Latest CIPP Practice Tests and Exam Dumps 2024, Certified International Purchasing Professional | SPOTO

Explore our latest offerings of CIPP Practice Tests and Exam Dumps for 2024 at SPOTO. Our comprehensive resources encompass a variety of exam preparation tools including practice tests, free tests, online exam questions, sample questions, and meticulously curated exam dumps. With our mock exams, you can simulate the test environment and assess your knowledge retention effectively. The Certified Information Privacy Professional/Europe (CIPP/E) certification demands a robust understanding of European privacy laws, regulations, and legal requirements concerning the transfer of sensitive personal data across borders. Our exam materials are tailored to equip you with the necessary expertise to excel in this certification. Trust SPOTO to provide you with the latest practice tests that will aid you in passing the certification exam successfully. Prepare with confidence and elevate your career as a Certified International Purchasing Professional with SPOTO's unparalleled exam resources.

Question #1
Which type of personal data does the GDPR define as a “special category” of personal data?
A. Educational history
B. Trade-union membership
C. Closed Circuit Television (CCTV) footage
D. Financial information
Correct Answer: B
Question #2
Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?
A. The European Commission can adopt an adequacy decision for individual companies
B. The European Commission can adopt, repeal or amend an existing adequacy decision
C. EU member states are vested with the power to accept or reject a European Commission adequacy decision
D. To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation
Correct Answer: D
Question #3
An online company’s privacy practices vary due to the fact that it offers a wide variety of services. How could it best address the concern that explaining them all would make the policies incomprehensible?
A. Use a layered privacy notice on its website and in its email communications
B. Identify uses of data in a privacy notice mailed to the data subject
C. Provide only general information about its processing activities and offer a toll-free number for more information
D. Place a banner on its website stipulating that visitors agree to its privacy policy and terms of use by visiting the site
Correct Answer: B
Question #4
An organisation receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal data. Under what condition can the organisation charge the data subject for processing the request?
A. Only where the organisation can show that it is reasonable to do so because more than one request was made
B. Only to the extent this is allowed under the restrictions on data subjects’ rights introduced under Art 23 of GDPR
C. Only where the administrative costs of taking the action requested exceeds a certain threshold
D. Only if the organisation can demonstrate that the request is clearly excessive or misguided
Correct Answer: B
Question #5
SCENARIO Please use the following to answer the next question: You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular t
A. The company has offices in the EU
B. The company employs staff in the EU
C. The company’s data center is located in a country outside the EU
D. The company’s products are marketed directly to EU customers
Correct Answer: B
Question #6
What term BEST describes the European model for data protection?
A. Sectoral
B. Self-regulatory
C. Market-based
D. Comprehensive
Correct Answer: B
Question #7
The GDPR requires controllers to supply data subjects with detailed information about the processing of their data. Where a controller obtains data directly from data subjects, which of the following items of information does NOT legally have to be supplied?
A. The recipients or categories of recipients
B. The categories of personal data concerned
C. The rights of access, erasure, restriction, and portability
D. The right to lodge a complaint with a supervisory authority
Correct Answer: A
Question #8
In which case would a controller who has undertaken a DPIA most likely need to consult with a supervisory authority?
A. Where the DPIA identifies that personal data needs to be transferred to other countries outside of the EEA
B. Where the DPIA identifies high risks to individuals’ rights and freedoms that the controller can take steps to reduce
C. Where the DPIA identifies that the processing being proposed collects the sensitive data of EU citizens
D. Where the DPIA identifies risks that will require insurance for protecting its business interests
Correct Answer: B
Question #9
Under Article 80(1) of the GDPR, individuals can elect to be represented by not-for-profit organizations in a privacy group litigation or class action. These organizations are commonly known as?
A. Law firm organizations
B. Civil society organizations
C. Human rights organizations
D. Constitutional rights organizations
Correct Answer: C
Question #10
If a multi-national company wanted to conduct background checks on all current and potential employees, including those based in Europe, what key provision would the company have to follow?
A. Background checks on employees could be performed only under prior notice to all employees
B. Background checks are only authorized with prior notice and express consent from all employees including those based in Europe
C. Background checks on European employees will stem from data protection and employment law, which can vary between member states
D. Background checks may not be allowed on European employees, but the company can create lists based on its legitimate interests, identifying individuals who are ineligible for employment
Correct Answer: B
Question #11
Which of the following is the weakest lawful basis for processing employee personal data?
A. Processing based on fulfilling an employment contract
B. Processing based on employee consent
C. Processing based on legitimate interests
D. Processing based on legal obligation
Correct Answer: B
Question #12
An employee of company ABCD has just noticed a memory stick containing records of client data, including their names, addresses and full contact details has disappeared. The data on the stick is unencrypted and in clear text. It is uncertain what has happened to the stick at this stage, but it likely was lost during the travel of an employee. What should the company do?
A. Notify as soon as possible the data protection supervisory authority that a data breach may have taken place
B. Launch an investigation and if nothing is found within one month, notify the data protection supervisory authority
C. Invoke the “disproportionate effort” exception under Article 33 to postpone notifying data subjects until more information can be gathered
D. Immediately notify all the customers of the company that their information has been accessed by an unauthorized person
Correct Answer: D
Question #13
SCENARIO Please use the following to answer the next question: The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron’s marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotr
A. Age restrictions are more stringent when health data is involved
B. Users are only required to be aged 13 or over to be considered adults
C. Organizations must make reasonable efforts to verify parental consent
D. Organizations that tie a service to marketing must seek consent for each purpose
Correct Answer: D
Question #14
Article 9 of the GDPR lists exceptions to the general prohibition against processing biometric data. Which of the following is NOT one of these exceptions?
