Best CIPP Practice Exams and Real Exam Simulations, Certified International Purchasing Professional | SPOTO

Explore our comprehensive range of resources at SPOTO. From free tests to meticulously crafted exam practice materials, we offer a wealth of online exam questions, sample questions, exam dumps, and exam questions and answers. Our mock exams provide invaluable insights into the format and structure of the actual certification exam. With our latest practice tests, you can confidently navigate the Certified Information Privacy Professional/Europe (CIPP/E) certification journey. Designed to reinforce your understanding of European privacy laws and regulations, our exam materials cover the legal requirements for the responsible transfer of sensitive personal data across borders. Let SPOTO be your trusted partner in achieving success. Whether you're preparing for your initial certification or seeking recertification, our resources are tailored to empower you to pass with flying colors.

Question #1
SCENARIO Please use the following to answer the next question: Outliers Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Jonathan, suspects that this is partly due to the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company ZenFiTech, hoping that they can design a new, cutting-edge website for Outliers Inc.’s foundering business. During negotiations, a ZenFiTech representat
A. The resulting obligation to notify data subjects would involve disproportionate effort
B. The incident resulted from the actions of a third-party that were beyond their control
C. The destruction of the stolen data makes any risk to the affected data subjects unlikely
D. The sensitivity of the categories of data involved in the incident was not substantial enough
Correct Answer: A
Question #2
A Spanish electricity customer calls her local supplier with questions about the company’s upcoming merger. Specifically, the customer wants to know the recipients to whom her personal data will be disclosed once the merger is final. According to Article 13 of the GDPR, what must the company do before providing the customer with the requested information?
A. Verify that the request is applicable to the data collected before the GDPR entered into force
B. Verify that the purpose of the request from the customer is in line with the GDPR
C. Verify that the personal data has not already been sent to the customer
D. Verify that the identity of the customer can be proven by other means
Correct Answer: B
Question #3
When hiring a data processor, which action would a data controller NOT be able to depend upon to avoid liability in the event of a security breach?
A. Documenting due diligence steps taken in the pre-contractual stage
B. Conducting a risk assessment to analyze possible outsourcing threats
C. Requiring that the processor directly notify the appropriate supervisory authority
D. Maintaining evidence that the processor was the best possible market choice available
Correct Answer: C
Question #4
What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?
A. The controller will be liable to pay an administrative fine
B. The processor will be liable to pay compensation to affected data subjects
C. The processor will be considered to be a controller in respect of the processing concerned
D. The controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved
Correct Answer: D
Question #5
Under the GDPR, who would be LEAST likely to be allowed to engage in the collection, use, and disclosure of a data subject’s sensitive medical information without the data subject’s knowledge or consent?
A. A member of the judiciary involved in adjudicating a legal dispute involving the data subject and concerning the health of the data subject
B. A public authority responsible for public health, where the sharing of such information is considered necessary for the protection of the general populace
C. A health professional involved in the medical care for the data subject, where the data subject’s life hinges on the timely dissemination of such information
D. A journalist writing an article relating to the medical condition in question, who believes that the publication of such information is in the public interest
Correct Answer: B
Question #6
According to the E-Commerce Directive 2000/31/EC, where is the place of “establishment” for a company providing services via an Internet website confirmed by the GDPR?
A. Where the technology supporting the website is located
B. Where the website is accessed
C. Where the decisions about processing are made
D. Where the customer’s Internet service provider is located
Correct Answer: D
Question #7
WP29’s “Guidelines on Personal data breach notification under Regulation 2016/679” provides examples of ways to communicate data breaches transparently. Which of the following was listed as a method that would NOT be effective for communicating a breach to data subjects?
A. A postal notification
B. A direct electronic message
C. A notice on a corporate blog
D. A prominent advertisement in print media
Correct Answer: C
Question #8
Which of the following describes a mandatory requirement for a group of undertakings that wants to appoint a single data protection officer?
A. The group of undertakings must obtain approval from a supervisory authority
B. The group of undertakings must be comprised of organizations of similar sizes and functions
C. The data protection officer must be located in the country where the data controller has its main establishment
D. The data protection officer must be easily accessible from each establishment where the undertakings are located
Correct Answer: A
Question #9
In 2016’s Guidance, the United Kingdom’s Information Commissioner’s Office (ICO) reaffirmed the importance of using a “layered notice” to provide data subjects with what?
