IAPP study guide

How to pass Certified Information Privacy Professional/Europe (CIPP/E) (CIPP-E)


The IAPP Certified Information Privacy Professional/Europe (CIPP/E) tests whether you understand European data protection law, above all the General Data Protection Regulation, well enough to apply it to real situations. It is a knowledge exam, not a practical one: there is no drafting, no console, and no code. Most questions are short scenarios that hand you a set of facts and ask which rule applies, who is responsible, or what the lawful course of action is. The skill being measured is legal reasoning under the GDPR, not the recall of article numbers in isolation.

It suits privacy officers, data protection officers, in-house counsel, compliance and risk staff, and anyone whose work touches personal data of people in the European Union. You do not need to be a lawyer. You do need to be comfortable reading a rule, holding several conditions in your head at once, and choosing the answer that fits all of them rather than the one that sounds reassuring. People coming from a non-legal background usually find the volume of named instruments and defined terms the hardest part, and that part is closable with disciplined study because the blueprint is finite and well published.

The exam rewards precision. Many options are partly true, or true in a different scenario, so the test is choosing the most correct answer for the facts in front of you. A lawful basis that works for one purpose does not transfer to another; consent that is not freely given is not consent. Practise on scenario questions with a worked explanation for every option so you learn why the near-miss answers fail, which is where the marks are decided.

CIPP/E tests whether you can apply the GDPR to real situations, not recite it: scenarios reward the lawful, proportionate response.

Difficulty: Intermediate

Best for: Privacy, legal, compliance, and data protection staff who need to apply European data protection law in practice.

Prerequisites: None. Exposure to the GDPR at work helps but is not required.

• Questions: 90
• Time allowed: 150 min
• Pass mark: 300 / 500
• Exam cost (USD): $550
• Practice questions: 296

How this exam thinks

The CIPP/E reasons like a regulator, and three habits separate a pass from a fail, none of which is reciting article numbers.

First, the exam is GDPR-first and lawful-basis-first. Before any processing can be lawful you must have a basis under Article 6, and the exam tests this constantly by handing you a scenario where the comfortable answer is consent and the correct answer is contractual necessity or legitimate interests. Read the scenario for the actual purpose and the actual relationship between the parties, then pick the basis that genuinely fits, not the one that sounds safest. Consent is the named wrong answer in a great many employment and service-delivery questions precisely because it is rarely freely given when there is an imbalance of power. Where it sharpens the answer, the exam expects you to reach for the exact provision: Article 6 for lawful bases, Article 9 for special categories, Article 28 for processors, Article 35 for impact assessments.

Second, the exam thinks in roles and responsibility. Almost every duty in the GDPR attaches to either the controller or the processor, and the supervisory authority decides who answers for what. Before you choose who must notify a breach, respond to an access request, or carry out an impact assessment, settle the controller-versus-processor question first, because the rest of the answer hangs on it. The facts in the scenario give you the clues: who decides the purposes and means is the controller, full stop.

Third, the exam wants the proportionate, conditional answer over the absolute one. GDPR rights and obligations almost all carry limits and exceptions, so options phrased as always, never, or in all cases are usually the trap. The right answer is the one a measured data protection officer would defend to the regulator: it addresses the actual risk, follows the principle (purpose limitation, data minimisation, accountability), and respects the data subject's rights without overreaching. When two options look defensible, pick the one that fits every fact in the scenario, not the one that is merely true in general.

What each domain tests and how to study it

The CIPP-E blueprint is split across 5 domains. Weights are the official share of the exam; see the official exam guide for the authoritative breakdown.

  1. Introduction to European Data Protection

    13% of exam

    What you must be able to do. Place each European institution and instrument on the map - what it is, when it arrived, and why it matters - and tell the Council of Europe bodies apart from the EU ones.

    In one sentence: The legal and historical scaffolding the rest of the exam assumes: where data protection came from, the instruments before the GDPR, and the institutions that make and interpret the law.

