CertPrepNow
Updated 2026-06-15

CIPP/E Study Guide

Everything you need to pass the IAPP Certified Information Privacy Professional/Europe exam. Structured study plans, key services, common traps, and practice questions.

You Can Pass This Exam For Free

The CIPP/E exam is passable with free resources alone if you study consistently for 4-8 weeks:

  • IAPP CIPP/E Body of Knowledge v1.3.3 (free PDF download from IAPP)
  • IAPP free CIPP/E study guide (request from iapp.org)
  • Full GDPR text with recitals (gdpr-info.eu or privasy.eu/gdpr)
  • EDPB guidelines and recommendations (edpb.europa.eu)
  • EU AI Act official text and summaries (artificialintelligenceact.eu)
  • 500+ free practice questions on this site

The GDPR text itself is freely available and is the single most important resource. Combined with the free Body of Knowledge and EDPB guidelines, you have coverage of the vast majority of exam topics. IAPP recommends at least 30 hours of preparation.

Choose Your Study Path

Limited or no experience with privacy law or GDPR. You need to build foundational knowledge of European data protection from scratch.

  • Week 1: Download the CIPP/E Body of Knowledge and GDPR text. Read the GDPR preamble and recitals to understand the regulation's purpose. Learn the key definitions in Article 4: personal data, processing, controller, processor, consent, data subject.
  • Week 2: Study Domain I (Introduction): history of European data protection from Convention 108 through Directive 95/46/EC to GDPR. Learn the EU institutions (Commission, Parliament, Council, CJEU) and their roles in data protection.
  • Week 3: Study the ePrivacy Directive: cookie consent rules, electronic communications privacy, direct marketing opt-in requirements. Learn how it interacts with GDPR.
  • Week 4: Deep dive into Domain II (31% of exam): GDPR principles (Article 5), six lawful bases (Article 6), special categories of data (Article 9), data subject rights (Articles 15-22).
  • Week 5: Continue Domain II: security obligations (Article 32), data breach notification (Articles 33-34), EDPB guidelines on controller/processor concepts and data breach examples.
  • Week 6: Study Domain III (Data Processing): transparency requirements, international data transfers (Chapter V), adequacy decisions, SCCs, BCRs, Article 49 derogations, Schrems II implications.
  • Week 7: Study Domains IV and V: territorial scope (Article 3), DPIAs (Article 35), DPO requirements (Articles 37-39), supervisory authorities, enforcement and penalties, employment privacy, surveillance, and direct marketing compliance.
  • Week 8: Review all 14 EDPB guidelines on the exam syllabus. Take a full practice exam and identify weak areas.
  • Week 9: Focus on weak domains. Re-read the relevant GDPR articles. Practice scenario-based questions focusing on lawful bases and international transfers.
  • Week 10: Final review: take another full mock exam aiming for 70%+. Review confusable concepts and pay attention to qualifier words (most likely, best, primary, except).

Exam Overview

Format

90 multiple-choice questions (75 scored, 15 unscored pilot questions), 150 minutes with optional 15-minute break.

Scoring

Scaled score 100-500. Passing: 300. Psychometric weighting means the exact number of correct answers needed varies by exam form.

Domains & Weights

  • Introduction to European Data Protection: 13%
  • European Data Protection Law and Regulation: 31%
  • European Data Processing: 23%
  • European Data Protection: Scope and Accountability: 17%
  • Compliance with European Data Protection Law and Regulation: 16%

Registration

Exam fee is $550 USD. Available at Pearson VUE testing centers worldwide or online proctored via OnVUE. Offered in English, French, and German.

Topic Priority Table

Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.

  • Tier 1: Must Know. You must understand these concepts deeply, know the relevant GDPR articles, and be able to apply them in scenario-based questions. These appear across multiple questions.
  • Tier 2: Should Know. Understand these concepts and their key characteristics. May appear in 2-5 questions each.
  • Tier 3: Recognize Only. Know what these are at a high level. Rarely more than 1-2 questions each.

