| Full Questions and Answers with Rationales |
A+ Verified
• Outliers work on their website to Company X. An employee of Company X steals the
data, deletes it, and tells the boss.
Q: What is Company X legally obliged to do? -✓✓A: Notify Outliers
• Outliers work on their website to Company X. An employee of Company X steals the
data, deletes it, and tells the boss.
Q: What does Outliers then need to do? -✓✓A: Nothing as data was deleted
• Outliers work on their website to Company X. An employee of Company X steals the
data, deletes it, and tells the boss.
Q: Follows on with Cookies question? -✓✓A: Consent to opt-in to cookies
• Privacy notice for new Health App collecting sensitive data.
Q: What is the problem with the draft? -✓✓A: The form is asking for health
information from the outset, which is not legal
• Privacy notice for new Health App collecting sensitive data
Q: Potential problem with collecting children data? -✓✓A: Need to demonstrate
steps to gain parental consent
• Anna is a lawyer for a university, tasked with Student Records. Frank is a professor.
Four types of data:
-Student Data - personal info
-Employee Data - personal info
-Alumni Data - personal info
-Department of Education Data: demographic data - no personal identifiers (used to
see how first year students progress, etc.)
Frank wants to build a database to process data and see how first year students in his
class progressed. Frank builds an algorithm to process data without identifiers. All
university systems are encrypted. He takes data to his home laptop, which is not
encrypted. He loses the laptop.
Q: Which types of data does Anna NOT have to include in her record of processing
activities? -✓✓Department of Education Records
• Q: What should Anna/the DPO check to confirm he can process those data? -
✓✓More information about the algorithm he has developed
• Q: He loses the data, what should happen next? Should they inform the students?
-✓✓Yes because potential high risk since data was not encrypted
• Case study on a guy who gets his photo taken at a gym in Germany
-consents to them using it for marketing
-Gym HQ in France
-Gyms all over EU
-He lives in UK
-Submits request to ICO in UK
-ICO refers to CNIL (this is the SA in France)
Q: In effort of Cooperation (the lead SA, CNIL, gets their judgement) what should
they do now? -✓✓Draft a draft decision and submit to supporting SAs for their
opinion.
• What does he have to do for lawsuit? (each location is a controller!) -✓✓Answer:
Go to each gym branch...
• Question on what he should do if he wants to sue -✓✓Sue ANY relevant branch
as each can be liable for entire damage
• ABC Insurance gives data to subsidiary which begins direct marketing to Jason.
Jason decides to switch insurance companies. ABC Insurance is direct marketing
to Jason. Jason asks them to stop but they say that there is a line in the contract he
signed saying he consents to direct marketing and he doesn't stop. Wants to
transfer data - they give it to him in PDF format. He asks for them to transfer and
they can't because it's too time-consuming and not feasible.
Q: According to GDPR regulations on direct marketing (note: I think the wording
here is key), can Jason stop ABC from direct marketing? -✓✓Jason has right to
object and ABC must immediately stop using his data.
• Q: If Jason asks to stop use of his data, what must the ABC Insurance subsidiary
do? -✓✓A: Stop using the data unless for legal matters in which subsidiary is
involved.
• Q: Did ABC violate GDPR by not sending the data to the new insurance
company? -✓✓A: No, because sending it is not possible. Undue strain on the
company to send it which infringes on their rights. PDF format is enough.