    Recall check: answer these from memory first
    • Name the instrument that predates the EU and remains the only binding international data protection treaty, and say which body produced it.
    • Which court interprets EU law, and which separate court rules on the European Convention on Human Rights? Name the body behind each.
    • Did the 1995 Data Protection Directive or the GDPR achieve direct, harmonised effect across member states, and why does that distinction matter?

    What it tests. The legal and historical scaffolding around the GDPR: the human-rights origins of data protection, early instruments such as Convention 108 and the OECD Guidelines, the move from the 1995 Data Protection Directive to a harmonised regulation, and the roles of the European institutions including the Court of Justice of the European Union, the European Commission, and the Council of Europe. It also covers the wider legislative landscape the GDPR sits in, such as the NIS 2 Directive, the ePrivacy Directive, and the EU Artificial Intelligence Act, and the implications of Brexit.

    How to study it. Treat this as the map you will navigate for the rest of the exam, so get the names and what each body actually does straight before moving on. Build a one-line note for each institution and each instrument: what it is, when it came in, and why it matters. Do not confuse the Council of Europe and the European Court of Human Rights with the EU institutions, because the exam exploits that confusion. This domain is lower weight, so secure it with focused recall practice rather than long reading.

    Easy to confuse

    • Council of Europe versus European Union institutions. The Council of Europe is a separate, wider body that produced Convention 108 and runs the European Court of Human Rights; the EU produced the GDPR and runs the CJEU. The exam deliberately offers a Council of Europe body as a distractor in EU-law questions, and the other way round.
    • Directive versus Regulation. A directive (the 1995 Data Protection Directive, the ePrivacy Directive) sets goals each member state must transpose into national law, so rules vary; a regulation (the GDPR) applies directly and uniformly. That is why the GDPR harmonised the law where the old directive fragmented it.
    • CJEU versus European Court of Human Rights. The Court of Justice of the European Union interprets EU law, including the GDPR; the European Court of Human Rights, a Council of Europe court, rules on the European Convention on Human Rights. Schrems came from the CJEU, not the ECHR.

    Worked example from the CIPP-E bank

    Free sample (Introduction to European Data Protection, medium)

    A Berlin-based SaaS company processes employee and customer personal data and is mapping which EU instruments govern its activities. Its compliance lead notes that one instrument sets out the general, cross-sector rules for processing personal data, while the others address narrower fields such as electronic communications confidentiality and the cybersecurity of essential services. Which instrument provides the general legal framework for the processing of personal data across all sectors in the EU?

    • A. The ePrivacy Directive 2002/58/EC, which sets the baseline rules for processing personal data across sectors
    • B. The NIS 2 Directive, which sets the baseline rules for processing personal data across sectors
    • C. The EU Artificial Intelligence Act, which sets the baseline rules for processing personal data across sectors
    • D. Regulation (EU) 2016/679, the General Data Protection Regulation, which sets the baseline rules for processing personal data across sectors (Correct)
    Identify the GDPR as the general cross-sector framework for processing personal data, distinct from sector-specific EU instruments. The GDPR is a directly applicable regulation that establishes the general rules for processing personal data in every sector, while ePrivacy, NIS 2, and the AI Act each address a narrower subject area and supplement the GDPR rather than displace it.

    Why A is wrong: The ePrivacy Directive is tempting because it does protect personal data, but it is sector-specific to electronic communications and confidentiality of communications, not the general framework.

    Why B is wrong: NIS 2 is tempting because it imposes broad obligations on many entities, but it governs cybersecurity risk management and incident reporting, not the general rules for processing personal data.

    Why C is wrong: The AI Act is tempting because it is a recent EU-wide regulation, but it regulates the placing on the market and use of AI systems by risk tier, not personal data processing generally.

    Why D is correct: The GDPR is the general, directly applicable instrument governing the processing of personal data across all sectors in the EU, and the other instruments supplement rather than replace it.

  2. European Data Protection Law and Regulation

    31% of exam

    What you must be able to do. State each data subject right with its trigger and limits, settle the controller-versus-processor question from the facts, and apply the conditions for valid consent as a checklist.