Domain 1 (13% of exam)

Introduction to European Data Protection

This domain covers the historical development of European data protection from its origins to the current regulatory landscape. You need to understand the evolution from Convention 108 through Directive 95/46/EC to the GDPR, key EU institutions, and related legislation including the ePrivacy Directive, NIS2 Directive, and EU AI Act.

Key Topics

Convention 108/108+ · Directive 95/46/EC · GDPR · ePrivacy Directive · NIS2 Directive · EU AI Act · European Data Act

Must-Know Concepts

  • Evolution of data protection: Universal Declaration of Human Rights (Article 12), European Convention on Human Rights (Article 8), Convention 108 (1981), Directive 95/46/EC (1995), GDPR (2016/2018)
  • Key EU institutions and their roles: European Commission (proposes legislation), European Parliament and Council (co-legislators), Court of Justice of the EU (interprets EU law), European Data Protection Board (ensures consistent GDPR application)
  • ePrivacy Directive (2002/58/EC): cookie consent requirements, electronic direct marketing rules (opt-in with soft opt-in exception), confidentiality of communications, traffic and location data rules
  • Relationship between ePrivacy and GDPR: ePrivacy is lex specialis (takes precedence in its specific domain); GDPR fills gaps where ePrivacy is silent
  • NIS2 Directive basics: cybersecurity obligations for essential and important entities, intersection with GDPR security requirements
  • EU AI Act risk classification: unacceptable (banned), high (strict compliance), limited (transparency), minimal (no requirements). How GDPR principles apply to AI
  • Why GDPR replaced Directive 95/46/EC: directive required national transposition leading to inconsistent implementation; regulation is directly applicable in all member states

Common Exam Traps

  • Convention 108 is a COUNCIL OF EUROPE treaty, not an EU instrument. The Council of Europe and the EU Council are different bodies.
  • The ePrivacy Directive is still in force. The proposed ePrivacy Regulation to replace it has not yet been adopted.
  • GDPR entered into force in May 2016 but only became applicable in May 2018, giving organizations a two-year transition period.
  • The NIS2 Directive is about cybersecurity, not data protection directly, but intersects with GDPR's security requirements under Article 32.

Quick Check: Introduction to European Data Protection

Which legal instrument first established binding data protection rules at the international level?

Domain 2 (31% of exam)

European Data Protection Law and Regulation

The heaviest domain at 31% with 18-28 scored questions. Covers the core GDPR provisions: key definitions, principles, lawful bases, data subject rights, security obligations, and breach notification. Master this domain or you will not pass. Focus on being able to apply these concepts in scenario-based questions, not just memorize definitions.

Key Topics

GDPR Article 4 (Definitions) · Article 5 (Principles) · Article 6 (Lawful Bases) · Articles 15-22 (Data Subject Rights) · Articles 32-34 (Security and Breach) · Article 9 (Special Categories)

Must-Know Concepts

  • Key definitions (Article 4): personal data, processing, controller, processor, filing system, consent, personal data breach, special categories, pseudonymisation, profiling, cross-border processing
  • Seven GDPR principles (Article 5): lawfulness/fairness/transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity/confidentiality, accountability
  • Six lawful bases (Article 6): consent, contract, legal obligation, vital interests, public task, legitimate interests. Know when each applies and the conditions for validity
  • All eight data subject rights: access (Art 15), rectification (Art 16), erasure (Art 17), restriction (Art 18), notification regarding rectification/erasure/restriction (Art 19), portability (Art 20), objection (Art 21), automated decision-making (Art 22)
  • Conditions for valid consent (Article 7): freely given, specific, informed, unambiguous. Burden of proof on controller. Children's consent (Article 8): parental verification for under-16 (member states may lower to 13)
  • Special categories processing prohibition and exceptions (Article 9): explicit consent, employment, vital interests, not-for-profit, manifestly public, legal claims, substantial public interest, health/social care, public health, archiving/research
  • Security of processing (Article 32): appropriate technical and organizational measures considering state of the art, cost, nature/scope/context/purposes, and risk. Pseudonymisation and encryption as example measures
  • Breach notification to supervisory authority (Article 33): within 72 hours, unless unlikely to result in risk. Breach notification to data subjects (Article 34): without undue delay when high risk, unless encryption or other measures eliminate risk
  • EDPB guidelines on: controller/processor concepts, data breach notification examples, data subject rights exercise, and right of access

