
Free IAPP CIPP-E Actual Exam Questions

The questions for this exam were last updated on January 9, 2026

Dumps Box (DumpsBox) offers up-to-date practice exam questions for the CIPP-E certification exam, developed and validated by IAPP subject-domain experts certified in IAPP CIPP-E. These practice questions are updated regularly: we keep an eye on any recent changes in the CIPP-E syllabus, and when there is an update our team quickly adjusts the questions. This commitment to providing the best-quality exam prep material to certification aspirants is what makes DumpsBox.com the best certification exam prep website. On top of that, our strong, yet strictly moderated, community-based feedback keeps the content clean and current. Each question has a helpful community discussion that provides extra perspective and introduces helpful resources for better exam preparation. This also saves students from outdated practice questions or illicit exam dumps that can have adverse effects on a career. Browse through our IAPP CIPP-E exam questions and pass your exam on the first try.

Question No. 1
Which of the following elements does NOT need to be presented to a data subject in order to collect valid consent for the use of cookies?
Top comments
Saad A.
2026-02-17

A, a settings button can be replaced by clear accept/reject options.

Saad A.
2026-02-16

Option A, because a settings button isn't always required for valid consent.

Question No. 2
SCENARIO
Please use the following to answer the next question:
BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information – name, location, and prior purchase history – with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens.
Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy’s data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight’s machine learning algorithms.
Under the GDPR, what are Natural Insight’s security obligations with respect to the customer information it received from BHealthy?
Top comments
Irfan F.
2026-02-20

It’s A because GDPR demands continuous, appropriate security that matches industry practices, not just a one-time check or what feels reasonable to individuals. Security has to keep evolving with new threats.

Vikas E.
2026-02-18

It’s A. GDPR calls for ongoing appropriate security aligned with industry standards, not just what was agreed at the start or based on customer expectations alone. Natural Insight has to keep up with evolving risks.

Question No. 3
Which of the following Convention 108+ principles, as amended in 2018, is NOT consistent with a principle found in the GDPR?
Top comments
Sarah R.
2026-02-20

C imo, bulk collection totally clashes with GDPR’s data minimization rule.

Ethan T.
2026-02-20

It’s A. Breach notification is in GDPR but only when risk is high, so a blanket obligation like in 108+ doesn’t fully match GDPR’s more nuanced approach. That makes A less consistent than C.

Question No. 4
Data retention in the EU was underpinned by a legal framework established by the Data Retention Directive (2006/24/EC). Why is the Directive no longer part of EU law?
Top comments
Amit O.
2026-02-20

Maybe C, since the Court of Justice of the EU is the only body with authority to annul EU Directives, unlike the European Court of Human Rights or other regulations replacing it.

Adeel E.
2026-02-14

It’s C, the Court of Justice of the EU struck it down for breaching privacy laws.

Question No. 5
Select the answer below that accurately completes the following:
“The right to compensation and liability under the GDPR…
Top comments
Rayan G.
2026-02-20

Not buying D since GDPR doesn’t set a max payout; it’s open-ended. D

Ahmed Y.
2026-02-15

A/B? D seems wrong since GDPR doesn’t cap compensation like that. B is off because you can sue multiple parties, so A fits better with GDPR’s shared liability rules.

Question No. 6
SCENARIO
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn’t prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.
The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan We-Text-U. Once the company has gathered enough pre-registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company’s app, like storage and sharing of DNA information with other applications and medical providers. The company’s contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers’ attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn’t include any technology or infrastructure; rather, it’s simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.
If Who-R-U decides to track locations using its app, what must it do to comply with the GDPR?
Top comments
Mason R.
2026-02-20

It’s A, consent is usually needed for tracking location under GDPR.

Imran S.
2026-02-14

D imo, the idea that location data is a special category needing a court order seems off. GDPR does treat location info as personal data that requires a lawful basis, but a court order isn’t typically required. It’s more about having the right legal grounds, like consent or legitimate interest, plus transparency. So D doesn’t really fit. A and B both make sense, but since the question asks what it must do, providing clear notice (B) is essential regardless of consent. Without transparency, even consent might not be valid under GDPR.

