Objectives in this domain

Know the legal bases for processing employee data, understand issues related to storing personnel records and workplace monitoring, and know the role of EU Works Councils and whistleblowing systems.
Section 5.1medium
Understand the compliance issues related to surveillance by public authorities, interception of communications, CCTV, geolocation, and biometrics/facial recognition, including EDPB guidelines.
Section 5.2hard
Understand the compliance requirements for processing personal data for marketing activities and the rules for online behavioural targeting, including EDPB guidelines.
Section 5.3medium
Understand the compliance issues related to cloud computing, web cookies, social media dark patterns, search engine marketing, and the ethical and compliance issues related to artificial intelligence and machine learning.
Section 5.4hard

Sample question from this domain

Free sampleCompliance with European Data Protection Law and Regulationhard

An airport operator wants to let passengers pass through boarding gates using live facial recognition matched against a template created at check-in. Legal asks whether the GDPR treats the facial templates as a special category of data and, if so, what that means for the lawful basis. Which statement best reflects the GDPR position on this processing?

AThe templates are ordinary personal data because a photograph only becomes special category data once it is published, so Article 6 alone governs the boarding gates.
BBecause boarding is a contractual necessity, Article 9 is automatically satisfied and no separate special category condition needs to be identified.
CFacial recognition for access control falls under the general prohibition on automated decision-making, so the only requirement is offering passengers human review of any non-match.
DThe templates are biometric data processed for unique identification and therefore special category data, so an Article 9 exception, typically explicit consent, must apply on top of an Article 6 basis. Correct

Identify that biometric data processed for unique identification is special category data requiring both an Article 6 basis and an Article 9 condition. Article 9(1) classifies biometric data processed for the purpose of uniquely identifying a natural person as special category data, which is prohibited unless an Article 9(2) exception applies; the controller must therefore layer a special category condition such as explicit consent over an ordinary lawful basis.

Why A is wrong: This conflates a plain photograph with biometric processing; publication is irrelevant, and once the image is processed through specific technical means for unique identification it becomes biometric special category data, so Article 6 alone is insufficient.

Why B is wrong: Contractual necessity is an Article 6 basis only; Article 9 contains its own exhaustive list of conditions, and necessity for a contract is not among them, so a separate Article 9 condition is still required.

Why C is wrong: Automated decision rights may be engaged, but they do not displace the Article 9 special category analysis; the question of whether a valid exception authorises the biometric processing remains, so this answer misidentifies the core issue.

Why D is correct: Biometric data processed for the purpose of uniquely identifying a person is special category data under Article 9(1), so the controller needs an Article 9 condition such as explicit consent in addition to an Article 6 lawful basis.

Other domains in this exam

Introduction to European Data Protection13% of the exam
European Data Protection Law and Regulation31% of the exam
European Data Processing23% of the exam
European Data Protection: Scope and Accountability17% of the exam

See also the CIPP-E cert hub, the study guide, and the cheat sheet.