Common Exam Traps

  • Consent is NOT always the best lawful basis. In employment, there is a power imbalance that often makes consent invalid. Legitimate interest or legal obligation may be more appropriate.
  • The right to erasure is NOT absolute. Exceptions include freedom of expression, legal obligations, public health, archiving, and legal claims.
  • Pseudonymisation is NOT anonymisation. Pseudonymised data is still personal data under GDPR. Only truly anonymous data falls outside GDPR scope.
  • The 72-hour breach notification deadline starts from when the controller BECOMES AWARE of the breach, not when the breach occurred.
  • Data portability only applies to data PROVIDED by the data subject, processed by AUTOMATED means, based on CONSENT or CONTRACT. It does not apply to all data or all lawful bases.

Quick Check: European Data Protection Law and Regulation

An employer requires all employees to consent to the processing of their personal data for payroll purposes as a condition of employment. Is this consent valid under GDPR?

Domain 3 (23% of exam)

European Data Processing

This domain covers the legal requirements for processing personal data in Europe, including transparency obligations, international data transfer mechanisms, and the conditions for lawful cross-border data flows. It heavily emphasizes practical scenarios involving transfer mechanisms, Schrems II compliance, and the EU-US Data Privacy Framework.

Key Topics

Transparency (Articles 12-14) · International Transfers (Chapter V) · Adequacy Decisions · SCCs · BCRs · Article 49 Derogations · EU-US Data Privacy Framework

Must-Know Concepts

  • Transparency requirements (Articles 12-14): information to be provided when data is collected directly (Art 13) vs obtained from third parties (Art 14). Must be concise, transparent, intelligible, easily accessible, in clear and plain language
  • International data transfer hierarchy: (1) adequacy decision, (2) appropriate safeguards (SCCs, BCRs, codes of conduct, certification), (3) derogations under Article 49
  • Adequacy decisions: Commission assesses third country's data protection level. Current adequacy countries include Japan, South Korea, UK, Canada (commercial), and the US under the EU-US Data Privacy Framework
  • Standard Contractual Clauses: four modules (C2C, C2P, P2P, P2C). After Schrems II, require Transfer Impact Assessment (TIA) to evaluate recipient country laws. Supplementary measures may be needed
  • Binding Corporate Rules: for multinational intra-group transfers. Require supervisory authority approval. Cover both controller and processor BCRs
  • Article 49 derogations: explicit consent, contract performance, important public interest, legal claims, vital interests, public register. These are exceptions, not regular transfer mechanisms
  • Schrems II impact: invalidated Privacy Shield, requires case-by-case assessment of third country laws when using SCCs. Must evaluate whether government surveillance powers undermine protection
  • EU-US Data Privacy Framework (2023): adequacy decision for US organizations self-certified under the DPF. Addresses Schrems II concerns through executive order limiting US intelligence access
  • Onward transfers: when data is transferred from the initial recipient to a further third country, additional safeguards are required

Common Exam Traps

  • Article 49 derogations are for OCCASIONAL transfers only (except for important reasons of public interest). They cannot be the primary mechanism for systematic, large-scale transfers.
  • SCCs are not a magic bullet after Schrems II. You MUST conduct a Transfer Impact Assessment even with SCCs in place. If the recipient country's laws undermine protection, supplementary measures are required.
  • The EU-US DPF only covers US organizations that SELF-CERTIFY under the framework. Not all US companies are covered by the adequacy decision.
  • Transparency requirements differ depending on whether data is collected directly from the data subject (Article 13) or obtained from a third party (Article 14). The information and timing requirements are different.
  • BCRs only work for INTRA-GROUP transfers within a corporate group. They cannot be used for transfers between unrelated organizations.

