Master European data protection law and GDPR compliance for the IAPP CIPP/E certification, with a worked explanation on every practice question.
Free sample questions
No account needed. Every question has a worked explanation, just like the full bank.
Free sample: European Data Protection Law and Regulation (difficulty: hard)
A bank uses a fully automated model to decide whether to grant unsecured personal loans, with no human involvement before the decision is communicated to the applicant. A rejected applicant asks to understand and contest the outcome. The bank relies on this automated process because it is necessary for entering into the loan contract the applicant requested. Which safeguard must the bank provide to comply with the rules on solely automated decisions producing legal or similarly significant effects?
- A. It must implement, at minimum, the right to obtain human intervention, to express the applicant's point of view, and to contest the decision. (Correct)
- B. It must obtain fresh explicit consent from the applicant before the automated decision can be relied upon, regardless of the contractual necessity.
- C. It must disclose the full source code and weights of the scoring model so the applicant can independently reproduce the decision.
- D. It must escalate every rejected application to the supervisory authority for prior review before the decision becomes final.
Solely automated decisions with significant effects taken on contractual necessity require safeguards of human intervention, expression of view, and the right to contest. Where a solely automated decision with legal or similarly significant effects is permitted because it is necessary for a contract, the controller must implement suitable safeguards, expressly including the data subject's right to obtain human intervention, to express their point of view, and to contest the decision, rather than fresh consent or authority pre-approval.
Why A is correct: for solely automated decisions with legal or similarly significant effects based on contractual necessity, the controller must put in place suitable measures including at least the right to human intervention, to express a point of view, and to contest the decision.
Why B is wrong: This is tempting because consent is one possible basis, but where the automated decision is necessary for entering into a contract the rules permit it without separate explicit consent, provided suitable safeguards are in place.
Why C is wrong: This overstates the transparency duty: the applicant is owed meaningful information about the logic involved, not the entire source code and weights, which would expose disproportionate detail and is not required.
Why D is wrong: This confuses safeguards with supervision: there is no requirement to send each rejection to the authority for prior review, and the duty is to provide internal safeguards such as human intervention and the right to contest.
Free sample: European Data Protection: Scope and Accountability (difficulty: medium)
A national supervisory authority is preparing to adopt a list of processing operations that require a data protection impact assessment in its territory. Before the list takes effect, the authority is required to engage a Union-level mechanism. Which body must it involve, and for what purpose?
- A. The European Commission, which must approve the list as an implementing measure before it can be applied nationally.
- B. The European Data Protection Board, which issues an opinion under the consistency mechanism to promote a harmonised approach across authorities. (Correct)
- C. The European Data Protection Supervisor, which reviews the list because DPIA obligations originate in the rules governing EU institutions.
- D. The Court of Justice of the European Union, which validates the list to ensure it complies with the Charter of Fundamental Rights.
Recognise that national DPIA lists go to the EDPB for a consistency opinion to harmonise practice across supervisory authorities. The consistency mechanism requires national authorities to communicate certain measures, including lists of processing requiring a DPIA, to the EDPB. The Board issues an opinion so that comparable processing is treated consistently across Member States, reflecting the EDPB's harmonising mandate rather than approval by the Commission or a court.
Why A is wrong: Tempting because the Commission adopts implementing acts elsewhere in the GDPR, but DPIA lists are communicated to the EDPB for consistency, not submitted to the Commission for approval.
Why B is correct: lists of processing requiring a DPIA are subject to the consistency mechanism, so the authority communicates the list to the EDPB, which gives an opinion to keep such lists consistent across the Union.
Why C is wrong: Tempting because the EDPS works on data protection at Union level, but it supervises EU institutions and does not review national authorities' DPIA lists, which fall under the EDPB's consistency role.
Why D is wrong: Tempting because the Charter underpins data protection, but the CJEU does not pre-clear administrative lists; consistency review of DPIA lists is an EDPB function under the cooperation framework.
Free sample: European Data Protection Law and Regulation (difficulty: medium)
A retailer's laptop holding a spreadsheet of 4,000 customer email addresses and order totals is stolen from a parked car. The entire disk was protected with strong, state-of-the-art full-disk encryption, the key was not stored on or with the device, and no copy of the key was compromised. How does this encryption affect the retailer's GDPR obligation to communicate the breach to the affected customers?
- A. It removes the obligation to notify the supervisory authority, but the controller must still communicate the breach directly to every affected individual.
- B. It has no effect on the communication duty, because the theft of the device is itself a high-risk event regardless of the technical measures applied to the data.
- C. It removes the obligation to communicate to individuals, because robust encryption rendering the data unintelligible can mean the breach is unlikely to result in a high risk to them. (Correct)
- D. It has no effect, because Article 34 only allows the encryption exemption where the data subjects have separately consented to encrypted processing.
Understand that encryption rendering data unintelligible can exempt a controller from communicating a breach to individuals under Article 34. Article 34(1) requires communication to individuals only when a breach is likely to result in a high risk, and Article 34(3)(a) lets a controller avoid that communication where it has applied measures, such as encryption that makes the data unintelligible to unauthorised persons, that mean the high risk is no longer likely to materialise.
Why A is wrong: This inverts the rule: the supervisory-authority test in Article 33 turns on risk generally, while encryption most directly affects whether the data is intelligible and therefore whether the high-risk individual-communication duty under Article 34 is triggered.
Why B is wrong: This is tempting because device theft sounds inherently serious, but it is wrong: Article 34(3)(a) expressly lets appropriate technical measures such as encryption reduce the assessed risk so that individual communication is not required.
Why C is correct: Article 34(3)(a) exempts communication to individuals where the controller has applied protection measures, such as encryption, that render the data unintelligible to anyone not authorised to access it, so properly implemented encryption can defeat the high-risk threshold.
Why D is wrong: This invents a condition: Article 34(3)(a) does not require any consent to encrypted processing; it simply asks whether the implemented protective measures render the personal data unintelligible to unauthorised persons.
Examworthy is not affiliated with or endorsed by IAPP. All questions are original, blueprint-aligned practice material. We never reproduce live exam items. CIPP-E and related marks belong to their respective owners.