    In one sentence: The core machinery of the GDPR and the single largest part of the exam: what personal data is, who the controller and processor are, the data subject rights, security and breach duties, and valid consent.

    Recall check: answer these from memory first
    • List the four conditions for valid consent under Article 4(11), and say why employee consent usually fails the first one.
    • Distinguish the controller from the processor in one line each, and name who must notify the supervisory authority of a breach.
    • Name the data subject right that lets a person receive their data in a structured, machine-readable format, and state the one that is narrower than people assume because of its exceptions.

    What it tests. The core machinery of the GDPR and the single largest part of the exam: what counts as personal data, special categories, pseudonymous, and anonymous data; the controller and processor roles; the key principles of lawful processing; security obligations and breach notification; vendor management and the rules for sharing data with third parties; the full suite of data subject rights; and the conditions for valid consent and its withdrawal.

    How to study it. Spend the most time here because it carries the most marks and feeds every other domain. Be able to state each data subject right, what triggers it, and its limits, since these are heavily tested and easy to half-learn. Make the controller versus processor distinction automatic, because responsibility for an obligation usually hangs on it. Learn the conditions for valid consent as a checklist (freely given, specific, informed, and unambiguous), and remember that consent can be withdrawn as easily as it was given.

    Easy to confuse

    • Controller versus processor. The controller decides the purposes and means of processing; the processor only acts on the controller's documented instructions. Most direct GDPR obligations (lawful basis, responding to data subjects, breach notification to the authority) sit with the controller, which is why settling the role decides the answer.
    • Pseudonymous versus anonymous data. Pseudonymous data can still be linked back to a person with the key held separately, so it is personal data and the GDPR applies; truly anonymous data cannot be re-identified, so the GDPR does not apply to it at all. The exam tests this by calling reversible data anonymous.
    • Right to erasure versus right to restriction. Erasure (the right to be forgotten) deletes the data; restriction freezes it so it is stored but not otherwise processed. Restriction is the answer when accuracy or the lawfulness of processing is contested and the data must be kept while that is resolved.

    Worked example from the CIPP-E bank

    Free sample (European Data Protection Law and Regulation, hard)

    A bank uses a fully automated model to decide whether to grant unsecured personal loans, with no human involvement before the decision is communicated to the applicant. A rejected applicant asks to understand and contest the outcome. The bank relies on this automated process because it is necessary for entering into the loan contract the applicant requested. Which safeguard must the bank provide to comply with the rules on solely automated decisions producing legal or similarly significant effects?

    • A. It must implement, at minimum, the right to obtain human intervention, to express the applicant's point of view, and to contest the decision. (Correct)
    • B. It must obtain fresh explicit consent from the applicant before the automated decision can be relied upon, regardless of the contractual necessity.
    • C. It must disclose the full source code and weights of the scoring model so the applicant can independently reproduce the decision.
    • D. It must escalate every rejected application to the supervisory authority for prior review before the decision becomes final.
    Solely automated decisions with significant effects taken on contractual necessity require safeguards of human intervention, expression of view, and the right to contest. Where a solely automated decision with legal or similarly significant effects is permitted because it is necessary for a contract, the controller must implement suitable safeguards, expressly including the data subject's right to obtain human intervention, to express their point of view, and to contest the decision, rather than fresh consent or authority pre-approval.

    Why A is correct: For solely automated decisions with legal or similarly significant effects based on contractual necessity, the controller must put in place suitable measures including at least the right to human intervention, to express a point of view, and to contest the decision.

    Why B is wrong: This is tempting because consent is one possible basis, but where the automated decision is necessary for entering into a contract the rules permit it without separate explicit consent, provided suitable safeguards are in place.

    Why C is wrong: This overstates the transparency duty: the applicant is owed meaningful information about the logic involved, not the entire source code and weights, which would expose disproportionate detail and is not required.

    Why D is wrong: This confuses safeguards with supervision: there is no requirement to send each rejection to the authority for prior review, and the duty is to provide internal safeguards such as human intervention and the right to contest.