Quick Check: European Data Processing

A European company wants to transfer employee data to its subsidiary in a country without an adequacy decision on a regular, ongoing basis. Which transfer mechanism is MOST appropriate?

Domain 4 (17% of exam)

European Data Protection: Scope and Accountability

This domain covers the territorial scope of GDPR, accountability obligations, enforcement mechanisms, and organizational requirements. Key areas include when GDPR applies to non-EU organizations, DPIA requirements, DPO obligations, the one-stop-shop mechanism, and penalties. Understanding the enforcement landscape and organizational accountability measures is critical.

Key Topics

Territorial Scope (Article 3) · DPIA (Article 35) · DPO (Articles 37-39) · Enforcement (Articles 77-84) · One-Stop-Shop Mechanism · Representatives (Article 27)

Must-Know Concepts

  • Territorial scope (Article 3): applies to (1) organizations established in the EU, (2) non-EU organizations offering goods/services to EU data subjects, (3) non-EU organizations monitoring behavior of EU data subjects
  • Establishment criterion: processing in the context of activities of an establishment in the EU. Does not require the processing itself to occur in the EU
  • Targeting criterion: offering goods/services to EU data subjects (free or paid). Indicators include EU languages, currencies, .eu domains, or mentioning EU customers
  • Monitoring criterion: tracking or profiling behavior of individuals in the EU, including cookie tracking, geo-location, behavioral advertising
  • Representative requirement (Article 27): non-EU controllers/processors subject to GDPR must designate a representative in the EU (with limited exceptions)
  • DPIA requirements (Article 35): mandatory for high-risk processing including systematic monitoring, large-scale special category processing, automated decision-making with legal effects. Must consult supervisory authority if residual risk is high (Article 36)
  • DPO requirements (Articles 37-39): mandatory for public authorities, large-scale systematic monitoring, and large-scale special category processing. Must be independent, have direct access to management, and cannot be penalized for performing duties
  • Administrative fines (Article 83): up to 10 million EUR / 2% of global turnover for procedural violations; up to 20 million EUR / 4% of global turnover for violations of principles, rights, and transfer rules
  • One-stop-shop mechanism: organizations with cross-border processing deal primarily with one lead supervisory authority based on their main establishment. Cooperation and consistency mechanism ensures uniform enforcement
  • Right to an effective judicial remedy (Articles 78-79): data subjects can seek a judicial remedy against supervisory authority decisions and against controllers/processors

Common Exam Traps

  • GDPR can apply to a non-EU company with NO physical presence in the EU if it targets EU data subjects or monitors their behavior. Physical establishment is not the only trigger.
  • The DPO must be INDEPENDENT and cannot receive instructions regarding the exercise of their tasks. A DPO who is also the head of IT may have a conflict of interest.
  • The 4% of global turnover fine is based on WORLDWIDE annual turnover of the entire corporate group, not just the EU subsidiary's revenue.
  • A DPIA is required BEFORE processing begins, not after. If you start processing and then discover it needs a DPIA, you have already violated Article 35.
  • The one-stop-shop mechanism only applies to CROSS-BORDER processing. Purely local processing is handled by the local supervisory authority.

Quick Check: European Data Protection: Scope and Accountability

A US-based e-commerce company with no EU offices sells products in English and USD but ships to EU countries and accepts payments from EU customers. Does GDPR apply?

Domain 5 (16% of exam)

Compliance with European Data Protection Law and Regulation

This domain covers how GDPR and related laws apply in specific practical contexts: employment data processing, video surveillance, direct marketing, internet technologies, and emerging areas like AI. Expect scenario-based questions testing your ability to apply general GDPR principles to specific compliance situations.

