Exam Overview
Format
90 multiple-choice questions (75 scored, 15 unscored pilot questions), 150 minutes with optional 15-minute break.
Scoring
Scaled score 100-500. Passing: 300. Psychometric weighting means the exact number of correct answers needed varies by exam form.
Domains & Weights
- Introduction to European Data Protection: 13%
- European Data Protection Law and Regulation: 31%
- European Data Processing: 23%
- European Data Protection: Scope and Accountability: 17%
- Compliance with European Data Protection Law and Regulation: 16%
Registration
Exam fee is $550 USD. Available at Pearson VUE testing centers worldwide or online proctored via OnVUE. Available in English, French, and German.
Topic Priority Table
Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.
Introduction to European Data Protection
This domain covers the historical development of European data protection from its origins to the current regulatory landscape. You need to understand the evolution from Convention 108 through Directive 95/46/EC to the GDPR, key EU institutions, and related legislation including the ePrivacy Directive, NIS2 Directive, and EU AI Act.
Key Topics
Must-Know Concepts
- Evolution of data protection: Universal Declaration of Human Rights (Article 12), European Convention on Human Rights (Article 8), Convention 108 (1981), Directive 95/46/EC (1995), GDPR (adopted 2016, applicable from 2018)
- Key EU institutions and their roles: European Commission (proposes legislation), European Parliament and Council (co-legislators), Court of Justice of the EU (interprets EU law), European Data Protection Board (ensures consistent GDPR application)
- ePrivacy Directive (2002/58/EC): cookie consent requirements, electronic direct marketing rules (opt-in with soft opt-in exception), confidentiality of communications, traffic and location data rules
- Relationship between ePrivacy and GDPR: ePrivacy is lex specialis (takes precedence in its specific domain); GDPR fills gaps where ePrivacy is silent
- NIS2 Directive basics: cybersecurity obligations for essential and important entities, intersection with GDPR security requirements
- EU AI Act risk classification: unacceptable (banned), high (strict compliance), limited (transparency), minimal (no requirements). How GDPR principles apply to AI
- Why GDPR replaced Directive 95/46/EC: directive required national transposition leading to inconsistent implementation; regulation is directly applicable in all member states
European Data Protection Law and Regulation
The heaviest domain at 31% with 18-28 scored questions. Covers the core GDPR provisions: key definitions, principles, lawful bases, data subject rights, security obligations, and breach notification. Master this domain or you will not pass. Focus on being able to apply these concepts in scenario-based questions, not just memorize definitions.
Key Topics
Must-Know Concepts
- Key definitions (Article 4): personal data, processing, controller, processor, filing system, consent, personal data breach, special categories, pseudonymisation, profiling, cross-border processing
- Seven GDPR principles (Article 5): lawfulness/fairness/transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity/confidentiality, accountability
- Six lawful bases (Article 6): consent, contract, legal obligation, vital interests, public task, legitimate interests. Know when each applies and the conditions for validity
- All eight data subject rights: access (Art 15), rectification (Art 16), erasure (Art 17), restriction (Art 18), notification regarding rectification/erasure/restriction (Art 19), portability (Art 20), objection (Art 21), automated decision-making (Art 22)
- Conditions for valid consent (Article 7): freely given, specific, informed, unambiguous. Burden of proof on controller. Children's consent (Article 8): parental verification for under-16 (member states may lower to 13)
- Special categories processing prohibition and exceptions (Article 9): explicit consent, employment, vital interests, not-for-profit, manifestly public, legal claims, substantial public interest, health/social care, public health, archiving/research
- Security of processing (Article 32): appropriate technical and organizational measures considering state of the art, cost, nature/scope/context/purposes, and risk. Pseudonymisation and encryption as example measures
- Breach notification to supervisory authority (Article 33): within 72 hours, unless unlikely to result in risk. Breach notification to data subjects (Article 34): without undue delay when high risk, unless encryption or other measures eliminate risk
- EDPB guidelines on: controller/processor concepts, data breach notification examples, data subject rights exercise, and right of access
European Data Processing
This domain covers the legal requirements for processing personal data in Europe, including transparency obligations, international data transfer mechanisms, and the conditions for lawful cross-border data flows. It heavily emphasizes practical scenarios involving transfer mechanisms, Schrems II compliance, and the EU-US Data Privacy Framework.