A. The processing is done by a non-profit organization and the results are disclosed outside the organization
B. The processing is necessary to protect the vital interests of the data subject when he or she is incapable of giving consent
C. The processing is necessary for the establishment, exercise or defense of legal claims when courts are acting in a judicial capacity
D. The processing is explicitly consented to by the data subject and he or she is allowed by Union or Member State law to lift the prohibition
Correct Answer: D
Question #15
When may browser settings be relied upon for the lawful application of cookies?
A. When a user rejects cookies that are strictly necessary
B. When users are aware of the ability to adjust their settings
C. When users are provided with information about which cookies have been set
D. When it is impossible to bypass the choices made by users in their browser settings
Correct Answer: B
Question #16
How is the GDPR’s position on consent MOST likely to affect future app design and implementation?
A. App developers will expand the amount of data necessary to collect for an app’s functionality
B. Users will be given granular types of consent for particular types of processing
C. App developers’ responsibilities as data controllers will increase
D. Users will see fewer advertisements when using apps
Correct Answer: A
Question #17
A multinational company is appointing a mandatory data protection officer. In addition to considering the rules set out in Article 37 (1) of the GDPR, which of the following actions must the company also undertake to ensure compliance in all EU jurisdictions in which it operates?
A. Consult national derogations to evaluate if there are additional cases to be considered in relation to the matter
B. Conduct a Data Protection Privacy Assessment on the processing operations of the company in all the countries it operates
C. Assess whether the company has more than 250 employees in each of the EU member-states in which it is established
D. Revise the data processing activities of the company that affect more than one jurisdiction to evaluate whether they comply with the principles of privacy by design and by default
Correct Answer: B
Question #18
When assessing the level of risk created by a data breach, which of the following would NOT have to be taken into consideration?
A. The ease of identification of individuals
B. The size of any data processor involved
C. The special characteristics of the data controller
D. The nature, sensitivity and volume of personal data
Correct Answer: B
Question #19
As a result of the European Court of Justice’s ruling in the case of Google v. Spain, search engines outside the EEA are also likely to be subject to the Regulation’s right to be forgotten. This holds true if the activities of an EU subsidiary and its U.S. parent are what?
A. Supervised by the same Data Protection Officer
B. Consistent with Privacy Shield requirements
C. Bound by a standard contractual clause
D. Inextricably linked in their businesses
Correct Answer: A
Question #20
What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014?
A. The requirements affected individuals without exception
B. The requirements were financially burdensome to EU businesses
C. The requirements specified that data must be held within the EU
D. The requirements had limitations on how national authorities could use data
Correct Answer: B
Question #21
Which of the following is NOT a role of works councils?
A. Determining the monetary fines to be levied against employers for data breach violations of employee data
B. Determining whether to approve or reject certain decisions of the employer that affect employees
C. Determining whether employees’ personal data can be processed or not
D. Determining what changes will affect employee working conditions
Correct Answer: D
Question #22
SCENARIO Please use the following to answer the next question: Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick ente
A. It determines how long to retain the personal data collected
B. It has been provided access to personal data in the MarketIQ database
C. It uses personal data to improve its products and services for its client-base through machine learning
D. It makes decisions regarding the technical and organizational measures necessary to protect the personal data
Correct Answer: A
Question #23
With respect to international transfers of personal data, the European Data Protection Board (EDPB) confirmed that derogations may be relied upon under what condition?
A. If the data controller has received preapproval from a Data Protection Authority (DPA), after submitting the appropriate documents
B. When it has been determined that adequate protection can be performed
C. Only if the Data Protection Impact Assessment (DPIA) shows low risk
D. Only as a last resort and when interpreted restrictively
Correct Answer: A
Question #24
Article 58 of the GDPR describes the power of supervisory authorities. Which of the following is NOT among those granted?
A. Legislative powers
B. Corrective powers
C. Investigatory powers
D. Authorization and advisory powers
Correct Answer: C
Question #25
Pursuant to Article 4(5) of the GDPR, data is considered “pseudonymized” if?
A. It cannot be attributed to a data subject without the use of additional information
B. It cannot be attributed to a person under any circumstances
C. It can only be attributed to a person by the controller
D. It can only be attributed to a person by a third party
Correct Answer: A
Question #26
What are the obligations of a processor that engages a sub-processor?
A. The processor must give the controller prior written notice and perform a preliminary audit of the sub-processor
B. The processor must obtain the controller’s specific written authorization and provide annual reports on the sub-processor’s performance
C. The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned
D. The processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor
Correct Answer: B
Question #27
According to Article 14 of the GDPR, how long does a controller have to provide a data subject with necessary privacy information, if that subject’s personal data has been obtained from other sources?
A. As soon as possible after obtaining the personal data
B. As soon as possible after the first communication with the data subject
C. Within a reasonable period after obtaining the personal data, but no later than one month
D. Within a reasonable period after obtaining the personal data, but no later than eight weeks
Correct Answer: D