A. A privacy notice containing brief information whilst offering access to further detail
B. A privacy notice explaining the consequences for opting out of the use of cookies on a website
C. An explanation of the security measures used when personal data is transferred to a third party
D. An efficient means of providing written consent in member states where they are required to do so
Correct Answer: A
Question #10
Under the GDPR, where personal data is not obtained directly from the data subject, a controller is exempt from directly providing information about processing to the data subject if?
A. The data subject already has information regarding how his data will be used
B. The provision of such information to the data subject would be too problematic
C. Third-party data would be disclosed by providing such information to the data subject
D. The processing of the data subject’s data is protected by appropriate technical measures
Correct Answer: A
Question #11
SCENARIO Please use the following to answer the next question: Jason, a long-time customer of ABC insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Jason has been plagued by texts and calls from a company called Erbium Insurance offering to help him recover compensation for personal injury. Jason has heard about insurance companies selling customers’ data to third parties, and he’s convinced that Erbium must have gotten his information from ABC. Jason has also been
A. If Erbium is entitled to use of the data as an affiliate of ABC
B. If Erbium also uses the data to conduct public health research
D. If the accuracy of the data is not an aspect that Jason is disputing
Correct Answer: A
Question #12
An employee of company ABCD has just noticed that a memory stick containing records of client data, including their names, addresses and full contact details, has disappeared. The data on the stick is unencrypted and in clear text. It is uncertain what has happened to the stick at this stage, but it likely was lost during the travel of an employee. What should the company do?
A. Notify as soon as possible the data protection supervisory authority that a data breach may have taken place
B. Launch an investigation and if nothing is found within one month, notify the data protection supervisory authority
C. Invoke the “disproportionate effort” exception under Article 33 to postpone notifying data subjects until more information can be gathered
D. Immediately notify all the customers of the company that their information has been accessed by an unauthorized person
Correct Answer: C
Question #13
SCENARIO Please use the following to answer the next question: Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick ente
A. It determines how long to retain the personal data collected
B. It has been provided access to personal data in the MarketIQ database
C. It uses personal data to improve its products and services for its client-base through machine learning
D. It makes decisions regarding the technical and organizational measures necessary to protect the personal data
Correct Answer: C
Question #14
SCENARIO Please use the following to answer the next question: Jason, a long-time customer of ABC insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Jason has been plagued by texts and calls from a company called Erbium Insurance offering to help him recover compensation for personal injury. Jason has heard about insurance companies selling customers’ data to third parties, and he’s convinced that Erbium must have gotten his information from ABC. Jason has also been
A. ABC does not have a duty to transfer Jason’s data to Xentron if doing so is legitimately not technically feasible
B. ABC does not have to transfer Jason’s data to Xentron because the right to data portability does not apply where personal data are processed in order to carry out tasks in the public interest
C. ABC has failed to comply with the duty to transfer Jason’s data to Xentron because the duty applies wherever personal data are processed by automated means and necessary for the performance of a contract with the customer
D. ABC has failed to comply with the duty to transfer Jason’s data to Xentron because it has an obligation to develop commonly used, machine-readable and interoperable formats so that all customer data can be ported to other insurers on request
Correct Answer: B
Question #15
Which sentence BEST summarizes the concepts of “fairness,” “lawfulness” and “transparency”, as expressly required by Article 5 of the GDPR?
A. Fairness and transparency refer to the communication of key information before collecting data; lawfulness refers to compliance with government regulations
B. Fairness refers to limiting the amount of data collected from individuals; lawfulness refers to the approval of company guidelines by the state; transparency solely relates to communication of key information before collecting data
C. Fairness refers to the security of personal data; lawfulness and transparency refer to the analysis of ordinances to ensure they are uniformly enforced
D. Fairness refers to the collection of data from diverse subjects; lawfulness refers to the need for legal rules to be uniform; transparency refers to giving individuals access to their data
Correct Answer: A
Question #16
Under which of the following conditions does the General Data Protection Regulation NOT apply to the processing of personal data?