  3. European Data Processing

    23% of exam

    What you must be able to do. Pick the correct lawful basis for the facts, treat the Article 9 special-category conditions as exceptions to a prohibition, and walk the international-transfer toolkit in order.

    In one sentence: How processing is made lawful in practice: the Article 5 principles, the six lawful bases under Article 6, the stricter Article 9 conditions, transparency, and the rules for moving data outside the EU.

    Recall check: answer these from memory first
    • Name the six lawful bases under Article 6, and give the one most often misapplied as consent in an employment scenario.
    • Why does Article 9 start from a prohibition on processing special-category data, and what is the strictest condition that lifts it?
    • Put the international-transfer mechanisms in the order you would consider them: adequacy, appropriate safeguards, derogations - and say what a transfer impact assessment adds after Schrems II.

    What it tests. How processing must be carried out lawfully: the processing principles in Article 5 such as purpose limitation, data minimisation, and storage limitation; the lawful bases in Article 6 including legitimate interests and contractual necessity; the stricter conditions for special-category data under Article 9; transparency and the content of privacy notices; and the rules on international data transfers, covering adequacy, Standard Contractual Clauses, Binding Corporate Rules, the EU-US Data Privacy Framework, and transfer impact assessments after Schrems II.

    How to study it. Make the six lawful bases second nature and practise picking the right one for a scenario, because consent is often the wrong choice when contractual necessity or legitimate interests fits better. Learn the special-category conditions as the exceptions to a prohibition, not as a menu. For transfers, understand why they are restricted at all, then the toolkit in order: adequacy first, then appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules, with a transfer impact assessment where needed. This is a heavily weighted, conceptually hard domain, so do not skim it.

    Easy to confuse

    • Consent versus legitimate interests versus contractual necessity. Consent must be freely given and is withdrawable, so it is fragile where there is an imbalance of power; contractual necessity covers processing genuinely needed to perform a contract with the data subject; legitimate interests covers processing you can justify after a balancing test against the person's rights. The exam offers consent as the trap when one of the other two fits the facts better.
    • Adequacy decision versus Standard Contractual Clauses. An adequacy decision is the Commission ruling that a country's protection is essentially equivalent, so no extra safeguard is needed; Standard Contractual Clauses are the contractual fallback when there is no adequacy decision. You only reach the SCCs after confirming adequacy does not cover the destination.
    • Purpose limitation versus storage limitation. Purpose limitation restricts what you may use the data for (only the purposes you specified at collection); storage limitation restricts how long you may keep it (no longer than necessary for those purposes). One governs use, the other governs retention.

    Worked example from the CIPP-E bank

    Free sample (European Data Processing, hard)

    An employer wants to rely on the consent condition in Article 9(2)(a) to process the trade union membership of staff for an internal diversity programme. A data protection officer warns that this consent route carries a heightened standard compared with ordinary Article 6(1)(a) consent. What is the key additional requirement that makes Article 9(2)(a) consent harder to satisfy?

    • A. The consent must be obtained in writing on a physical document, because electronic consent is insufficient for any special category of personal data.
    • B. The consent must be explicit, meaning expressed through a clear affirmative statement rather than inferred from conduct or a pre-ticked arrangement. (Correct)
    • C. The consent must be renewed by the data subject every six months, because special category consent automatically expires under the storage limitation principle.
    • D. The consent must be approved in advance by the competent supervisory authority before the trade union data can be processed.
    Article 9(2)(a) requires explicit consent, a higher standard than ordinary Article 6 consent, demanding an express affirmative statement. Explicit consent under Article 9(2)(a) means the data subject gives an express statement of agreement to the specific special category processing. It cannot be inferred from conduct or a pre-ticked box, which raises the bar above ordinary consent.

    Why A is wrong: A signed paper form feels rigorous, but the GDPR does not mandate a particular medium; electronic consent is valid, so form of recording is not the distinguishing requirement.

    Why B is correct: Article 9(2)(a) requires explicit consent, a higher bar than ordinary consent, demanding an express statement of agreement rather than consent inferred from action, which distinguishes it from Article 6(1)(a).

