2024 Updated CIPP Exam Questions & Practice Tests, Certified International Purchasing Professional | SPOTO

Sharpen your skills and boost your confidence with SPOTO's comprehensive CIPP/E exam prep materials. We offer a wealth of resources including practice tests, free tests, exam practice tools, and a vast bank of online exam questions. These include exam questions, sample questions, and even mock exams that mimic the real exam format. Unlike unreliable "exam dumps," SPOTO provides high-quality exam questions and answers that are aligned with the latest exam blueprint. With SPOTO's practice tests and exam materials, you'll gain the knowledge and edge you need to pass your CIPP/E exam on the first try.

Question #1
A company is hesitating between Binding Corporate Rules and Standard Contractual Clauses as a global data transfer solution. Which of the following statements would help the company make an effective decision?
A. Binding Corporate Rules are especially recommended for small and medium companies
B. The data exporter does not need to be located in the EU for the standard Contractual Clauses
C. Binding Corporate Rules provide a global solution for all the entities of a company that are bound by the intra-group agreement
D. The company will need the prior authorization of all EU data protection authorities for concluding Standard Contractual Clauses
Correct Answer: C


Question #2
If a multi-national company wanted to conduct background checks on all current and potential employees, including those based in Europe, what key provision would the company have to follow?
A. Background checks on employees could be performed only under prior notice to all employees
B. Background checks are only authorized with prior notice and express consent from all employees including those based in Europe
C. Background checks on European employees will stem from data protection and employment law, which can vary between member states
D. Background checks may not be allowed on European employees, but the company can create lists based on its legitimate interests, identifying individuals who are ineligible for employment
Correct Answer: B
Question #3
SCENARIO Please use the following to answer the next question: Ben is a member of the fitness club STAYFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Ben lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Ben was photographed while working out at a branch of STAYFIT in Frankfurt, Germany. At the time, Ben gave his cons
A. He will have to sue the STAYFIT’s head office in France, where STAYFIT has its main establishment
B. He will be able to sue any one of the relevant STAYFIT branches, as each one may be held liable for the entire damage
C. He will have to sue each STAYFIT branch so that each branch provides proportionate compensation commensurate with its contribution to the damage or distress suffered by Ben
D. He will be able to apply to the European Data Protection Board in order to determine which particular STAYFIT branch is liable for damages, based on the decision that was made by the board
Correct Answer: C
Question #4
Read the following steps:
Discover which employees are accessing cloud services and from which devices and apps
Lock down the data in those apps and devices
Monitor and analyze the apps and devices for compliance
Manage application life cycles
Monitor data sharing
An organization should perform these steps to do which of the following?
A. Pursue a GDPR-compliant Privacy by Design process
B. Institute a GDPR-compliant employee monitoring process
C. Maintain a secure Bring Your Own Device (BYOD) program
D. Ensure cloud vendors are complying with internal data use policies
Correct Answer: A
Question #5
SCENARIO Please use the following to answer the next question: Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures
A. Information about what is specified in the employment contract
B. Information about who employees should contact with any queries
C. Information about how providing consent could affect them as employees
D. Information about how the measures are in the best interests of the company
Correct Answer: B
Question #6
Which sentence best describes proper compliance for an international organization using Binding Corporate Rules (BCRs) as a controller or processor?
A. Employees must sign an ad hoc contractual agreement each time personal data is exported
B. All employees are subject to the rules in their entirety, regardless of where the work is taking place
C. All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established
D. Employees who control personal data must complete a rigorous certification procedure, as they are exempt from legal enforcement
Correct Answer: C
Question #7
What permissions are required for a marketer to send an email marketing message to a consumer in the EU?
A. A prior opt-in consent for consumers unless they are already customers
B. A pre-checked box stating that the consumer agrees to receive email marketing
C. A notice that the consumer’s email address will be used for marketing purposes
D. No prior permission required, but an opt-out requirement on all emails sent to consumers
Correct Answer: D
Question #8
In which of the following cases would an organization MOST LIKELY be required to follow both ePrivacy and data protection rules?
