IAPP CIPP-E Exam (page: 10)
IAPP Certified Information Privacy Professional/Europe (CIPP/E)
Updated on: 15-Feb-2026

Viewing Page 10 of 55

SCENARIO

Please use the following to answer the next question:

TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company's outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.'s foundering business.

During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed questionnaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories (age, income, ethnicity) that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the questionnaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website's traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website's effectiveness. Oliver enthusiastically engages Techiva for these services.

Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.'s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva's system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company's system of access control must be reconsidered.

With regard to TripBliss Inc.'s use of website cookies, which of the following statements is correct?

  A. Because not all of the cookies are strictly necessary to enable the use of a service requested from TripBliss Inc., consent requirements apply to their use of cookies.
  B. Because of the categories of data involved, explicit consent for the use of cookies must be obtained separately from customers.
  C. Because Techiva will receive only aggregate statistics of data collected from the cookies, no additional consent is necessary.
  D. Because the use of cookies involves the potential for location tracking, explicit consent must be obtained from customers.

Answer(s): A

Explanation:

According to the ePrivacy Directive (2002/58/EC), the use of cookies or similar devices that store or access information on the user's device requires the user's consent, unless the cookie is strictly necessary to enable the use of a service requested by the user. For example, a cookie that remembers the items in a shopping cart does not require consent, but a cookie that tracks the user's browsing behavior for analytics or advertising purposes does. The consent must be freely given, specific, informed, and unambiguous, and can be obtained through appropriate settings of the browser or other application. The consent must also be separate from other consents, such as the consent to the processing of personal data. The categories of data involved and the recipients of the data do not affect the consent requirement for the use of cookies. The consent must be obtained before the cookie is placed or accessed, unless the cookie is exempted. Therefore, option A is correct.
Option B is incorrect because explicit consent is not required for the use of cookies, unless the cookie also involves the processing of special categories of personal data under the GDPR. In this scenario, there is no indication that the cookies collect or process such data.
Option C is incorrect because the consent requirement for the use of cookies does not depend on the recipients of the data or the level of aggregation of the data. The consent must be obtained from the user on whose device the cookie is stored or accessed, regardless of who receives the data or how it is processed.
Option D is incorrect because the consent requirement for the use of cookies does not depend on the potential for location tracking. The consent must be obtained for any cookie that is not strictly necessary to enable the use of a service requested by the user, regardless of the type or purpose of the cookie.


Reference:

ePrivacy Directive, Article 5(3)
GDPR, Article 4(11), Article 7, Article 9
CIPP/E Study Guide, Chapter 5, Section 5.2.2



Company X has entrusted the processing of their payroll data to Provider Y. Provider Y stores this encrypted data on its server. The IT department of Provider Y finds out that someone managed to hack into the system and take a copy of the data from its server. In this scenario, whom does Provider Y have the obligation to notify?

  A. The public
  B. Company X
  C. Law enforcement
  D. The supervisory authority

Answer(s): B

Explanation:

According to Article 33 of the GDPR, in the case of a personal data breach, the processor (Provider Y) shall notify the controller (Company X) without undue delay after becoming aware of the breach. The processor does not have the obligation to notify the supervisory authority, the public, or law enforcement, unless otherwise required by law. The controller is responsible for notifying the supervisory authority and, where necessary, the data subjects, unless the breach is unlikely to result in a risk to their rights and freedoms.


Reference:

Article 33 of the GDPR, which regulates the notification of a personal data breach to the supervisory authority.
Article 34 of the GDPR, which regulates the communication of a personal data breach to the data subject.
ICO guidance, which explains the roles and responsibilities of controllers and processors in relation to data breach notification.



When hiring a data processor, which action would a data controller NOT be able to depend upon to avoid liability in the event of a security breach?

  A. Documenting due diligence steps taken in the pre-contractual stage.
  B. Conducting a risk assessment to analyze possible outsourcing threats.
  C. Requiring that the processor directly notify the appropriate supervisory authority.
  D. Maintaining evidence that the processor was the best possible market choice available.