A. When the personal data is processed only in non-electronic form
B. When the personal data is collected and then pseudonymised by the controller
C. When the personal data is held by the controller but not processed for further purposes
D. When the personal data is processed by an individual only for their household activities
Correct Answer: A
Question #17
What obligation does a data controller or processor have after appointing a data protection officer?
A. To ensure that the data protection officer receives sufficient instructions regarding the exercise of his or her defined tasks
B. To provide resources necessary to carry out the defined tasks of the data protection officer and to maintain his or her expert knowledge
C. To ensure that the data protection officer acts as the sole point of contact for individuals’ questions about their personal data
D. To submit for approval to the data protection officer a code of conduct to govern organizational practices and demonstrate compliance with data protection principles
Correct Answer: D
Question #18
SCENARIO Please use the following to answer the next question: You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular t
A. The child, as the user of the action figure, can provide consent himself, as long as no information is shared for marketing purposes
B. Written authorization attesting to the responsible use of children’s data would need to be obtained from the supervisory authority
C. Consent for data collection is implied through the parent’s purchase of the action figure for the child
D. Parental consent for a child’s use of the action figures would have to be obtained before any data could be collected
Correct Answer: D
Question #19
Article 5(1)(b) of the GDPR states that personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.” Based on Article 5(1)(b), what is the impact of a member state’s interpretation of the word “incompatible”?
A. It dictates the level of security a processor must follow when using and storing personal data for two different purposes
B. It guides the courts on the severity of the consequences for those who are convicted of the intentional misuse of personal data
C. It sets the standard for the level of detail a controller must record when documenting the purpose for collecting personal data
D. It indicates the degree of flexibility a controller has in using personal data in ways that may vary from its original intended purpose
Correct Answer: B
Question #20
How is the retention of communications traffic data for law enforcement purposes addressed by European data protection law?
A. The ePrivacy Directive allows individual EU member states to engage in such data retention
B. The ePrivacy Directive harmonizes EU member states’ rules concerning such data retention
C. The Data Retention Directive’s annulment makes such data retention now permissible
D. The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal offences only
Correct Answer: D
Question #21
SCENARIO Please use the following to answer the next question: You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular t
A. The company has offices in the EU
B. The company employs staff in the EU
C. The company’s data center is located in a country outside the EU
D. The company’s products are marketed directly to EU customers
Correct Answer: D
Question #22
SCENARIO Please use the following to answer the next question: Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry […] A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn’t sure whether or not this is required […] B. This database will be stored in a test environment hosted on Company C’s U
A. Hiring companies whose measures are consistent with recommendations of accrediting bodies
B. Requesting advice and technical support from Company A’s IT team
C. Avoiding the use of another company’s data to improve their own services
D. Vetting companies’ measures with the appropriate supervisory authority
Correct Answer: C
Question #23
SCENARIO Please use the following to answer the next question: You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular t
A. Encrypt the data in transit over the wireless Bluetooth connection
B. Include dual-factor authentication before each use by a child in order to ensure a minimum amount of security
C. Include three-factor authentication before each use by a child in order to ensure the best level of security possible
D. Insert contractual clauses into the contract between the toy manufacturer and the cloud service provider, since South Africa is outside the European Union
Correct Answer: D
Question #24
SCENARIO Please use the following to answer the next question: Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry […] A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn’t sure whether or not this is required […] B. This database will be stored in a test environment hosted on Company C’s U
A. Their omission of data protection provisions in their contract with Company C
B. Their failure to provide sufficient security safeguards to Company A’s data
C. Their engagement of Company C to improve their payroll service
D. Their decision to operate without a data protection officer
Correct Answer: B
Question #25
A well-known video production company, based in Spain but specializing in documentaries filmed worldwide, has just finished recording several hours of footage featuring senior citizens in the streets of Madrid. Under what condition would the company NOT be required to obtain the consent of everyone whose image they use for their documentary?
A. If obtaining consent is deemed to involve disproportionate effort
B. If obtaining consent is deemed voluntary by local legislation
C. If the company limits the footage to data subjects solely of legal age
D. If the company’s status as a documentary provider allows it to claim legitimate interest
Correct Answer: D
Question #26
Which of the following does NOT have to be included in the records most processors must maintain in relation to their data processing activities?
