Free Preparation Discussions
MENU
IAPP CIPP-E Exam Questions
- Topic 1: Introduction to the U.S. Privacy Environment: This section of the exam measures the skills of Privacy Program Managers and covers the foundational structure of U.S. privacy law, including the roles of different government branches, legal sources, and the authorities that regulate privacy. It explains how privacy is enforced through both civil and criminal liability and outlines key concepts like data inventory, privacy program development, and incident response. The section also touches on international compliance, including GDPR and APEC, and the challenges of cross-border data governance for multinational organisations.
- Topic 2: Limits on Private-Sector Collection and Use of Data: This section of the exam measures the skills of Compliance Analysts and explores sector-specific laws that limit how private entities collect and use data. It includes the FTC’s role in privacy enforcement, particularly through the FTC Act and COPPA. It also addresses industry-specific regulations for healthcare (HIPAA, HITECH), finance (GLBA, FCRA), education (FERPA), and telecommunications. The section highlights the evolving nature of privacy compliance across various sectors.
- Topic 3: Government and Court Access to Private-Sector Information: This section of the exam measures the skills of Legal Counsel and focuses on the mechanisms by which government agencies and courts access private-sector data. It reviews how law enforcement agencies obtain financial and communication records, national security tools like FISA and the USA Patriot Act, and legal procedures involving civil litigation and electronic discovery. The emphasis is on understanding the balance between government interests and individual privacy rights: Workplace Privacy: This section of the exam measures the skills of Human Resources Compliance Officers and reviews how privacy is managed in employment contexts. It explains workplace privacy regulations, the responsibilities of federal agencies, and key anti-discrimination laws. It also outlines privacy considerations throughout the employee lifecycle, such as hiring, background checks, monitoring, misconduct investigations, and post-employment data handling, including working with third-party services.
- Topic 4: State Privacy Laws: This section of the exam measures skills of State-Level Privacy Officers and examines the dynamic relationship between federal and state privacy laws. It explores the growing influence of state regulators like the California Privacy Protection Agency (CPPA) and covers key state-level privacy and security laws, including those related to consent, data retention, and AI regulations. It also looks at differences in data breach notification laws across states and highlights emerging legislation in biometric and facial recognition technologies.
Free IAPP CIPP-E Exam Actual Questions
Note: Premium Questions for CIPP-E were last updated On Jul. 06, 2025 (see below)
A dynamic Internet Protocol (IP) address is considered persona! data when it is combined with what?
Start-up company MagicAI is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT Team decides to collect data about users' ethnic origin, nationality, and gender.
Which would be the most appropriate legal basis for this processing under the GDPR, Article 9 (Processing of special categories of personal data)?
Article 9 of the GDPR outlines strict conditions for processing special categories of personal data, which includes data revealing racial or ethnic origin. While options B, C, and D might seem relevant, they don't fully align with the core purpose of MagicAI's data collection.
Here's why option A is the most appropriate:
Scientific Research: MagicAI aims to improve the accuracy and fairness of its AI system by understanding how it performs across different ethnicities, nationalities, and genders. This directly ties into scientific research aimed at improving healthcare and reducing bias in medical technology.
It's important to note that even with 'scientific research' as the legal basis, MagicAI must still adhere to strict safeguards, such as:
Data Minimization: Collecting only the data absolutely necessary for the research.
Purpose Limitation: Using the data solely for the defined scientific purpose.
Appropriate Security Measures: Protecting the data against unauthorized access or disclosure.
Ethical Review: Ideally, obtaining ethical approval for the research project.
GDPR Article 9 - Processing of special categories of personal data
GDPR Recital 159 - Conditions for processing special categories of data for scientific research purposes
IAPP CIPP/E textbook, Chapter 2: Key Data Protection Principles (specifically, sections on special categories of data)
SCENARIO
Please use the following to answer the next question:
TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company's outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.'s foundering business.
During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed Questionaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories -- age, income, ethnicity -- that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the Questionaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website's traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website's effectiveness. Oliver enthusiastically engages Techiva for these services.
Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.'s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva's system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company's system of access control must be reconsidered.
