Certified Information Privacy Professional/Europe (CIPP/E) cheat sheet
IAPP
Free to share. Examworthy is not affiliated with or endorsed by IAPP; CIPP-E and related marks belong to their respective owners.
At a glance
Format: Multiple choice, online proctored (Pearson VUE) or in-person test centre
Domain weight map
Heaviest first - spend your time here
How this exam thinks
CIPP/E tests whether you can apply the GDPR to real situations, not recite it: scenarios reward the lawful, proportionate response.
Spot the trap
Tempting wrong answers, and why they fail
Tempting but wrong
A solely automated decision needed for a contract still requires fresh explicit consent before the controller can rely on it.
Why it fails
Tempting because consent is one possible basis for solely automated decisions. But where the decision is necessary for entering into a contract, the rules permit it without separate explicit consent, provided suitable safeguards such as human intervention and the right to contest are in place.
European Data Protection Law and Regulation
Tempting but wrong
Collecting unused survey fields breaches purpose limitation, because the responses are processed for an undisclosed secondary purpose.
Why it fails
Purpose limitation is plausible because excessive collection can hint at hidden uses, but nothing here shows a second purpose. The fields are simply collected and ignored, which is a minimisation failure.
European Data Processing
Tempting but wrong
A DPO who also chairs IT procurement threatens the data minimisation principle, so the fix is to reduce the volume of patient data the DPO can access.
Why it fails
Data minimisation concerns limiting collected data to what is necessary and is unrelated to the DPO's organisational position. This misdiagnoses the issue as a data-volume problem rather than the conflict of interest it actually is.
European Data Protection: Scope and Accountability
Tempting but wrong
A photograph only becomes special category data once it is published, so Article 6 alone governs facial recognition at boarding gates.
Why it fails
This conflates a plain photograph with biometric processing. Publication is irrelevant; once an image is processed through specific technical means for unique identification it becomes biometric special category data, so Article 6 alone is insufficient and an Article 9 condition is also required.
Compliance with European Data Protection Law and Regulation
Tempting but wrong
The Court of Justice of the European Union is the body that adjudicates complaints brought directly under the European Convention on Human Rights.
Why it fails
Tempting because the CJEU handles fundamental rights within Union law, but it does not adjudicate complaints brought directly under the Convention. The ECtHR is the Council of Europe court designed for that role.
Introduction to European Data Protection
Tempting but wrong
Theft of a device is itself a high-risk event, so encryption of the data has no effect on the duty to communicate the breach to individuals.
Why it fails
Tempting because device theft sounds inherently serious. But Article 34(3)(a) expressly lets appropriate technical measures such as encryption reduce the assessed risk, so that individual communication is not required when the data is rendered unintelligible.
European Data Protection Law and Regulation
Tempting but wrong
Schrems II removed Standard Contractual Clauses as a valid transfer mechanism, so the exporter must switch immediately to consent.
Why it fails
This overstates the ruling. The Court invalidated the Privacy Shield but upheld SCCs as valid, so the controller need not abandon them in favour of consent; it must instead assess the destination and add supplementary measures.
European Data Processing
Tempting but wrong
The GDPR applies to the non-EU hotel group because operating any website that EU residents can reach satisfies the establishment test in Article 3(1).
Why it fails
Tempting because the GDPR does apply here, but the basis is Article 3(2) targeting, not Article 3(1) establishment, since a reachable website is not a stable EU establishment.
European Data Protection: Scope and Accountability
Exam-day rules
- Read the actual question in the last line first. It tells you whether you are being asked for the lawful basis, the responsible party, or the correct action, so you can read the scenario looking for that.
- Choose the most correct option, not merely a defensible one. Several answers are often partly right; the exam wants the one that fits all the facts given.
- Watch for consent as a distractor. When contractual necessity or legitimate interests clearly fits, consent is usually the wrong lawful basis, especially in the employment context.
- Pin down controller or processor before answering responsibility questions. Who carries an obligation almost always turns on that role, and the scenario gives you the clues.
- Be wary of absolutes such as always, never, and any. Most GDPR rules carry conditions and exceptions, so a sweeping option is often the trap.
Revision schedule
- Day 1: Map the blueprint and set a date
- Week 1: Build the legal map (Domain 1)
- Weeks 2-3: Master the core GDPR machinery (Domain 2)
- Weeks 3-4: Work through lawful processing and transfers (Domain 3)
- Week 5: Cover scope, accountability, and compliance contexts (Domains 4 and 5)