Question No. 7
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best. Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status. If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first-year college student named Sam, who is studying computer science, to help Ben out. Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S. Joe believes that Alice is doing a great job, and informs her that she will also be in charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first-level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
Ben’s collection of additional data from customers created several potential issues for the company, which would most likely require what?
Top comments
Chris L.
2026-02-19

Maybe D makes sense here because collecting sensitive data like political opinions and marital status often triggers the need for a dedicated data protection officer to oversee compliance, especially since this is a large company operating globally. While assessments and inventories are important, having someone responsible for data protection day-to-day is critical when handling special categories of data under GDPR. Plus, with all the cross-border transfers and new projects, a DPO would help ensure ongoing compliance rather than just a one-off assessment.

Rizwan H.
2026-02-14

C imo, a data inventory seems crucial here first to understand what data is held and where before deciding on impact assessments or governance updates. You can’t fix what you don’t fully know.

Question No. 8
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best. Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status. If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first-year college student named Sam, who is studying computer science, to help Ben out. Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S. Joe believes that Alice is doing a great job, and informs her that she will also be in charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first-level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
As a result of Sam’s actions, the Gummy Bear Company potentially violated Articles 33 and 34 of the GDPR and will be required to do what?
Top comments
Carlos J.
2026-02-16

Good point about timing affecting notification, but C still fits best here.

Sarah X.
2026-01-26

C/D? I think C is the safest since the company needs to figure out the scope of the breach before deciding who to notify, if anyone. They have to analyze the impact on all customers, not just Ireland, to comply properly. D feels too broad because not every EU customer may be affected or at risk. Plus, GDPR talks about notifying authorities first, then possibly customers if there’s high risk. So jumping straight to notifying all EU customers might be premature without the full evaluation. Better to do a thorough breach notification assessment first.

Question No. 9
A U.S. company’s website sells widgets. Which of the following factors would NOT in itself subject the company to the GDPR?
Top comments
Adeel U.
2026-02-18

B/D? The website being in English and French and accessible in France (B) alone doesn’t trigger GDPR unless it’s clearly targeting EU residents. But placing cookies to monitor EU user behavior (D) involves processing personal data, which definitely falls under GDPR. So D seems more likely to bring GDPR into play, making B the odd one out. The cookies actively collect data, whereas just language options and access don’t necessarily do that by themselves.

Tom N.
2026-02-17

Option B seems off because just having the site in French and English and accessible in France doesn’t by itself mean GDPR applies; there has to be a clear focus on EU customers or data processing.

Question No. 10
A news website based in the United States reports primarily on North American events. The website is accessible to any user regardless of location, as the website operator does not block connections from outside of the U.S. The website offers a paid subscription that requires the creation of a user account; this subscription can only be paid in U.S. dollars.
Which of the following explains why the website operator, who is responsible for all processing related to account creation and subscriptions, is NOT required to comply with the GDPR?
Top comments
Ravi P.
2026-02-20

D imo, the VPN point is kind of a red herring. Not blocking VPNs just means users can pretend to be in the US, but it doesn’t really affect GDPR applicability directly. B feels cleaner since there’s no EU establishment.

Ravi P.
2026-02-20

A imo, the payment currency seems irrelevant here, but not accepting euros might hint the site isn’t targeting EU users intentionally. That could be a solid reason GDPR doesn’t apply. Also, the fact they don’t block non-US IPs doesn't really affect jurisdiction. So, ruling out B because GDPR can still apply without an EU base if targeting EU users. C and D don’t make much sense either since language and VPN use don’t determine GDPR responsibility.

Question No. 11
According to the European Data Protection Board, which of the following concepts or practices does NOT follow from the principles relating to the processing of personal data under EU data protection law?
Top comments
Osama E.
2026-02-20

A, since GDPR is about rights and responsibilities, not owning data.