Key Topics

Employment Data Processing · Video Surveillance (CCTV) · Direct Marketing · Cookies and Online Tracking · AI and Automated Processing · Deceptive Design Patterns

Must-Know Concepts

  • Employment context: consent is problematic due to power imbalance. Processing typically based on contract, legal obligation, or legitimate interest. Employee monitoring must be proportionate with clear policies
  • Video surveillance (CCTV): requires lawful basis (usually legitimate interest), DPIA for systematic monitoring of public areas, signage and transparency requirements, retention limits, EDPB guidelines on video devices
  • Direct marketing: ePrivacy Directive requires opt-in for electronic marketing (email, SMS, automated calls). Soft opt-in exception for existing customers (similar products/services, with opt-out). GDPR right to object to direct marketing is absolute under Article 21(2)
  • Cookie compliance: strictly necessary cookies do not need consent. All other cookies (analytics, marketing, preference) require informed, specific consent before placement. Pre-ticked boxes do not constitute valid consent (Planet49 ruling)
  • Deceptive design patterns (dark patterns): EDPB guidelines identify manipulative interface designs that push users toward privacy-unfriendly choices. Examples: overloading, skipping, stirring, obstructing, fickle, left in the dark
  • AI and GDPR: automated decision-making rights under Article 22, transparency about automated processing, DPIA requirements for AI profiling, data minimisation in training data, EU AI Act intersection
  • Social media targeting: EDPB guidelines on targeting mechanisms, roles of advertisers and platform providers, lawful bases for targeted advertising, transparency obligations
  • Whistleblowing: EU Whistleblower Directive requirements intersecting with GDPR data protection obligations for reporting channels and investigation data

Common Exam Traps

  • The right to object to DIRECT MARKETING is ABSOLUTE under Article 21(2). Unlike the general right to object under Article 21(1), the controller cannot override it with compelling legitimate grounds.
  • The soft opt-in exception for marketing ONLY applies to existing customers, ONLY for similar products/services, and ONLY if an opt-out was provided at the time of original collection.
  • Pre-ticked consent boxes are NOT valid consent. The CJEU Planet49 ruling confirmed that consent must be an active, affirmative action by the data subject.
  • Employee monitoring must satisfy the proportionality principle. Blanket monitoring of all employee communications without justification violates GDPR, even with employee consent.
  • Facial recognition technology in public spaces is generally considered high-risk and may be prohibited under the EU AI Act for certain uses like real-time biometric identification by law enforcement.

Quick Check: Compliance with European Data Protection Law and Regulation

An online retailer sends promotional emails to existing customers about similar products without obtaining explicit consent. The retailer included an unsubscribe link in every email. Is this lawful?

Concepts You Must Not Confuse

These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.

Consent vs Legitimate Interest

Use Consent when…

Data subject has given clear, affirmative agreement to processing for specific purposes. Must be freely given, specific, informed, and unambiguous. Can be withdrawn at any time.

Use Legitimate Interest when…

Controller or third party has a legitimate interest that is not overridden by the data subject's rights and freedoms. Requires a documented balancing test. Data subject has the right to object.

Exam trap

Consent is NOT always the best lawful basis. If you can rely on legitimate interest (with a passed balancing test), it may be more appropriate. The exam tests scenarios where consent appears obvious but legitimate interest is actually the better choice, especially in B2B contexts.

Controller vs Processor

Use Controller when…

Determines the purposes (why) and means (how) of processing personal data. Bears primary responsibility for GDPR compliance, including lawful basis, data subject rights, and breach notification.

Use Processor when…

Processes personal data on behalf of and under instructions from the controller. Must have a written processing agreement (Article 28). Cannot engage sub-processors without controller authorization.