    Why C is wrong: Periodic renewal sounds prudent given storage limitation, but the GDPR sets no fixed expiry for consent; validity depends on it remaining freely given and informed, not on a mandatory interval.

    Why D is wrong: Prior authorisation is plausible because some high-risk activities involve the supervisory authority, but Article 9(2)(a) consent requires no regulator sign-off; prior consultation under Article 36 is a separate, narrow mechanism.

  4. European Data Protection: Scope and Accountability

    17% of exam

    What you must be able to do. Decide whether the GDPR applies via establishment or targeting, identify when a DPIA or a DPO is mandatory, and place a breach in the correct fine tier.

    In one sentence: Where the GDPR reaches and who must answer for it: territorial scope under Article 3, accountability and privacy by design, the DPIA and DPO triggers, the supervisory structure, and the fine tiers.

    Recall check: answer these from memory first
    • State the two routes by which the GDPR reaches a non-EU company under Article 3, and give a one-line example of the targeting criterion.
    • Name two of the three circumstances that make appointing a DPO mandatory under Article 37.
    • Which breaches fall in the higher fine tier (up to 4 percent of global turnover) versus the lower tier (up to 2 percent), and give one example of each?

    What it tests. Where the GDPR applies and who must answer for compliance: the territorial and material scope under Article 3, including establishment, non-establishment, and the targeting criterion; the accountability obligations on controllers, joint controllers, and processors, including data protection by design and by default; data protection impact assessments and when they are mandatory; the mandatory data protection officer; the supervisory structure including the EDPB, the EDPS, national authorities, and the lead supervisory authority and one-stop-shop mechanism; and the consequences of breaching the GDPR, including the tiers of administrative fines and the routes to compensation and class actions.

    How to study it. Learn scope as a decision tree: is there an EU establishment, or is the controller targeting people in the EU? Get the triggers for a mandatory DPIA and a mandatory DPO exactly right, because these are common questions with clear-cut answers once you know the criteria. Understand the two fine tiers and which kinds of breach fall into each, and keep the one-stop-shop and lead supervisory authority concepts distinct from the general powers of a single authority. Accountability runs through the whole exam, so this domain repays solid study.

    Easy to confuse

    • Establishment versus targeting (territorial scope). The establishment limb applies the GDPR to processing in the context of an EU establishment regardless of where the processing happens; the targeting limb catches a non-EU controller that offers goods or services to, or monitors, people in the EU. A US-only company with no EU office can still be caught by targeting.
    • Lead supervisory authority versus one-stop-shop. The lead supervisory authority is the single authority (of the main establishment) that takes the lead in a cross-border case; the one-stop-shop is the mechanism that lets it coordinate with the other concerned authorities so a controller deals with one lead rather than twenty-seven. One is the actor, the other is the procedure.
    • Higher fine tier versus lower fine tier. The higher tier (up to 20 million euros or 4 percent of global annual turnover) covers breaches of the core principles, lawful bases, data subject rights, and transfer rules; the lower tier (up to 10 million euros or 2 percent) covers the more administrative duties such as failing to keep records, appoint a DPO, or notify a breach. The exam asks you to sort a given breach into the right tier.

    Worked example from the CIPP-E bank

    Free sample (European Data Protection: Scope and Accountability, medium)

    A national supervisory authority is preparing to adopt a list of processing operations that require a data protection impact assessment in its territory. Before the list takes effect, the authority is required to engage a Union-level mechanism. Which body must it involve, and for what purpose?

    • A. The European Commission, which must approve the list as an implementing measure before it can be applied nationally.
    • B. The European Data Protection Board, which issues an opinion under the consistency mechanism to promote a harmonised approach across authorities. (Correct)
    • C. The European Data Protection Supervisor, which reviews the list because DPIA obligations originate in the rules governing EU institutions.
    • D. The Court of Justice of the European Union, which validates the list to ensure it complies with the Charter of Fundamental Rights.
    Recognise that national DPIA lists go to the EDPB for a consistency opinion to harmonise practice across supervisory authorities. The consistency mechanism requires national authorities to communicate certain measures, including lists of processing requiring a DPIA, to the EDPB. The Board issues an opinion so that comparable processing is treated consistently across Member States, reflecting the EDPB's harmonising mandate rather than approval by the Commission or a court.

