CIPP/E ACTUAL EXAM VERSION 1 NEWEST 2025/2026
COMPLETE 150 QUESTIONS AND CORRECT DETAILED ANSWERS
(VERIFIED ANSWERS) | ALREADY GRADED A+ | BRAND NEW VERSION!!
An employee of company ABCD has just noticed that a memory stick containing records of client data, including their names, addresses and full contact details, has disappeared. The data on the stick is unencrypted and in clear text. It is uncertain what has happened to the stick at this stage, but it was likely lost during the travel of an employee. What should the company do?
(A). Notify as soon as possible the data protection supervisory authority that a data breach may have taken place.
(B). Launch an investigation and if nothing is found within one month, notify the data protection supervisory authority.
(C). Invoke the "disproportionate effort" exception under Article 33 to postpone notifying data subjects until more information can be gathered.
(D). Immediately notify all the customers of the company that their information has been accessed by an unauthorized person.
ANSWER: (A). Notify as soon as possible the data protection supervisory authority that a data breach may have taken place.
An unforeseen power outage results in company Z's lack of access to customer data for six hours. According to Article 32 of the GDPR, this is considered a breach. Based on the WP 29's February 2018 guidance, company Z should do which of the following?
(A). Notify affected individuals that their data was unavailable for a period of time.
(B). Document the loss of availability to demonstrate accountability.
(C). Notify the supervisory authority about the loss of availability.
(D). Conduct a thorough audit of all security systems.
ANSWER: (C). Notify the supervisory authority about the loss of availability.
How is the GDPR's position on consent MOST likely to affect future app design and implementation?
(A). App developers will expand the amount of data necessary to collect for an app's functionality.
(B). Users will be given granular types of consent for particular types of processing.
(C). App developers' responsibilities as data controllers will increase.
(D). Users will see fewer advertisements when using apps.
ANSWER: (B). Users will be given granular types of consent for particular types of processing.
In which situation would a data controller most likely be able to justify the processing of the data of a child without parental consent?
(A). When the data is to be processed for market research.
(B). When providing preventive or counselling services to the child.
(C). When providing the child with materials purely for educational use.
(D). When a legitimate business interest makes obtaining consent impractical.
ANSWER: (B). When providing preventive or counselling services to the child.
A mobile device application that uses cookies will be subject to the consent requirement of which of the following?
(A). The ePrivacy Directive
(B). The E-Commerce Directive
(C). The Data Retention Directive
(D). The EU Cybersecurity Directive
ANSWER: (A). The ePrivacy Directive
A Spanish electricity customer calls her local supplier with questions about the company's upcoming merger. Specifically, the customer wants to know the recipients to whom her personal data will be disclosed once the merger is final. According to Article 13 of the GDPR, what must the company do before providing the customer with the requested information?
(A). Verify that the request is applicable to the data collected before the GDPR entered into force.
(B). Verify that the purpose of the request from the customer is in line with the GDPR.
(C). Verify that the personal data has not already been sent to the customer.
(D). Verify that the identity of the customer can be proven by other means.
ANSWER: (A). Verify that the request is applicable to the data collected before the GDPR entered into force.
An entity's website stores text files on EU users' computer and mobile device browsers. Prior to doing so, the entity is required to provide users with notices containing information and consent under which of the following frameworks?
(A). General Data Protection Regulation 2016/679.
(B). E-Privacy Directive 2002/58/EC.
(C). E-Commerce Directive 2000/31/EC.
(D). Data Protection Directive 95/46/EC.
ANSWER: (D). Data Protection Directive 95/46/EC.
How is the retention of communications traffic data for law enforcement purposes addressed