Actual Exam Questions
178 Multiple choice questions
Definition 1 of 178
If illegal or improper activity is taking place within an organization, employees may first observe it and report
it to individuals with more authority or an agency outside of the organization. In setting up procedures to
make it possible for an employee to report such activity, per laws in a variety of jurisdictions that protect the
rights of __________, an organization will want to be sure that appropriate privacy safeguards are put in place.
Whistleblowing
Redlining
Flyposting
Closing
Definition 2 of 178
Part of the consistency mechanism of the GDPR, this is required between supervisory authorities when
working with controllers or processors handling the personal data of data subjects in multiple member
states. This is often referred to as __________ (a.k.a. the "one-stop shop"), whereby a lead supervisory authority works
with the supervisory authorities of other member states with affected data subjects.
Derogation
Cooperation
Cookie Directive
Content Data
Definition 3 of 178
Article 17(1) of the GDPR establishes that data subjects have this right of their personal data if: the data is no
longer needed for its original purpose and no new lawful purpose exists; the lawful basis for the processing is
the data subject's consent, the data subject withdraws that consent, and no other lawful ground exists; the data
subject exercises the right to object, and the controller has no overriding grounds for continuing the processing;
the data has been processed unlawfully; or this is necessary for compliance with EU law or the national law of
the relevant member state.
Accretion
Erasure
Obliteration
Avulsion
Definition 4 of 178
The process by which companies can systematically assess and identify the privacy and data protection
impacts of any products they offer and services they provide. It enables them to identify the impact and take
the appropriate actions to prevent or, at the very least, minimise the risk of those impacts. __________ are required by
the General Data Protection Regulation in some instances, particularly where a new product or service is
likely to result in a high risk to the rights and freedoms of natural persons.
Data Protection Impact Assessment
Data Privacy Information Assessment
Privacy Impact Assessment
Privacy Assessment
Definition 5 of 178
The ECHR (European Court of Human Rights) decided in 2009 that the Article 8 right to respect for private life
and family life had been violated when the applicant sought access to the secret service file on him drawn up in
the days of Communist rule in Romania and was made to wait six years. The court awarded 6,000 euros.
Gaskin v. United Kingdom
Haralambie v. Romania
Durant v. Financial Services Authority
EU-U.S. Safe Harbor Agreement
Definition 6 of 178
An agreement that was invalidated by the Court of Justice of the European Union in 2015, that allowed for
the legal transfer of personal data between __________ in the absence of a comprehensive adequacy decision for the
United States. It was replaced by the __________ Privacy Shield in 2016 (see Privacy Shield).
Global Privacy Enforcement Network
EU Data Protection Directive (95/46/EC)
EU-U.S. Safe Harbor Agreement
European Data Protection Board
Definition 7 of 178
Data is this if it is protected against unauthorised or unlawful processing. The GDPR requires that an
organization be able to ensure the ongoing confidentiality, integrity, availability and resilience of processing
systems and services as part of its requirements for appropriate security. In addition, the GDPR requires that
persons authorised to process the personal data have committed themselves to confidentiality or are under an
appropriate statutory obligation of this.
Confidentiality
Accountability
Integrity
Availability
Definition 8 of 178
A natural or legal person, public authority, agency or another body, to which personal data is disclosed,
whether a third party or not. Public authorities that receive personal data in the framework of a particular
inquiry in accordance with EU or member state law shall not be regarded as recipients, however. The
processing of that data by those public authorities shall be in compliance with the applicable data protection
rules according to the purposes of the processing.
Data Processor
Established Service Provider
Data Controller
Data Recipient
Definition 9 of 178
This privacy requirement is one of the fair information practices. In the GDPR, however, it is specifically one
of the legal bases for processing personal data. According to the GDPR, for it to be valid, it must be: clearly
distinguishable from other matters, intelligible, and in clear and plain language; freely given; as easy to
withdraw as it was to provide; specific; informed; and unambiguous. Further, it must be a positive,
affirmative action (e.g., checking opt-in or choosing technical settings for web applications), with pre-ticked
boxes expressly not allowed. For certain special categories of data, as outlined in Article 9, explicit _________
is required for processing, a higher standard than unambiguous consent.
Charter of Fundamental Rights
Consent (EU specific)
Breach Disclosure (EU specific)
Communications Privacy
Definition 10 of 178
Introduced by the GDPR, a new valid adequacy mechanism for the transfer of personal data outside of the
European Union in the absence of an adequacy decision and instead of other mechanisms such as binding
corporate rules or contractual clauses. These must be developed by certifying bodies, approved by data
protection authorities or the EDPB (European Data Protection Board), and have a methodology for auditing
compliance. Similar to binding corporate rules, they compel organizations to be able to demonstrate their
compliance with all aspects of applicable data protection legislation.
Automated Processing