CIPP-E domain - 31% of the exam

European Data Protection Law and Regulation

European Data Protection Law and Regulation is 31% of the Certified Information Privacy Professional/Europe (CIPP/E) exam. These are the objectives it covers, each with practice questions and worked explanations.

Objectives in this domain

Sample question from this domain

Free sample | European Data Protection Law and Regulation | hard

A bank uses a fully automated model to decide whether to grant unsecured personal loans, with no human involvement before the decision is communicated to the applicant. A rejected applicant asks to understand and contest the outcome. The bank relies on this automated process because it is necessary for entering into the loan contract the applicant requested. Which safeguard must the bank provide to comply with the rules on solely automated decisions producing legal or similarly significant effects?

  • A. It must implement, at minimum, the right to obtain human intervention, to express the applicant's point of view, and to contest the decision. (Correct)
  • B. It must obtain fresh explicit consent from the applicant before the automated decision can be relied upon, regardless of the contractual necessity.
  • C. It must disclose the full source code and weights of the scoring model so the applicant can independently reproduce the decision.
  • D. It must escalate every rejected application to the supervisory authority for prior review before the decision becomes final.

Solely automated decisions with significant effects taken on contractual necessity require safeguards of human intervention, expression of view, and the right to contest. Where a solely automated decision with legal or similarly significant effects is permitted because it is necessary for a contract, the controller must implement suitable safeguards, expressly including the data subject's right to obtain human intervention, to express their point of view, and to contest the decision, rather than fresh consent or authority pre-approval.

Why A is correct: For solely automated decisions with legal or similarly significant effects based on contractual necessity, the controller must put in place suitable measures including at least the right to human intervention, to express a point of view, and to contest the decision.

Why B is wrong: This is tempting because consent is one possible basis, but where the automated decision is necessary for entering into a contract the rules permit it without separate explicit consent, provided suitable safeguards are in place.

Why C is wrong: This overstates the transparency duty: the applicant is owed meaningful information about the logic involved, not the entire source code and weights, which would expose disproportionate detail and is not required.

Why D is wrong: This confuses safeguards with supervision: there is no requirement to send each rejection to the authority for prior review, and the duty is to provide internal safeguards such as human intervention and the right to contest.

Other domains in this exam

See also the CIPP-E cert hub, the study guide, and the cheat sheet.

Examworthy is not affiliated with or endorsed by IAPP. Original, blueprint-aligned practice material only.