A. When creating an untargeted pop-up ad on a website
B. When calling a potential customer to notify her of an upcoming product sale
C. When emailing a customer to announce that his recent order should arrive earlier than expected
D. When paying a search engine company to give prominence to certain products and services within specific search results
Correct Answer: A
Question #9
SCENARIO Please use the following to answer the next question: Ben is a member of the fitness club STAYFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Ben lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Ben was photographed while working out at a branch of STAYFIT in Frankfurt, Germany. At the time, Ben gave his cons
A. Submit a draft decision to other supervisory authorities for their opinion
B. Request that the other supervisory authorities provide the lead authority with a draft decision for its consideration
C. Submit a draft decision directly to the Commission to ensure the effectiveness of the consistency mechanism
D. Request that members of the seconding supervisory authority and the host supervisory authority co-draft a decision
Correct Answer: C
Question #10
Which change was introduced by the 2009 amendments to the e-Privacy Directive 2002/58/EC?
A. A voluntary notification for personal data breaches applicable to all data controllers
B. A voluntary notification for personal data breaches applicable to electronic communication providers
C. A mandatory notification for personal data breaches applicable to all data controllers
D. A mandatory notification for personal data breaches applicable to electronic communication providers
Correct Answer: D
Question #11
A company is located in a country NOT considered by the European Union (EU) to have an adequate level of data protection. Which of the following is an obligation of the company if it imports personal data from another organization in the European Economic Area (EEA) under standard contractual clauses?
A. Submit the contract to its own government authority
B. Ensure that notice is given to and consent is obtained from data subjects
C. Supply any information requested by a data protection authority (DPA) within 30 days
D. Ensure that local laws do not impede the company from meeting its contractual obligations
Correct Answer: B
Question #12
As per the GDPR, which legal basis would be the most appropriate for an online shop that wishes to process personal data for the purpose of fraud prevention?
A. Protection of the interests of the data subjects
B. Performance of a contract
C. Legitimate interest
D. Consent
Correct Answer: B
Question #13
In addition to the European Commission, who can adopt standard contractual clauses, assuming that all required conditions are met?
A. Approved data controllers
B. The Council of the European Union
C. National data protection authorities
D. The European Data Protection Supervisor
Correct Answer: D
Question #14
What should a controller do after a data subject opts out of a direct marketing activity?
A. Without exception, securely delete all personal data relating to the data subject
B. Without undue delay, provide information to the data subject on the action that will be taken
C. Refrain from processing personal data relating to the data subject for the relevant type of communication
D. Take reasonable steps to inform third-party recipients that the data subject’s personal data should be deleted and no longer processed
Correct Answer: A
Question #15
SCENARIO Please use the following to answer the next question: Zandelay Fashion (‘Zandelay’) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company’s compliance with the General Data Protection Regulation (GDPR) and other privacy legislation. The company offers both male and female clothing lines across all age demographics, including childr
A. Information about DPIAs found in Articles 38 through 40 of the GDPR
B. Data breach documentation that data controllers are required to maintain
C. Existing DPIA guides published by local supervisory authorities
D. Records of processing activities that data controllers are required to maintain
Correct Answer: D
Question #16
Under Article 58 of the GDPR, which of the following describes a power of supervisory authorities in European Union (EU) member states?
A. The ability to enact new laws by executive order
B. The right to access data for investigative purposes
C. The discretion to carry out goals of elected officials within the member state
D. The authority to select penalties when a controller is found guilty in a court of law
Correct Answer: A
Question #17
If a company is planning to use closed-circuit television (CCTV) on its premises and is concerned with GDPR compliance, it should first do all of the following EXCEPT?
A. Notify the appropriate data protection authority
B. Perform a data protection impact assessment (DPIA)
C. Create an information retention policy for those who operate the system
D. Ensure that safeguards are in place to prevent unauthorized access to the footage
Correct Answer: D
Question #18
SCENARIO Please use the following to answer the next question: Zandelay Fashion (‘Zandelay’) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company’s compliance with the General Data Protection Regulation (GDPR) and other privacy legislation. The company offers both male and female clothing lines across all age demographics, including childr
A. An evaluation of the complexity of the intended processing
B. An explanation of the purposes and means of the intended processing
C. Records showing that customers have explicitly consented to the intended profiling activities
D. Certificates that prove Martin’s professional qualities and expert knowledge of data protection law
Correct Answer: C
Question #19
Which institution has the power to adopt findings that confirm the adequacy of the data protection level in a non-EU country?