Key Topics
Must-Know Concepts
- Transparency requirements (Articles 12-14): information to be provided when data is collected directly (Art 13) vs obtained from third parties (Art 14). Must be concise, transparent, intelligible, easily accessible, in clear and plain language
- International data transfer hierarchy: (1) adequacy decision, (2) appropriate safeguards (SCCs, BCRs, codes of conduct, certification), (3) derogations under Article 49
- Adequacy decisions: Commission assesses third country's data protection level. Current adequacy countries include Japan, South Korea, UK, Canada (commercial), and the US under the EU-US Data Privacy Framework
- Standard Contractual Clauses: four modules (C2C, C2P, P2P, P2C). After Schrems II, require Transfer Impact Assessment (TIA) to evaluate recipient country laws. Supplementary measures may be needed
- Binding Corporate Rules: for multinational intra-group transfers. Require supervisory authority approval. Cover both controller and processor BCRs
- Article 49 derogations: explicit consent, contract performance, important public interest, legal claims, vital interests, public register. These are exceptions, not regular transfer mechanisms
- Schrems II impact: invalidated Privacy Shield, requires case-by-case assessment of third country laws when using SCCs. Must evaluate whether government surveillance powers undermine protection
- EU-US Data Privacy Framework (2023): adequacy decision for US organizations self-certified under the DPF. Addresses Schrems II concerns through executive order limiting US intelligence access
- Onward transfers: when data is transferred from the initial recipient to a further third country, additional safeguards are required
European Data Protection: Scope and Accountability
This domain covers the territorial scope of GDPR, accountability obligations, enforcement mechanisms, and organizational requirements. Key areas include when GDPR applies to non-EU organizations, DPIA requirements, DPO obligations, the one-stop-shop mechanism, and penalties. Understanding the enforcement landscape and organizational accountability measures is critical.
Key Topics
Must-Know Concepts
- Territorial scope (Article 3): applies to (1) organizations established in the EU, (2) non-EU organizations offering goods/services to EU data subjects, (3) non-EU organizations monitoring behavior of EU data subjects
- Establishment criterion: processing in the context of activities of an establishment in the EU. Does not require the processing itself to occur in the EU
- Targeting criterion: offering goods/services to EU data subjects (free or paid). Indicators include EU languages, currencies, .eu domains, or mentioning EU customers
- Monitoring criterion: tracking or profiling behavior of individuals in the EU, including cookie tracking, geo-location, behavioral advertising
- Representative requirement (Article 27): non-EU controllers/processors subject to GDPR must designate a representative in the EU (with limited exceptions)
- DPIA requirements (Article 35): mandatory for high-risk processing including systematic monitoring, large-scale special category processing, automated decision-making with legal effects. Must consult supervisory authority if residual risk is high (Article 36)
- DPO requirements (Articles 37-39): mandatory for public authorities, large-scale systematic monitoring, and large-scale special category processing. Must be independent, have direct access to management, and cannot be penalized for performing duties
- Administrative fines (Article 83): up to 10 million EUR / 2% of global turnover for procedural violations; up to 20 million EUR / 4% of global turnover for violations of principles, rights, and transfer rules
- One-stop-shop mechanism: organizations with cross-border processing deal primarily with one lead supervisory authority based on their main establishment. Cooperation and consistency mechanism ensures uniform enforcement
- Right to an effective judicial remedy (Articles 78-79): data subjects can seek judicial remedy against supervisory authority decisions and against controllers/processors
Compliance with European Data Protection Law and Regulation
This domain covers how GDPR and related laws apply in specific practical contexts: employment data processing, video surveillance, direct marketing, internet technologies, and emerging areas like AI. Expect scenario-based questions testing your ability to apply general GDPR principles to specific compliance situations.
Key Topics
Must-Know Concepts
- Employment context: consent is problematic due to power imbalance. Processing typically based on contract, legal obligation, or legitimate interest. Employee monitoring must be proportionate with clear policies
- Video surveillance (CCTV): requires lawful basis (usually legitimate interest), DPIA for systematic monitoring of public areas, signage and transparency requirements, retention limits, EDPB guidelines on video devices
- Direct marketing: ePrivacy Directive requires opt-in for electronic marketing (email, SMS, automated calls). Soft opt-in exception for existing customers (similar products/services, with opt-out). GDPR right to object to direct marketing is absolute under Article 21(2)
- Cookie compliance: strictly necessary cookies do not need consent. All other cookies (analytics, marketing, preference) require informed, specific consent before placement. Pre-ticked boxes do not constitute valid consent (Planet49 ruling)
- Deceptive design patterns (dark patterns): EDPB guidelines identify manipulative interface designs that push users toward privacy-unfriendly choices. Examples: overloading, skipping, stirring, obstructing, fickle, left in the dark
- AI and GDPR: automated decision-making rights under Article 22, transparency about automated processing, DPIA requirements for AI profiling, data minimisation in training data, EU AI Act intersection
- Social media targeting: EDPB guidelines on targeting mechanisms, roles of advertisers and platform providers, lawful bases for targeted advertising, transparency obligations
- Whistleblowing: EU Whistleblower Directive requirements intersecting with GDPR data protection obligations for reporting channels and investigation data