Exam trap

A cloud provider hosting data is typically a processor, but if it determines its own purposes for the data (e.g., analytics), it becomes a controller for that processing. The exam uses complex multi-party scenarios to test whether you can correctly identify roles.

Right to Erasure vs Right to Restriction

Use Right to Erasure when…

Data subject can request deletion of personal data when it is no longer necessary, consent is withdrawn, or processing is unlawful. Controller must also inform other recipients.

Use Right to Restriction when…

Data subject can request that processing be restricted (data stored but not used) while contesting accuracy, objecting to processing, or when processing is unlawful but deletion is not wanted.

Exam trap

Restriction does NOT mean deletion. Data is stored but not actively processed. The exam tests scenarios where the data subject wants to keep data available (e.g., for legal claims) but stop its active use. Know the four grounds for restriction under Article 18.

Adequacy Decision vs Standard Contractual Clauses

Use Adequacy Decision when…

European Commission determines a third country provides essentially equivalent data protection. Transfers can proceed without additional safeguards. Examples: Japan, South Korea, UK, EU-US DPF.

Use Standard Contractual Clauses when…

Pre-approved contractual terms between data exporter and importer. Require a Transfer Impact Assessment after Schrems II. Supplementary measures may be needed if the recipient country's laws undermine SCC protections.

Exam trap

Adequacy decisions are the EASIEST transfer mechanism but only available for specific countries. SCCs are the MOST COMMON mechanism in practice. After Schrems II, SCCs alone may not be sufficient; you must assess the recipient country's legal framework.

Data Protection Impact Assessment (DPIA) vs Legitimate Interest Assessment (LIA)

Use Data Protection Impact Assessment (DPIA) when…

Mandatory risk assessment before processing likely to result in high risk to data subjects. Required for systematic monitoring, large-scale special category processing, and automated decision-making.

Use Legitimate Interest Assessment (LIA) when…

Assessment to determine whether legitimate interest can serve as a lawful basis. Balances the controller's interest against the data subject's rights. Not explicitly required by GDPR but considered best practice.

Exam trap

A DPIA assesses RISK TO DATA SUBJECTS from a processing activity. An LIA assesses WHETHER LEGITIMATE INTEREST is a valid lawful basis. They serve different purposes and may both be required for the same processing activity.

Data Breach to Supervisory Authority (Art. 33) vs Data Breach to Data Subject (Art. 34)

Use Data Breach to Supervisory Authority (Art. 33) when…

Controller must notify the supervisory authority within 72 hours of becoming aware of a breach likely to result in a RISK to rights and freedoms. Includes breach details, likely consequences, and measures taken.

Use Data Breach to Data Subject (Art. 34) when…

Controller must notify data subjects without undue delay when the breach is likely to result in HIGH RISK to rights and freedoms. Not required if data was encrypted or measures eliminate the high risk.

Exam trap

Article 33 threshold is RISK. Article 34 threshold is HIGH RISK. Not every breach notified to the authority requires data subject notification. The exam tests whether you can distinguish between the two thresholds and know the exceptions to data subject notification.

ePrivacy Directive vs GDPR

Use ePrivacy Directive when…

Lex specialis for electronic communications privacy. Governs cookies, direct marketing, traffic data, and communication confidentiality. Requires member state transposition. Applies to electronic communications services.

Use GDPR when…

General data protection regulation applying to all personal data processing. Directly applicable in all EU member states. Provides the overarching framework for data protection principles, rights, and obligations.

Exam trap

The ePrivacy Directive is lex specialis: it takes precedence over GDPR in its specific areas (cookies, e-marketing). However, where ePrivacy is silent, GDPR applies as the general law. The exam tests which regulation governs in specific scenarios involving electronic communications.

Data Portability (Article 20) vs Right of Access (Article 15)

Use Data Portability (Article 20) when…

Right to receive personal data in a structured, commonly used, machine-readable format and transmit it to another controller. Only applies to data provided by the data subject, processed by automated means, based on consent or contract.