    Why A is wrong: Tempting because the Commission adopts implementing acts elsewhere in the GDPR, but DPIA lists are communicated to the EDPB for consistency, not submitted to the Commission for approval.

    Why B is correct: Lists of processing requiring a DPIA are subject to the consistency mechanism, so the authority communicates the list to the EDPB, which gives an opinion to keep such lists consistent across the Union.

    Why C is wrong: Tempting because the EDPS works on data protection at Union level, but it supervises EU institutions and does not review national authorities' DPIA lists, which fall under the EDPB's consistency role.

    Why D is wrong: Tempting because the Charter underpins data protection, but the CJEU does not pre-clear administrative lists; consistency review of DPIA lists is an EDPB function under the cooperation framework.

  5. Compliance with European Data Protection Law and Regulation

    16% of exam

    What you must be able to do. Apply the principles and lawful bases from the earlier domains to concrete contexts - employment, surveillance, marketing, cookies - and bring in the ePrivacy Directive where it governs.

    In one sentence: Where the abstract rules meet concrete contexts: employee data and monitoring, surveillance and biometrics, direct marketing and behavioural targeting, and cloud, cookies, and AI.

    Recall check: answer these from memory first
    • Why is consent usually the wrong lawful basis for processing employee data, and what grounds workplace monitoring instead?
    • Which instrument governs the use of cookies and unsolicited marketing messages alongside the GDPR, and what consent standard does it require?
    • Name two safeguards that make CCTV or biometric surveillance defensible under the GDPR.

    What it tests. Applying the law to specific high-risk contexts: processing employee data, workplace monitoring, and the roles of EU Works Councils and whistleblowing systems; surveillance by public authorities, interception, CCTV, geolocation, and biometrics including facial recognition; the rules for direct marketing and online behavioural targeting, including the ePrivacy Directive; and the compliance issues around cloud computing, cookies, social-media dark patterns, search engine marketing, and the ethics of artificial intelligence and machine learning.

    How to study it. Tie each context back to the principles and lawful bases from the earlier domains rather than treating it as a fresh topic, because the questions reward applying the same framework to new facts. Know that marketing and cookies bring the ePrivacy Directive into play alongside the GDPR, and that consent rules differ from a plain GDPR lawful basis. Keep workplace monitoring grounded in proportionality and the lawful basis question, since employee consent is rarely freely given. At 16% it is one of the smaller domains, but it is where the abstract rules turn into concrete exam scenarios, so practise it rather than skim it.

    Easy to confuse

    • ePrivacy Directive versus GDPR (cookies and marketing). The ePrivacy Directive governs cookies and electronic marketing specifically and generally demands prior opt-in consent; the GDPR governs the resulting personal data and offers six lawful bases. For setting a non-essential cookie the ePrivacy consent rule applies, so legitimate interests is not a substitute there.
    • Employee consent versus another lawful basis. Because of the employer-employee power imbalance, consent is rarely freely given at work, so it is usually invalid; legitimate interests, legal obligation, or contractual necessity, applied proportionately, are the defensible bases. The exam offers employee consent as the trap.
    • Workplace monitoring versus public-authority surveillance. Workplace monitoring is an employer processing staff data, judged on proportionality, transparency, and a lawful basis other than consent; public-authority surveillance and interception engage law-enforcement and national-security regimes with their own legal bases and safeguards. The acceptable controls and the governing rules differ.

    Worked example from the CIPP-E bank

    Free sample (Compliance with European Data Protection Law and Regulation, hard)

    An airport operator wants to let passengers pass through boarding gates using live facial recognition matched against a template created at check-in. Legal asks whether the GDPR treats the facial templates as a special category of data and, if so, what that means for the lawful basis. Which statement best reflects the GDPR position on this processing?

