Objectives in this domain

Understand what constitutes establishment and non-establishment in the EU and know the GDPR's scope of processing and the exemptions it allows, including EDPB guidelines on territorial scope.
Section 4.1medium
Understand the accountability requirements of controllers, joint controllers, and processors including data protection by design and by default, documentation requirements, and cooperation with regulators.
Section 4.2hard
Understand the role of data protection impact assessments (DPIAs), know the criteria for when they are mandatory, and understand the requirement for mandatory data protection officers (DPOs).
Section 4.3medium
Understand the roles and powers of the EDPB, EDPS, national supervisory authorities, and the concept of lead supervisory authority in cross-border cases.
Section 4.4medium
Know the procedures related to GDPR violations, the tiers of fines that may be imposed, and understand the conditions for class actions and data subject compensation.
Section 4.5medium

Sample question from this domain

Free sampleEuropean Data Protection: Scope and Accountabilitymedium

A national supervisory authority is preparing to adopt a list of processing operations that require a data protection impact assessment in its territory. Before the list takes effect, the authority is required to engage a Union-level mechanism. Which body must it involve, and for what purpose?

AThe European Commission, which must approve the list as an implementing measure before it can be applied nationally.
BThe European Data Protection Board, which issues an opinion under the consistency mechanism to promote a harmonised approach across authorities. Correct
CThe European Data Protection Supervisor, which reviews the list because DPIA obligations originate in the rules governing EU institutions.
DThe Court of Justice of the European Union, which validates the list to ensure it complies with the Charter of Fundamental Rights.

Recognise that national DPIA lists go to the EDPB for a consistency opinion to harmonise practice across supervisory authorities. The consistency mechanism requires national authorities to communicate certain measures, including lists of processing requiring a DPIA, to the EDPB. The Board issues an opinion so that comparable processing is treated consistently across Member States, reflecting the EDPB's harmonising mandate rather than approval by the Commission or a court.

Why A is wrong: Tempting because the Commission adopts implementing acts elsewhere in the GDPR, but DPIA lists are communicated to the EDPB for consistency, not submitted to the Commission for approval.

Why B is correct: Correct: lists of processing requiring a DPIA are subject to the consistency mechanism, so the authority communicates the list to the EDPB, which gives an opinion to keep such lists consistent across the Union.

Why C is wrong: Tempting because the EDPS works on data protection at Union level, but it supervises EU institutions and does not review national authorities' DPIA lists, which fall under the EDPB's consistency role.

Why D is wrong: Tempting because the Charter underpins data protection, but the CJEU does not pre-clear administrative lists; consistency review of DPIA lists is an EDPB function under the cooperation framework.

Other domains in this exam

Introduction to European Data Protection13% of the exam
European Data Protection Law and Regulation31% of the exam
European Data Processing23% of the exam
Compliance with European Data Protection Law and Regulation16% of the exam

See also the CIPP-E cert hub, the study guide, and the cheat sheet.