If TripBliss Inc. decides not to report the incident to the supervisory authority, what would be their BEST defense?
According to the GDPR, data controllers must report personal data breaches to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it (Art 33 of GDPR). However, the notification is not required if the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Art 33(1) of GDPR). In this case, TripBliss Inc. could argue that the stolen data was securely erased by Leon before it could be disclosed to anyone else, and therefore the risk of harm to the data subjects was minimal. TripBliss Inc. would have to provide evidence of the secure deletion of the data and the absence of any copies or backups. Alternatively, TripBliss Inc. could also invoke the exception of disproportionate effort to avoid notifying the data subjects directly, but only if they have made a public communication or similar measure to inform them in an equally effective manner (Art 34(3)(b) of GDPR). The other options are not valid defenses, as they do not affect the likelihood of risk to the data subjects. The incident was not caused by a third-party, but by an employee of Techiva, who was acting as a data processor on behalf of TripBliss Inc. As the data controller, TripBliss Inc. is responsible for ensuring that the data processor provides sufficient guarantees to implement appropriate technical and organisational measures to comply with the GDPR (Art 28 of GDPR). The sensitivity of the data categories is not relevant for the notification obligation, as any personal data breach could pose a risk to the data subjects, depending on the circumstances. The GDPR does not provide a threshold for the sensitivity of the data, but rather requires a case-by-case assessment of the potential impact of the breach.Reference:
Free CIPP/E Study Guide, p. 15
European Data Protection Law & Practice, p. 123-124
Personal data breach notification under the GDPR
SCENARIO
Please use the following to answer the next question:
Gentle Hedgehog Inc. is a privately owned website design agency incorporated in
Italy. The company has numerous remote workers in different EU countries. Recently,
the management of Gentle Hedgehog noticed a decrease in productivity of their sales
team, especially among remote workers. As a result, the company plans to implement
a robust but privacy-friendly remote surveillance system to prevent absenteeism,
reward top performers, and ensure the best quality of customer service when sales
people are interacting with customers.
Gentle Hedgehog eventually hires Sauron Eye Inc., a Chinese vendor of employee
surveillance software whose European headquarters is in Germany. Sauron Eye's
software provides powerful remote-monitoring capabilities, including 24/7 access to
computer cameras and microphones, screen captures, emails, website history, and
keystrokes. Any device can be remotely monitored from a central server that is
securely installed at Gentle Hedgehog headquarters. The monitoring is invisible by
default; however, a so-called Transparent Mode, which regularly and conspicuously
notifies all users about the monitoring and its precise scope, also exists. Additionally,
the monitored employees are required to use a built-in verification technology
involving facial recognition each time they log in.
All monitoring data, including the facial recognition data, is securely stored in Microsoft Azure cloud servers operated by Sauron Eye, which are physically located in France.
What monitoring may be lawfully performed within the scope of Gentle Hedgehog's
business?
The General Data Protection Regulation (GDPR) does not prohibit surveillance of employees in the workplace. Still, it requires employers to follow special rules to ensure that the rights and freedoms of employees are protected when processing their personal data. The GDPR applies to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU.
The GDPR requires that any processing of personal data must be lawful, fair and transparent, and based on one of the six legal grounds specified in the regulation. The most relevant legal grounds for employee surveillance are the legitimate interests of the employer, the performance of a contract with the employee, or the compliance with a legal obligation. The GDPR also requires that any processing of personal data must be limited to what is necessary for the purposes for which they are processed, and that the data subjects must be informed of the purposes and the legal basis of the processing, as well as their rights and the safeguards in place to protect their data.
The GDPR also imposes specific obligations and restrictions on the processing of special categories of personal data, such as biometric data, which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or which are processed for the purpose of uniquely identifying a natural person. The processing of such data is prohibited, unless one of the ten exceptions listed in the regulation applies. The most relevant exceptions for employee surveillance are the explicit consent of the data subject, the necessity for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, or the necessity for reasons of substantial public interest.
