FULL QUESTIONS AND CORRECT ANSWERS
⩥ Adequate Level of Protection. Answer: A label that the EU may apply
to third-party countries who have committed to protect data through
domestic law making or international commitments. Conferring of the
label requires a proposal by the European Commission, an Article 29
Working Group Opinion, an opinion of the Article 31 Management
Committee, a right of scrutiny by the European Parliament and adoption
by the European Commission.
⩥ Adverse Action. Answer: Under the Fair Credit Reporting Act, the
term "adverse action" is defined very broadly to include all business,
credit and employment actions affecting consumers that can be
considered to have a negative impact, such as denying or canceling
credit or insurance, or denying employment or promotion. No adverse
action occurs in a credit transaction where the creditor makes a
counteroffer that is accepted by the consumer. Such an action requires
that the decision maker furnish the recipient of the adverse action with a
copy of the credit report leading to the adverse action.
⩥ Annual Reports. Answer: The requirement under the European Data
Protection Directive that member state data protection authorities report
on their activities at regular intervals.
⩥ Antidiscrimination Laws. Answer: Refers to the right of people to be
treated equally.
⩥ Article 29 Working Party. Answer: A European Union organization
that functions as an independent advisory body on data protection and
privacy, while EU data protection laws are actually enforced by the
national Data Protection Authorities of EU member states.
⩥ Authentication. Answer: The process by which an entity (such as a
person or computer system) determines whether another entity is who it
claims to be. Authentication identifies an individual based on some
credential; i.e. a password, biometrics, etc. Authentication is different
from authorization. Proper authentication ensures that a person is who he
or she claims to be, but it says nothing about the access rights of the
individual.
⩥ Background Screening/Checks. Answer: Verifying an applicant's
ability to function in the working environment as well as assuring the
safety and security of existing workers. Background checks range from
checking a person's educational background to checking on past criminal
activity.
⩥ Behavioral Advertising. Answer: The act of tracking users' online
activities and then delivering ads or recommendations based upon the
tracked activities. The most comprehensive form of targeted advertising.
By building a profile on a user through their browsing habits such as
sites they visit, articles read, searches made, ads previously clicked on,
etc., advertising companies place ads pertaining to the known
information about the user across all websites visited. Behavioral
Advertising also uses data aggregation to place ads on websites that a
user may not have shown interest in, but similar individuals had shown
interest in.
⩥ Binding Corporate Rules. Answer: Legally binding internal corporate
privacy rules for transferring personal information within a corporate
group. BCRs are typically used by corporations that operate in multiple
jurisdictions, and they are alternatives to the EU-U.S. Privacy Shield and
Model Contract Clauses. BCRs must be approved by the EU data
protection authorities of the member states in which the corporation
operates.
⩥ Binding Safe Processor Rules. Answer: Self-regulatory principles
(similar to Binding Corporate Rules) for processors that are applicable to
customer personal data. Once a supplier's BSPR are approved, a supplier
gains "safe processor" status and its customers would be able to meet the
EU Data Protection Directive's requirements for international transfers
in a similar manner as BCR allow. BSPR are currently being considered
as a concept by the Article 29 Working Party and national authorities.
⩥ Biometrics. Answer: Data concerning the intrinsic physical or
behavioral characteristics of an individual. Examples include DNA,
fingerprints, retina and iris patterns, voice, face, handwriting, keystroke
technique and gait.
⩥ Bodily Privacy. Answer: One of the four classes of privacy, along with
information privacy, territorial privacy and communications privacy. It
focuses on a person's physical being and any invasion thereof. Such an
invasion can take the form of genetic testing, drug testing or body cavity
searches.
⩥ Breach Disclosure. Answer: The requirement that a data controller
notify regulators and victims of incidents affecting the confidentiality
and security of personal data. It is a transparency mechanism that highlights
operational failures; this helps mitigate damage and aids in the
understanding of causes of failure.
⩥ Bundesdatenschutzgesetz. Answer: A German national data protection
law that includes specific requirements for data services outsourcing
agreements. The legislation contains ten specific requirements for
outsourcing agreements: (1) Subject and duration of work; (2) the extent,
type and purpose of data processing; (3) technical and organizational
measures to be taken under section 9; (4) the rectification, erasure and
blocking of data; (5) the processor's section 4 obligations, particularly
with regard to monitoring; (6) rights regarding subcontracting; (7) the
controller's monitoring rights; (8) the subcontractor's notification
obligations; (9) the extent of the controller's authority to issue
instructions to the processor; (10) the return and/or erasure of data by the
processor at the conclusion of the work.
⩥ Charter of Fundamental Rights. Answer: A treaty that consolidates
human rights within the EU. The treaty states that everyone has a right
to protect their personal data, that data must be processed for legitimate