    • A. The templates are ordinary personal data because a photograph only becomes special category data once it is published, so Article 6 alone governs the boarding gates.
    • B. Because boarding is a contractual necessity, Article 9 is automatically satisfied and no separate special category condition needs to be identified.
    • C. Facial recognition for access control falls under the general prohibition on automated decision-making, so the only requirement is offering passengers human review of any non-match.
    • D. The templates are biometric data processed for unique identification and therefore special category data, so an Article 9 exception, typically explicit consent, must apply on top of an Article 6 basis. (Correct)
    Identify that biometric data processed for unique identification is special category data requiring both an Article 6 basis and an Article 9 condition. Article 9(1) classifies biometric data processed for the purpose of uniquely identifying a natural person as special category data, which is prohibited unless an Article 9(2) exception applies; the controller must therefore layer a special category condition such as explicit consent over an ordinary lawful basis.

    Why A is wrong: This conflates a plain photograph with biometric processing; publication is irrelevant, and once the image is processed through specific technical means for unique identification it becomes biometric special category data, so Article 6 alone is insufficient.

    Why B is wrong: Contractual necessity is an Article 6 basis only; Article 9 contains its own exhaustive list of conditions, and necessity for a contract is not among them, so a separate Article 9 condition is still required.

    Why C is wrong: Automated decision rights may be engaged, but they do not displace the Article 9 special category analysis; the question of whether a valid exception authorises the biometric processing remains, so this answer misidentifies the core issue.

    Why D is correct: Biometric data processed for the purpose of uniquely identifying a person is special category data under Article 9(1), so the controller needs an Article 9 condition such as explicit consent in addition to an Article 6 lawful basis.

A study plan that works

  1. Map the blueprint and set a date

    Day 1

    Read the official IAPP Body of Knowledge and the five domains with their weights. Book a provisional exam date now: a fixed date converts open-ended reading into a plan and is the single biggest predictor of actually sitting the exam.

  2. Build the legal map (Domain 1)

    Week 1

    Get the institutions, instruments, and history straight before the substantive law, because later domains assume you know who the CJEU is and where the GDPR came from. One line per institution and instrument is enough; aim for confident recall, not depth.

  3. Master the core GDPR machinery (Domain 2)

    Weeks 2-3

    Spend the most time here, because it is the largest domain and underpins the rest. Drill personal data and special categories, controller versus processor, the data subject rights, and the conditions for valid consent until you can state each from memory.

  4. Work through lawful processing and transfers (Domain 3)

    Weeks 3-4

    Cover the Article 5 principles, the six lawful bases, special-category conditions, transparency, and international transfers. Practise choosing the correct lawful basis for a scenario and walking the transfer toolkit in order from adequacy to safeguards.

  5. Cover scope, accountability, and compliance contexts (Domains 4 and 5)

    Week 5

    Learn territorial scope, the DPIA and DPO triggers, the supervisory structure, and the fine tiers, then apply the whole framework to the specific contexts in Domain 5 such as employment, surveillance, marketing, and cookies.

  6. Practise on scenarios with worked explanations

    Week 5

    Move to full practice sets and read the explanation for every question, including the ones you got right. The exam tests reasoning between plausible options, so understanding why a near-miss answer is wrong is where the marks are.

  7. Find your weak domains, then sit a timed mock

    Week 6

    Use your per-domain accuracy to drill the two domains dragging you down rather than re-reading what you already know. Then take at least one full timed mock to rehearse pacing, and review every missed question before booking or sitting.

Know when you're ready

Readiness for the CIPP/E is a score on scenario questions you have not seen before, not a feeling that the material is familiar. Those are different things, and the gap between them is where people fail. Re-reading the Body of Knowledge builds fluency, and fluency feels like knowledge, so confidence rises while real recall does not. The fix is to test yourself: if you can read a fresh scenario, settle the controller-versus-processor question, pick the lawful basis that fits the facts, and explain why the near-miss options are wrong, you know it; if you can only nod along to an explanation, you do not yet.

