processors), EDPB Opinion 04/2024 (main establishment criteria for one-stop-shop eligibility), Guidelines 1/2024 (legitimate interests), AI governance under GDPR.
Common Traps
Confusing Pairs
Scenario Tips
An employer makes all new hires sign a consent form for payroll data processing as a condition of starting work
The consent is invalid. Employment creates a power imbalance: the employee cannot freely refuse without losing their job. The correct lawful basis for payroll is Article 6(1)(b) (contract performance) or Article 6(1)(c) (legal obligation). EDPB has explicitly stated employment consent is rarely freely given.
Option 'A — consent is valid because the employee signed' is wrong. The fact of signing is irrelevant if consent was not freely given.
A company uses behavioral advertising, collects browsing data, and wants to rely on legitimate interests. The question asks whether this is valid.
For behavioral advertising specifically, legitimate interest CANNOT be used because the ePrivacy Directive requires prior consent for placing tracking cookies. Even if legitimate interest passes the three-part test under GDPR, the ePrivacy Directive as lex specialis overrides and requires consent.
Candidates often select legitimate interest as valid because it passes the three-part test in isolation, without applying the ePrivacy overlay.
A data subject requests deletion of their medical records. The healthcare provider has a statutory obligation to retain records for 10 years.
The provider can refuse under Article 17(3)(b) — processing is necessary for compliance with a legal obligation. The right to erasure does not override statutory retention requirements.
Some candidates choose 'legitimate interest' as the basis for refusal. Wrong — the exception is LEGAL OBLIGATION under Article 17(3)(b), not a reliance on legitimate interest.
A company discovers a ransomware attack on Monday. Investigation reveals the scope only on Wednesday. When does the 72-hour clock start?
Monday, when the controller first became aware with reasonable certainty that a breach occurred. The investigation timeline does not reset the clock. The controller can submit an initial notification on Monday and supplement it later as details emerge.
Choosing Wednesday (when full scope is known) is the common wrong answer. Article 33 says 'upon becoming aware' — initial awareness starts the clock.
A data subject asks for their data in portable format. The company holds: (1) name and email they provided during registration, (2) purchase history recorded from their transactions, (3) preference profile inferred from browsing behavior.
The name, email and purchase history are portable; the inferred preference profile is not. Article 20 covers data 'provided by' the data subject, and the WP29/EDPB guidelines on data portability read this as both data actively given (name, email) and data observed through use of the service (transaction history, activity logs, location or device data). Data the controller derives or infers from that input (a preference profile, a risk score) is created by the controller and falls outside the right. Portability also requires that the processing rests on consent or contract and is carried out by automated means.
Choosing all three items is wrong, but so is choosing only the registration details. The distinction the exam tests is between 'provided' data (which includes observed data) and 'inferred/derived' data.
A question presents a data subject exercising their right to object to direct marketing and asks what the controller must do
Stop processing for direct marketing purposes immediately. The right to object to direct marketing under Article 21(2) is absolute — no balancing test, no overriding grounds. 'Without delay' means immediately upon receipt of the objection.
Choosing 'the controller can continue if they have a compelling legitimate interest' is wrong. The absolute nature of Article 21(2) is a favorite exam trap.
Last-Minute Facts
European Data Processing
Must-Know Facts
- Transparency information split by source: Article 13 applies when data is collected DIRECTLY from the data subject (provide information AT TIME of collection). Article 14 applies when data is collected FROM THIRD PARTIES (provide within reasonable period, max one month; or at first communication; or before first disclosure to another recipient).
- International transfer mechanism hierarchy: (1) Adequacy decision by European Commission → no additional safeguards needed. (2) Appropriate safeguards (SCCs, BCRs, approved codes of conduct, certification mechanisms) → may require Transfer Impact Assessment. (3) Article 49 derogations → last resort for occasional transfers only.
- Current adequacy decisions cover, among others: Andorra, Argentina, Canada (commercial organisations only), the Faroe Islands, Guernsey, the Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, Uruguay, the UK, and the US under the EU-US Data Privacy Framework (DPF). The DPF only covers US organisations that SELF-CERTIFY; transfers to any other US recipient need an Article 46 safeguard.
- SCCs (Standard Contractual Clauses): 2021 modular SCCs have four modules — C2C (controller-to-controller), C2P (controller-to-processor), P2C (processor-to-controller), P2P (processor-to-processor). Must be used without modification.
- Schrems II (CJEU 2020): invalidated Privacy Shield, required TIAs for SCCs. Even with SCCs, you must assess whether the recipient country's laws (especially government surveillance) undermine contractual protections. If they do, supplementary measures are required.
- Transfer Impact Assessment (TIA): mandatory assessment after Schrems II when using SCCs or other Article 46 mechanisms. Evaluates the legal framework of the recipient country, specifically whether government surveillance powers compromise GDPR-level protection.
- Binding Corporate Rules (BCRs): for INTRA-GROUP transfers within a multinational corporate group. Require supervisory authority approval. Cover both controller BCRs and processor BCRs. Not available for transfers between unrelated organizations.
- Article 49 derogations (use sparingly): explicit consent for occasional transfers, necessity for contract with data subject, necessity for important public interest reasons, vital interests, establishment or defence of legal claims, data from public register. Cannot be used as systematic transfer mechanism.
- Transparency requirements under Article 12: information must be concise, transparent, intelligible, easily accessible, clear and plain language, and where possible supported visually. Free of charge. Provide within one month of request (can extend by two months for complex/numerous requests).
Common Traps
Confusing Pairs
Scenario Tips
A multinational company regularly transfers employee data from its EU subsidiary to its US parent company for HR management purposes. No adequacy decision covers this transfer type. What mechanism should it use?
Binding Corporate Rules (BCRs) are ideal for regular, systematic intra-group transfers. SCCs would also work but BCRs provide more operational flexibility for a corporate group. Article 49 derogation (employee consent) is wrong because the employment power imbalance makes consent non-freely-given, and derogations cannot serve as the systematic mechanism for regular transfers.
Consent derogation under Article 49 appears plausible because there are named employees, but it is wrong for two reasons: employment consent is not freely given, and Article 49 is for occasional transfers only.
After Schrems II, a company implements SCCs for its transfer to a US vendor. Is anything else needed?
Yes. The company must conduct a Transfer Impact Assessment (TIA) to evaluate US surveillance law (FISA Section 702, Executive Order 12333) and determine whether it undermines SCC protections. If the TIA reveals risks, supplementary measures must be implemented, following EDPB Recommendations 01/2020: technical measures such as encryption with keys held only in the EU or pseudonymisation designed so the importer cannot re-identify, plus contractual and organisational measures such as transparency obligations and commitments to challenge access requests. Contractual measures alone cannot cure a legal regime that lets authorities compel access to data in the clear.
Selecting 'SCCs alone are sufficient' is the classic Schrems II trap. SCCs do not automatically ensure adequate protection — they must be backed by a TIA.
A company acquires personal data about EU residents from a data broker and wants to use it for marketing. When must it provide transparency information to data subjects?
Article 14 applies (data not collected directly). Information must be provided within a reasonable period and no later than one month after obtaining the data, or at first communication with the data subject, or before first disclosure to another party — whichever comes first.
Selecting Article 13 (at time of collection) is wrong because Article 13 only applies when the data subject directly provides data to the controller.
Last-Minute Facts
European Data Protection: Scope and Accountability
Must-Know Facts
- Territorial scope (Article 3): three triggers — (1) ESTABLISHMENT: any processing in the context of activities of an EU establishment, regardless of where processing occurs. (2) TARGETING: non-EU organization offering goods or services to EU data subjects (free or paid). (3) MONITORING: non-EU organization monitoring behavior of EU data subjects.
- Indicators of 'targeting' per EDPB: use of EU country languages (not just English), EU currencies, delivery options to EU countries, mention of EU users in marketing, .eu domains or local EU domains.
- Article 27 Representative: non-EU controllers and processors subject to GDPR via Article 3(2) must designate an EU representative IN WRITING. Exceptions: occasional processing not on large scale, no high risk, public authority.
- Controller vs. Processor distinction (Articles 4, 26, 28): Controller = determines purposes AND means. Processor = processes on behalf of and under instructions of the controller. Joint controllers = two or more jointly determining purposes and means, must have a joint controller arrangement (Article 26).
- DPIA triggers (Article 35, GDPR + EDPB guidance): (1) Systematic and extensive profiling with legal/significant effects, (2) Large-scale processing of special categories or criminal conviction data, (3) Systematic monitoring of publicly accessible areas. EDPB and national authorities publish positive lists of additional triggers.
- DPIA content requirements: description of processing and purposes, assessment of necessity and proportionality, assessment of risks to data subjects, measures envisaged to address the risks. Must be done BEFORE processing begins.
- Mandatory DPO appointment (Articles 37-39): public authorities and bodies (except courts acting in their judicial capacity); organisations whose CORE activities consist of large-scale, regular and systematic monitoring of data subjects; organisations whose core activities consist of large-scale processing of special categories or criminal conviction data. The DPO can be internal or external and shared across a group, but must have expert knowledge of data protection law and practice, and contact details must be published and communicated to the supervisory authority.
- DPO independence requirements: cannot receive instructions on how to perform their tasks, cannot be dismissed for performing their duties, must report directly to highest management level, must not have conflicts of interest from other responsibilities.
- Administrative fines tiers (Article 83): Lower tier — up to 10M EUR or 2% of total worldwide annual turnover for Articles 8, 11, 25-39, 42-43 violations (procedural, DPO, DPIA, Records of Processing). Higher tier — up to 20M EUR or 4% for Articles 5-7, 9, 12-22, 44-49, and supervisory authority orders.
- One-stop-shop mechanism: organizations with cross-border processing are regulated primarily by the supervisory authority of their MAIN ESTABLISHMENT (where central administration is, or where decisions on purposes/means are taken). Under EDPB Opinion 04/2024, proof of main establishment requires governance documentation, decision-making logs, and organizational charts.
- Records of Processing Activities (ROPA, Article 30): controllers must maintain written records documenting controller identity, purposes, categories of data and data subjects, recipients, international transfers, retention periods, and security measures. Processors maintain their own separate ROPA. Exception: organisations with fewer than 250 employees are EXEMPT unless processing poses a risk, is not occasional, or involves special categories or criminal data — in practice most organisations must maintain a ROPA regardless.
Common Traps
Confusing Pairs
Scenario Tips
A US-based app collects location and behavioral data from users worldwide. The app is in English only and prices are in USD. But it has 2 million users in France and Germany. Does GDPR apply?
Yes. Under Article 3(2)(b), monitoring the behavior of EU data subjects (through location and behavioral tracking) triggers GDPR regardless of establishment or the language/currency used. The existence of 2 million EU users and behavioral tracking is the determining factor.
Choosing 'no, because the app is in English and USD only' is wrong. Language and currency are indicators of targeting but are not required for GDPR to apply. Behavioral monitoring is a separate, independent trigger.
An organization appoints its Legal Director as DPO. The Legal Director also advises on GDPR compliance strategies and signs data processing agreements on behalf of the company. Is there a problem?
Yes — conflict of interest. The Legal Director participates in determining how personal data is processed (controller functions: advising on compliance strategies, signing processing agreements). The DPO must be able to independently oversee these very activities. Article 38(6) prohibits the DPO from holding positions that result in a conflict of interest.
Selecting 'no conflict because the Legal Director has legal expertise' is wrong. GDPR expertise is a qualification for the DPO role, but it does not eliminate the conflict created by simultaneously acting as controller.
A company launches a new AI-powered hiring tool that automatically ranks job applicants based on CV analysis and video interview sentiment scoring. Before launching, what must the company do?
Conduct a DPIA before launching. This processing: involves automated decision-making with significant (employment-related) effects, large-scale processing, and likely biometric/health-adjacent data from sentiment analysis. It meets multiple DPIA triggers. The DPIA must be completed BEFORE processing begins, and if residual risk is high, consult the supervisory authority first.
Choosing 'obtain consent from job applicants before processing' is incomplete. Consent alone does not substitute for a DPIA, and employment consent may be invalid due to power imbalance.
Last-Minute Facts
Compliance with European Data Protection Law and Regulation
Must-Know Facts
- Employment data: consent is almost always inappropriate due to power imbalance. Lawful bases for employment processing: Article 6(1)(b) (contract), Article 6(1)(c) (legal obligation), Article 6(1)(f) (legitimate interests with documented balancing test). Employee monitoring must be proportionate, transparent (employees informed), and limited to what is necessary.
- Video surveillance (CCTV): requires lawful basis (usually legitimate interests), must provide transparent notice (signage visible before entering monitored area), DPIA required for systematic monitoring of public spaces, retention periods must be justified (typically days/weeks, not months). EDPB Guidelines 3/2019 on video surveillance.
- ePrivacy Directive direct marketing rules: OPT-IN required for electronic direct marketing (email, SMS, automated calls). Exception — SOFT OPT-IN for existing customers: same company, similar products/services, customer given opt-out opportunity at collection and in every subsequent message.
- Cookies: strictly necessary cookies (session management, user-requested features) do NOT require consent. All other cookies (analytics, advertising, preference, social media tracking) require PRIOR informed consent. Cookie walls that deny access unless users consent may be invalid depending on whether alternatives exist.
- Article 21(2) — right to object to direct marketing: ABSOLUTE right. Controller must cease processing for direct marketing purposes without delay. Cannot be overridden by compelling legitimate grounds (unlike the Article 21(1) general objection). It applies whatever lawful basis the marketing relies on, including related profiling, and must be brought explicitly to the data subject's attention at the latest at the first communication (Article 21(4)).
- Dark patterns (EDPB Guidelines 3/2022 on deceptive design patterns in social media interfaces): six categories — Overloading (excessive information/requests), Skipping (designing so users forget or ignore privacy aspects), Stirring (emotional or visual manipulation), Hindering (obstructing or delaying privacy choices), Fickle (inconsistent or unclear interface), Left in the dark (information hidden or ambiguous). These undermine transparency, fairness and the validity of consent.
- Article 22 automated decisions in employment/AI contexts: employers cannot make SOLELY automated hiring, firing, or performance management decisions with legal/significant effects without offering human review, human override capability, and an explanation of the logic involved.
- Facial recognition in public spaces: under EU AI Act, real-time biometric identification of natural persons in publicly accessible spaces by law enforcement is classified as UNACCEPTABLE RISK AI (banned) with very narrow exceptions. Non-law-enforcement uses are typically high-risk AI requiring DPIA under GDPR.
- Whistleblowing: EU Whistleblower Directive (2019/1937) requires internal reporting channels. These channels process personal data of both the whistleblower and the reported individual — both data subjects have GDPR rights, but controllers can restrict rights (e.g., access by reported person) under Article 23 to protect the reporting process.
- EDPB social media targeting guidelines: advertisers are typically controllers for the targeting criteria they set; platforms are controllers for their own targeting tools. This creates joint controller relationships requiring Article 26 arrangements.
Common Traps
Confusing Pairs
Scenario Tips
An online retailer sends promotional emails to past customers about new product categories. The original purchase was for electronics; the new emails are about clothing. The emails include an unsubscribe link. Is this lawful under ePrivacy?
No. The soft opt-in exception requires 'similar products or services.' Electronics and clothing are not similar products. Without a valid opt-in consent, these emails violate the ePrivacy Directive's electronic marketing rules. The unsubscribe link is a necessary condition for the exception but does not validate it when the products are dissimilar.
Choosing 'yes, because an unsubscribe link is included' ignores the similar-product condition. The soft opt-in has several cumulative conditions (details obtained in the course of a sale, the same company, its own similar products or services, and an opt-out offered at collection and in every message); the unsubscribe link satisfies only the last of them.
An employer installs software that captures screenshots of employees' screens every 5 minutes and logs all keystrokes, citing productivity monitoring as the purpose. Employees were not informed.
This violates Article 5(1)(a) transparency most directly. Secondary violations include data minimisation (keylogging captures everything, not just productivity-relevant data) and likely the necessity/proportionality requirements for employee monitoring. The lack of employee notice is the foundational violation.
Choosing 'storage limitation' or 'purpose limitation' as the primary violation is technically arguable but wrong in the exam context. The MOST DIRECT violation is transparency: employees were not informed. Identifying the primary principle matters.
A data subject opts out of all direct marketing by email but the company continues to send marketing messages, citing a compelling legitimate interest in maintaining customer relationships
This is unlawful. Article 21(2) creates an absolute right to object to direct marketing. Once exercised, the controller MUST stop. Legitimate interest cannot override Article 21(2) objections to direct marketing. This is the absolute right exception to the general balancing test.
Selecting 'the company may continue with documented legitimate interest' is the classic Article 21(2) trap. General Article 21(1) allows compelling ground override; Article 21(2) does not.
A company's cookie banner has all tracking cookies pre-selected by default with a large 'Accept' button and a small, grey 'Manage preferences' link. A user clicks 'Accept'. Is this valid consent?
No. The design violates valid consent requirements under GDPR/ePrivacy: (1) pre-selected tracking cookies mean there is no affirmative act for each category (the CJEU Planet49 ruling), (2) the asymmetric design (large Accept vs small grey Manage preferences, and no equally prominent reject option) is a deceptive design pattern (EDPB Guidelines 3/2022 — 'hindering' and 'stirring'), so any consent obtained is neither freely given nor specific, and refusing is not as easy as accepting.
Choosing 'yes, because the user clicked Accept' is wrong. Clicking Accept on a pre-selected design is not an unambiguous, affirmative action for each purpose, and the banner design itself invalidates the consent it collects.
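The cookie rules in the Must-Know Facts (strictly necessary cookies exempt, everything else gated on prior consent) and the banner scenario just above are easier to reason about as client-side code. The following is an added example written for this page, not code from the original or from any vendor's consent tool. The category names, cookie names and POLICY_VERSION are assumptions chosen for illustration; the "scenario banner" is a constructed model of the design described in the scenario.

```javascript
// Added example: client-side consent gating for non-essential cookies.
// Category and cookie names and POLICY_VERSION are illustrative assumptions.
const POLICY_VERSION = "2024-06";

const COOKIE_CATEGORIES = {
  essential:   { exempt: true,  cookies: ["session_id", "csrf_token"] },
  analytics:   { exempt: false, cookies: ["_ga", "_gid"] },
  advertising: { exempt: false, cookies: ["_fbp", "ads_id"] },
};

// State before any user action: only the exempt (strictly necessary) category is on.
function defaultChoices() {
  const choices = {};
  for (const [name, cat] of Object.entries(COOKIE_CATEGORIES)) choices[name] = cat.exempt;
  return choices;
}

// A banner whose first layer offers Accept and Reject with equal prominence and
// whose preference form pre-selects no non-essential category.
function compliantBannerModel() {
  return {
    actions: [
      { id: "accept-all", label: "Accept all",         prominence: "primary" },
      { id: "reject-all", label: "Reject all",         prominence: "primary" },
      { id: "manage",     label: "Manage preferences", prominence: "secondary" },
    ],
    toggles: Object.entries(COOKIE_CATEGORIES).map(([name, cat]) => ({
      category: name,
      checked: cat.exempt, // non-essential categories start unchecked
      locked: cat.exempt,  // essential cannot be switched off; no consent is sought for it
    })),
  };
}

// Constructed counter-example matching the scenario: everything pre-selected,
// one large Accept button, a small Manage link, no Reject at the same layer.
function scenarioBannerModel() {
  return {
    actions: [
      { id: "accept-all", label: "Accept",             prominence: "primary" },
      { id: "manage",     label: "Manage preferences", prominence: "tertiary" },
    ],
    toggles: Object.keys(COOKIE_CATEGORIES).map((name) => ({
      category: name, checked: true, locked: name === "essential",
    })),
  };
}

// Flags the design defects discussed in the scenario. Empty list means clean.
function auditBanner(model) {
  const issues = [];
  const preTicked = model.toggles.filter((t) => !t.locked && t.checked).map((t) => t.category);
  if (preTicked.length) issues.push("pre-ticked non-essential categories: " + preTicked.join(", "));
  const accept = model.actions.find((a) => a.id === "accept-all");
  const reject = model.actions.find((a) => a.id === "reject-all");
  if (accept && !reject) issues.push("no reject option on the same layer as accept");
  else if (accept && reject && accept.prominence !== reject.prominence)
    issues.push("reject is less prominent than accept");
  return issues;
}

// Turns an explicit user action into a consent record. Page load, scrolling or
// closing the banner are not affirmative acts and therefore throw instead.
function recordConsent(action, toggleState = {}, now = Date.now()) {
  const choices = defaultChoices();
  if (action === "accept-all") {
    for (const name of Object.keys(choices)) choices[name] = true;
  } else if (action === "save-preferences") {
    for (const [name, cat] of Object.entries(COOKIE_CATEGORIES))
      if (!cat.exempt) choices[name] = toggleState[name] === true;
  } else if (action !== "reject-all") {
    throw new Error("consent requires an explicit user action, got: " + action);
  }
  return { version: POLICY_VERSION, timestamp: now, choices };
}

// Withdrawal is a single call (as easy as giving consent) and returns the
// cookies the site must now delete.
function withdrawConsent(record, now = Date.now()) {
  const updated = { version: record.version, timestamp: now, choices: defaultChoices() };
  const cookiesToDelete = [];
  for (const [name, cat] of Object.entries(COOKIE_CATEGORIES))
    if (!cat.exempt && record.choices[name]) cookiesToDelete.push(...cat.cookies);
  return { record: updated, cookiesToDelete };
}

// Every cookie write goes through this gate. With no record, only exempt cookies pass.
function mayPlace(cookieName, record) {
  for (const [name, cat] of Object.entries(COOKIE_CATEGORIES)) {
    if (!cat.cookies.includes(cookieName)) continue;
    return cat.exempt || Boolean(record && record.choices[name] === true);
  }
  return false; // unknown cookie: deny by default
}
```

Wire `mayPlace` in front of whatever sets cookies or loads tag scripts, and persist the record returned by `recordConsent` (version and timestamp) so you can evidence what the user agreed to and under which policy text. `auditBanner` is the kind of check to run against the banner model in CI: the scenario banner fails on pre-ticked categories and on the missing reject option, while the compliant model passes.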