A. The European Parliament
B. The European Commission
C. The Article 29 Working Party
D. The European Council
Correct Answer: D
Question #20
SCENARIO Please use the following to answer the next question: Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures
A. Since the GDPR does not apply to this situation, the company would be entitled to apply any disciplinary measure authorized under Italian labor law
B. Since the employee was the cause of a serious risk for the server performance and their data, the company would be entitled to apply disciplinary measures to this employee, including fair dismissal
C. Since the employee was not informed that the security measures would be used for other purposes such as monitoring, the company could face difficulties in applying any disciplinary measures to this employee
D. Since this was a serious infringement, but the employee was not appropriately informed about the consequences of the new security measures, the company would be entitled to apply some disciplinary measures, but not dismissal
Correct Answer: A
Question #21
SCENARIO Please use the following to answer the next question: Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures
A. Assessed potential privacy risks by conducting a data protection impact assessment
B. Consulted with the relevant data protection authority about potential privacy violations
C. Distributed a more comprehensive notice to employees and received their express consent
D. Consulted with the Information Security team to weigh security measures against possible server impacts
Correct Answer: C
Question #22
The GDPR specifies fines that may be levied against data controllers for certain infringements. Which of the following infringements would be subject to the less severe administrative fine of up to 10 million euros (or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year)?
A. Failure to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing
B. Failure to implement technical and organizational measures to ensure data protection is enshrined by design and default
C. Failure to process personal information in a manner compatible with its original purpose
D. Failure to provide the means for a data subject to rectify inaccuracies in personal data
Correct Answer: A
Question #23
Based on GDPR Article 35, which of the following situations would trigger the need to complete a DPIA?
A. A company wants to combine location data with other data in order to offer more personalized service for the customer
B. A company wants to use location data to infer information on a person’s clothes purchasing habits
C. A company wants to build a dating app that creates candidate profiles based on location data and data from third-party sources
D. A company wants to use location data to track delivery trucks in order to make the routes more efficient
Correct Answer: B
Question #24
Which of the following entities would most likely be exempt from complying with the GDPR?
A. A South American company that regularly collects European customers’ personal data
B. A company that stores all customer data in Australia and is headquartered in a European Union (EU) member state
C. A Chinese company that has opened a satellite office in a European Union (EU) member state to service European customers
D. A North American company servicing customers in South Africa that uses a cloud storage system made by a European company
Correct Answer: C
Question #25
SCENARIO Please use the following to answer the next question: Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to j
A. Send out consent forms to all of its employees
B. Minimize the amount of data collected for the lawsuit
C. Inform all of its employees about the lawsuit
D. Encrypt the data from all of its employees
Correct Answer: A
Question #26
Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?
A. The European Commission can adopt an adequacy decision for individual companies
B. The European Commission can adopt, repeal or amend an existing adequacy decision
C. EU member states are vested with the power to accept or reject a European Commission adequacy decision
D. To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation
Correct Answer: B
Question #27
Which of the following countries will continue to enjoy adequacy status under the GDPR, pending any future European Commission decision to the contrary?
A. Greece
B. Norway
C. Australia
D. Switzerland
Correct Answer: B
Question #28
After leaving the EU under the terms of Brexit, the United Kingdom will seek an adequacy determination. What is the reason for this?
A. The Insurance Commissioner determined that an adequacy determination is required by the Data Protection Act
B. Adequacy determinations automatically lapse when a Member State leaves the EU
C. The UK is now a third country because it’s no longer subject to the GDPR
D. The UK is less trustworthy now that it’s not part of the Union
Correct Answer: B
Question #29
What is the MAIN reason GDPR Article 4(22) establishes the concept of the “concerned supervisory authority”?
A. To encourage the consistency of local data processing activity
B. To give corporations a choice about who their supervisory authority will be
C. To ensure the GDPR covers controllers that do not have an establishment in the EU but have a representative in a member state
D. To ensure that the interests of individuals residing outside the lead authority’s jurisdiction are represented
Correct Answer: A
Question #30
What type of data lies beyond the scope of the General Data Protection Regulation?
A. Pseudonymized
B. Anonymized
C. Encrypted
D. Masked
Correct Answer: B