A. Name and contact details of each controller on behalf of which the processor is acting
B. Categories of processing carried out on behalf of each controller for which the processor is acting
C. Details of transfers of personal data to a third country carried out on behalf of each controller for which the processor is acting
D. Details of any data protection impact assessment conducted in relation to any processing activities carried out by the processor on behalf of each controller for which the processor is acting
Correct Answer: D
Question #27
Under Article 21 of the GDPR, a controller must stop profiling when requested by a data subject, unless it can demonstrate compelling legitimate grounds that override the interests of the individual. In the Guidelines on Automated individual decision-making and Profiling, the WP 29 says the controller needs to do all of the following to demonstrate that it has such legitimate grounds EXCEPT?
A. Carry out an exercise that weighs the interests of the controller and the basis for the data subject’s objection
B. Consider the impact of the profiling on the data subject’s interest, rights and freedoms
C. Demonstrate that the profiling is for the purposes of direct marketing
D. Consider the importance of the profiling to their particular objective
Correct Answer: C
Question #28
SCENARIO Please use the following to answer the next question: Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick ente
A. Liem is a controller and EcoMick is a processor because Liem provides specific instructions regarding how the marketing campaigns should be rolled out
B. EcoMick and JaphSoft are controllers and Liem is a processor because EcoMick is sharing its marketing data with Liem for contacts in Europe
C. JaphSoft is the sole processor because it processes personal data on behalf of its clients
D. Liem and EcoMick are joint controllers because they carry out joint marketing activities
Correct Answer: C
Question #29
SCENARIO Please use the following to answer the next question: Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records: Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information. Staff records, including auto
A. More information about Frank’s data protection training
B. More information about the extent of the information loss
C. More information about the algorithm Frank used to mask student numbers
D. More information about what students have been told and how the research will be used
Correct Answer: D
Question #30
When collecting personal data in a European Union (EU) member state, what must a company do if it collects personal data from a source other than the data subjects themselves?
A. Inform the subjects about the collection
B. Provide a public notice regarding the data
C. Upgrade security to match that of the source
D. Update the data within a reasonable timeframe
Correct Answer: A
Question #31
Under what circumstances would the GDPR apply to personal data that exists in physical form, such as information contained in notebooks or hard copy files?
A. Only where the personal data is produced as a physical output of specific automated processing activities, such as printing, labelling, or stamping
B. Only where the personal data is to be subjected to specific computerized processing, such as image scanning or optical character recognition
C. Only where the personal data is treated by automated means in some way, such as computerized distribution or filing
D. Only where the personal data is handled in a sufficiently structured manner so as to form part of a filing system
Correct Answer: D
Question #32
SCENARIO Please use the following to answer the next question: Outliers Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Jonathan, suspects that this is partly due to the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company ZenFiTech, hoping that they can design a new, cutting-edge website for Outliers Inc.’s foundering business. During negotiations, a ZenFiTech representat
A. Because not all of the cookies are strictly necessary to enable the use of a service requested from Outliers Inc
B. Because of the categories of data involved, explicit consent for the use of cookies must be obtained separately from customers
C. Because ZenFiTech will receive only aggregate statistics of data collected from the cookies, no additional consent is necessary
D. Because the use of cookies involves the potential for location tracking, explicit consent must be obtained from customers
Correct Answer: C
Question #33
Company X has entrusted the processing of their payroll data to Provider Y. Provider Y stores this encrypted data in its server. The IT department of Provider Y finds out that someone managed to hack into the system and take a copy of the data from its server. In this scenario, whom does Provider Y have the obligation to notify?
A. The public
B. Company X
C. Law enforcement
D. The supervisory authority
Correct Answer: A
Question #34
SCENARIO Please use the following to answer the next question: You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular t
A. The NFC portal can read any data stored in the action figures
B. The information about the data processing involved has not been specified
C. The cloud service provider is in a country that has not been deemed adequate
D. The RFID tag in the action figures has the potential for misuse because of the toy’s evolving capabilities
Correct Answer: B
Question #35
Under the GDPR, which essential pieces of information must be provided to data subjects before collecting their personal data?
A. The authority by which the controller is collecting the data and the third parties to whom the data will be sent
B. The name/s of relevant government agencies involved and the steps needed for revising the data
C. The identity and contact details of the controller and the reasons the data is being collected
D. The contact information of the controller and a description of the retention policy
Correct Answer: C