The GDPR also sets out the rules and requirements for the transfer of personal data to third countries or international organisations, which do not ensure an adequate level of data protection. The transfer of such data is only allowed if the controller or processor has provided appropriate safeguards, such as binding corporate rules, standard contractual clauses, codes of conduct or certification mechanisms, and if the data subjects have enforceable rights and effective legal remedies.
Based on the scenario, the only monitoring that may be lawfully performed within the scope of Gentle Hedgehog's business is the monitoring of emails, website browsing history and camera for internal video calls that are expressly marked as monitored. This option is the most consistent with the GDPR's principles and requirements, as it:
Is based on the legitimate interests of the employer to ensure the productivity, quality and security of the work performed by the employees, as well as the performance of a contract with the employees and the compliance with a legal obligation to prevent fraud and protect confidential information.
Is limited to what is necessary for the purposes of the monitoring, as it only covers the work-related activities and communications of the employees, and excludes the private or personal ones.
Is transparent to the employees, as it informs them of the monitoring and its precise scope, and gives them the opportunity to object or opt out of the monitoring.
Does not involve the processing of special categories of personal data, such as biometric data or data revealing political opinions or trade union membership, which are not necessary or proportionate for the purposes of the monitoring.
Does not involve the transfer of personal data to a third country, such as China, which does not provide an adequate level of data protection, and which may pose additional risks for the rights and freedoms of the employees.
The other options listed in the question are not lawful monitoring within the scope of Gentle Hedgehog's business, as they:
Are not based on a valid legal ground for the processing of personal data, as they either rely on the consent of the employees, which is not freely given, informed and specific, or on the legitimate interests of the employer, which are not balanced with the rights and freedoms of the employees.
Are not limited to what is necessary for the purposes of the monitoring, as they involve the collection and processing of excessive and irrelevant personal data, such as camera and microphone monitoring, screen captures, keystrokes, and facial recognition data, which go beyond the scope of the work performed by the employees, and intrude into their private or personal sphere.
Are not transparent to the employees, as they do not inform them of the monitoring and its precise scope, and do not give them the opportunity to object or opt out of the monitoring.
Involve the processing of special categories of personal data, such as biometric data or data revealing political opinions or trade union membership, which are not necessary or proportionate for the purposes of the monitoring, and which do not fall under any of the exceptions listed in the regulation.
Involve the transfer of personal data to a third country, such as China, which does not provide an adequate level of data protection, and which may pose additional risks for the rights and freedoms of the employees.
GDPR, Articles 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 44, 45, 46, 47, 48, and 49.
EDPB Guidelines 3/2019 on processing of personal data through video devices, pages 5, 6, 7, 8, 9, 10, 11, 12, 13, and 14.
EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, pages 19, 20, 21, 22, 23, 24, 25, 26, 27, and 28.
EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, pages 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, and 28.
EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, pages 4, 5, 6, 7, 8, 9, 10, 11, and 12.
Data protection: GDPR and employee surveilance | Feature | Law Gazette, paragraphs 1, 2, 3, 4, 5, 6, 7, and 8.
- Select Question Types you want
- Set your Desired Pass Percentage
- Allocate Time (Hours : Minutes)
- Create Multiple Practice tests with Limited Questions
- Customer Support
Jade
14 days agoDesiree
27 days agoVeda
2 months agoShawna
2 months agoLatrice
3 months agoKristian
3 months agoShawna
4 months agoTherese
4 months agoGwenn
4 months agoTerry
5 months agoRikki
5 months agoCatalina
5 months agoRemona
6 months agoGilberto
6 months agoTesha
6 months agoGolda
6 months agoCatarina
7 months agoRuthann
7 months agoLouisa
7 months agoEsteban
7 months agoAhmad
7 months agoFernanda
8 months agoClarence
8 months agoMerissa
8 months agoPhil
8 months agoLinsey
8 months agoAlida
9 months agoWillodean
9 months agoJosephine
9 months agoErinn
9 months agoVeronique
9 months agoWayne
10 months agoJill
10 months agoHector
10 months agoFlorencia
11 months agoRaelene
12 months agoJoesph
1 years agoFidelia
1 years agoHyun
1 years agoMireya
1 years ago