Osama E.
2026-02-19

A/D? A feels off since GDPR focuses on control, not ownership. D sounds like good practice but not a core

Question No. 12
After detecting an intrusion involving the theft of unencrypted personal data, who shall the breached company notify first under GDPR requirements?
Top comments
Arjun G.
2026-02-14

C, it’s the supervisory authority that GDPR specifically mandates notifying first.

Andrew X.
2026-01-25

Guessing C here as well, because the GDPR sets a strict 72-hour deadline to alert the supervisory authority first. Notifying customers or parents seems to come after the authority’s involvement.

Question No. 13
SCENARIO
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO, Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage's global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments. The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized in New Delhi. Unable to reach Ruth's family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR, provided information to the doctors based on accommodation requests Ruth made when she started at ProStorage.
In support of Ruth's strategic goals of hiring more sales representatives, the Human Resources team is focused on improving its processes to ensure that new employees are sourced, interviewed, hired, and onboarded efficiently. To help with this, Mary identified two vendors, HRYourWay, a German-based company, and InstaHR, an Australian-based company. She decided to have both vendors go through ProStorage's vendor risk review process so she can work with Ruth to make the final decision. As part of the review process, Jackie, who is responsible for maintaining ProStorage's privacy program (including maintaining controller BCRs and conducting vendor risk assessments), reviewed both vendors but completed a transfer impact assessment only for InstaHR. After her review of both vendors, she determined that InstaHR satisfied more of the requirements as it boasted a more established privacy program and provided third-party attestations, whereas HRYourWay was a small vendor with minimal data protection operations. Thus, she recommended InstaHR.
ProStorage's marketing team also worked to meet the strategic goals of the company by focusing on industries where it needed to grow its market share. To help with this, the team selected as a partner UpFinance, a US-based company with deep connections to financial industry customers. During ProStorage's diligence process, Jackie from the privacy team noted in the transfer impact assessment that UpFinance implements several data protection measures including end-to-end encryption, with encryption keys held by the customer. Notably, UpFinance has not received any government requests in its 7 years of business. Still, Jackie recommended that the contract require UpFinance to notify ProStorage if it receives a government request for personal data UpFinance processes on its behalf prior to disclosing such data.
What transfer mechanism should Jackie recommend for using InstaHR?
Top comments
Mohammad F.
2026-02-20

A/D? InstaHR is external and based in Australia, so adequacy (A) seems unlikely since Australia doesn’t have an EU adequacy decision. Binding corporate rules (B) only apply to internal groups, which InstaHR isn’t part of. Explicit consent (C) is usually not practical for ongoing processing. So standard contractual clauses (D) feel like the right fit legally and practically. Jackie’s recommendation aligns with this logic too.

Haris G.
2026-02-14

D. Since InstaHR is an external vendor based in Australia, and Australia doesn’t have an EU adequacy decision, binding corporate rules (B) aren’t applicable because those are for internal group transfers. Consent (C) isn’t really a solid transfer mechanism here. So standard contractual clauses (D) make the most sense to ensure compliance with data protection requirements when transferring personal data outside the EU.

Question No. 14
A company plans to transfer employee health information between two of its entities in France. To maintain the security of the processing, what would be the most important security measure to apply to the health data transmission?
Top comments
Mark N.
2026-02-20

I agree that encryption is key here—C is the only one that actively safeguards the data while it’s moving between entities. The others don’t prevent interception directly, so C makes the most sense to me.

Mark N.
2026-02-20

It’s B since having a data processing agreement legally binds the receiver to protect the data properly.

Question No. 15
Articles 13 and 14 of the GDPR provide details on the obligation of data controllers to inform data subjects when collecting personal data. However, both articles specify an exemption for situations in which the data subject already has the information.
Which other situation would also exempt the data controller from this obligation under Article 14?
Top comments
Ryan J.
2026-02-20

Not C, because just being public domain doesn’t automatically exempt the controller from informing the data subject. The key is whether it’s too much effort or if other conditions apply.

Ryan J.
2026-02-17

B imo, since the GDPR does allow skipping info duties if it’s too much effort, especially when alternative measures like public notices are in place. The question might not say it, but that’s the usual reasoning.