Use Right of Access (Article 15) when…

Right to obtain confirmation of processing and access to personal data, along with information about purposes, categories, recipients, retention periods, and source of data. Applies to ALL processing, regardless of lawful basis.

Exam trap

Data portability has NARROW conditions: only data provided by the data subject, only automated processing, only consent or contract basis. Right of access is BROAD: applies to all personal data regardless of how obtained or which lawful basis. The exam tests scenarios where only one right applies.

Top Mistakes to Avoid

  • Confusing consent with legitimate interest as the default lawful basis. Consent is not always the best option; in employment and B2B contexts, legitimate interest or contract is often more appropriate.
  • Thinking the right to erasure is absolute. It has important exceptions including legal obligations, public health, freedom of expression, and the defense of legal claims.
  • Confusing pseudonymisation with anonymisation. Pseudonymised data is STILL personal data under GDPR; only truly anonymous data falls outside GDPR scope entirely.
  • Believing that Standard Contractual Clauses alone guarantee adequate protection for international transfers. After Schrems II, a Transfer Impact Assessment and possibly supplementary measures are also required.
  • Not knowing the two different breach notification thresholds: Article 33 (supervisory authority) requires any risk, while Article 34 (data subjects) requires HIGH risk.
  • Mixing up Article 13 (direct collection transparency) and Article 14 (third-party collection transparency). They carry different information requirements and different timing obligations.
  • Treating Article 49 derogations as regular transfer mechanisms. They are for occasional transfers only and cannot replace systematic transfer safeguards like SCCs or BCRs.
  • Forgetting that the right to object to direct marketing under Article 21(2) is absolute, unlike the general right to object, which allows the controller to demonstrate compelling legitimate grounds.
  • Assuming GDPR only applies to EU-based organizations. Article 3 extends GDPR's reach to any organization offering goods/services to EU data subjects or monitoring their behavior.
  • Confusing the ePrivacy Directive (still in force) with the proposed ePrivacy Regulation (not yet adopted). Cookie consent rules come from the ePrivacy Directive, not GDPR directly.
  • Not understanding that a DPIA must be conducted BEFORE processing begins, not after discovering high risk during processing.
  • Conflating the Council of Europe (which produced Convention 108) with the European Council or the Council of the EU.

Exam-Ready Checklist

  • Can explain all 5 exam domains and their relative weights (13%, 31%, 23%, 17%, 16%)
  • Know all six lawful bases under Article 6 and can apply them in scenario questions, especially distinguishing consent from legitimate interest
  • Can list and explain all eight data subject rights (Articles 15-22) and know the exceptions to each
  • Understand the international data transfer hierarchy (adequacy, SCCs/BCRs, derogations) and the Schrems II Transfer Impact Assessment requirement
  • Can distinguish between controller, processor, and joint controller in complex multi-party scenarios
  • Know the breach notification rules: 72-hour deadline (Article 33), risk vs high risk thresholds, and exceptions to data subject notification (Article 34)
  • Understand DPIA requirements: when mandatory, what it must contain, and when to consult the supervisory authority
  • Can explain the territorial scope of GDPR (Article 3) including establishment, targeting, and monitoring criteria
  • Know the DPO requirements: when mandatory, independence requirements, and conflict of interest rules
  • Understand the ePrivacy Directive: cookie consent rules, soft opt-in marketing exception, and its relationship to GDPR as lex specialis
  • Can explain the administrative fine tiers: 10M/2% for procedural violations vs 20M/4% for principles, rights, and transfer violations
  • Know all 14+ EDPB guidelines on the exam syllabus and their key positions
  • Scored 65%+ on at least two full practice exams (300/500 passing score)
  • Reviewed all incorrect answers with emphasis on Domain II, which carries the heaviest weight (31%)

Recommended Resources

Free & Official Resources

Paid Courses & Practice Exams

These are recommended if you prefer a structured learning path. They can save time but are not required to pass.