Be especially wary of early confidence on this exam, because so many options are partly true. The candidates most likely to book too soon are the ones who feel ready after one read of the law, before they have met the questions that show them how consent is dangled as a trap or how a Council of Europe body is slipped into an EU-law answer. Trust your measured per-domain accuracy over your gut, and set the bar at clearing every domain comfortably on unseen questions across more than one session, not scraping the pass mark once.

This guide gives you the map. The practice bank is where you find out whether you can navigate it, with a worked explanation and a reason every distractor is wrong on every question. Readiness scoring tells you when you are there. Not before.

Exam-day tips

  • Read the actual question in the last line first. It tells you whether you are being asked for the lawful basis, the responsible party, or the correct action, so you can read the scenario looking for that.
  • Choose the most correct option, not merely a defensible one. Several answers are often partly right; the exam wants the one that fits all the facts given.
  • Watch for consent as a distractor. When contractual necessity or legitimate interests clearly fits, consent is usually the wrong lawful basis, especially in the employment context.
  • Pin down controller or processor before answering responsibility questions. Who carries an obligation almost always turns on that role, and the scenario gives you the clues.
  • Be wary of absolutes such as always, never, and any. Most GDPR rules carry conditions and exceptions, so a sweeping option is often the trap.
  • Flag and move on. Do not spend disproportionate time on one hard transfer or scope item when easier marks are waiting; cover every question first, then return.
  • Eliminate the two weakest options quickly. Most questions hide two clearly wrong choices, and removing them turns a guess into a far better bet.

Frequently asked questions

How do I pass the CIPP/E?

Learn the GDPR machinery in Domain 2 and the lawful processing and transfer rules in Domain 3 first, because together they are most of the exam, then apply that framework to scope, accountability, and the specific compliance contexts. Finish with scenario practice and read the worked explanation on every question so you understand why each near-miss answer fails.

Is the CIPP/E hard?

It is a knowledge exam with no drafting or coding, but it is detailed: there are many named instruments, defined terms, and conditions to hold straight. The difficulty is in choosing the most correct option among plausible ones, which is why scenario practice with worked explanations matters more than rote memorising of article numbers.

What is the pass mark for the CIPP/E?

The pass mark is 300 out of 500 on IAPP's scaled scoring, shown in the facts panel above. Because the score is scaled, your raw percentage and the scaled score are not the same thing, so aim to clear every domain comfortably in practice rather than scraping a target.

Do I need a legal background to pass?

No. Privacy officers, compliance and risk staff, and people moving into data protection pass it without a law degree. You do need to read a rule carefully, hold several conditions at once, and reason to the answer that fits all the facts, which is a skill you can build with practice.

How long should I study for the CIPP/E?

Most candidates need several weeks of focused study, more if European data protection law is new to you. Put the bulk of that time into Domains 2 and 3, which carry the most marks, and use the lower-weighted domains to secure the rest once the core is solid.

Which domains should I focus on?

European Data Protection Law and Regulation is the largest domain, followed by European Data Processing, so those two deserve the most time. Introduction, Scope and Accountability, and Compliance are smaller, but Scope and Accountability includes high-value, clear-cut topics such as the DPIA and DPO triggers that are worth securing.

Does the CIPP/E cover laws beyond the GDPR?

Yes. The GDPR is the centre of gravity, but the exam also expects you to know the wider landscape, including the ePrivacy Directive for marketing and cookies, the NIS 2 Directive, the EU Artificial Intelligence Act, and the older instruments such as Convention 108 that shaped European data protection.

How many practice questions should I do before booking?

Enough that every domain clears the pass line with margin on questions you have not seen before, and that a full timed mock feels comfortable on pacing. Quality of review matters more than raw volume: read the explanation on every question, right or wrong.

Is the CIPP/E worth it?

It is well suited to privacy officers, data protection officers, compliance staff, and legal professionals whose work involves personal data of people in the European Union. It is the most widely recognised European data protection credential and a common baseline requirement for DPO and GDPR advisory roles; the CIPM is a common next step for those who want to add privacy programme management expertise.

Examworthy is not affiliated with or endorsed by IAPP. This guide is original study material based on the public exam blueprint. We never reproduce live exam items. CIPP-E and related marks belong to their respective owners.