Answer(s): C

Explanation:

The GDPR imposes several obligations on data controllers when they engage data processors to process personal data on their behalf. One of these obligations is to ensure that the contract or other legal act between the controller and the processor stipulates that the processor must assist the controller in complying with its obligations under the GDPR, including the obligation to notify personal data breaches to the competent supervisory authority and, where applicable, to the affected data subjects. However, this does not mean that the processor can directly notify the supervisory authority without the involvement of the controller. The GDPR clearly states that it is the controller's responsibility to notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of the breach. The processor must only notify the controller without undue delay after becoming aware of the breach. Therefore, requiring that the processor directly notify the appropriate supervisory authority is not an action that a data controller can depend upon to avoid liability in the event of a security breach, as it would be contrary to the GDPR and the controller's own obligation. Options A, B and D are actions that a data controller can take to reduce the risk of liability, as they demonstrate that the controller has exercised due diligence, assessed the potential impact of outsourcing, and chosen a reliable and compliant processor.


Reference:

1: Article 28(3)(f) of the GDPR
2: Article 33(1) of the GDPR
3: Article 33(2) of the GDPR



WP29's "Guidelines on Personal data breach notification under Regulation 2016/679" provides examples of ways to communicate data breaches transparently.
Which of the following was listed as a method that would NOT be effective for communicating a breach to data subjects?

  A. A postal notification
  B. A direct electronic message
  C. A notice on a corporate blog
  D. A prominent advertisement in print media

Answer(s): C

Explanation:

According to the WP29's "Guidelines on Personal data breach notification under Regulation 2016/679", the communication of a personal data breach to the data subjects should be clear, concise, transparent, easily accessible and understandable, and use clear and plain language. The communication should also be made as soon as reasonably feasible and in close cooperation with the supervisory authority. The guidelines provide some examples of methods that may be effective for communicating a breach to data subjects, such as a direct electronic message (e.g. email, SMS, direct message), a postal notification, a prominent advertisement in print media, or a notice on the homepage of the affected website. However, the guidelines also state that a notice on a corporate blog or social media would not be an effective method of communication, as it would not reach all the affected data subjects and would not allow them to take immediate action to protect themselves. Therefore, the correct answer is C, a notice on a corporate blog.


Reference:

WP29's "Guidelines on Personal data breach notification under Regulation 2016/679", pages 20-21
https://ec.europa.eu/newsroom/article29/document.cfm?doc_id=49827



Which of the following would require designating a data protection officer?

  A. Processing is carried out by an organization employing 250 persons or more.
  B. Processing is carried out for the purpose of providing for-profit goods or services to individuals in the EU.
  C. The core activities of the controller or processor consist of processing operations of financial information or information relating to children.
  D. The core activities of the controller or processor consist of processing operations that require systematic monitoring of data subjects on a large scale.

Answer(s): D

Explanation:

According to Article 37 of the GDPR, the designation of a data protection officer (DPO) is mandatory for controllers and processors in three cases:
  1. When the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  2. When the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  3. When the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

The GDPR does not define what constitutes "regular and systematic monitoring" or "large scale", but the Article 29 Working Party (now replaced by the European Data Protection Board) has provided some guidance on these concepts. According to the guidance, "regular and systematic monitoring" includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising, but also offline activities such as CCTV or health data monitoring. The guidance also suggests some criteria to assess whether the processing is carried out on a large scale, such as the number of data subjects concerned, the volume of data or the range of data items processed, the duration or permanence of the processing activity, and the geographical extent of the processing.

In the given scenario, option D is the only one that clearly falls under the second case of mandatory DPO designation, as it implies that the controller or processor is engaged in regular and systematic monitoring of data subjects on a large scale as part of their core activities. This could include, for example, online behavioural advertising, location tracking, loyalty programs, or health data analytics. The other options are not sufficient to trigger the obligation to appoint a DPO, unless they are combined with other factors that indicate a large scale or a high risk of the processing. For instance, option A is not relevant, as the GDPR does not set a threshold based on the size or number of employees of the organisation. Option B is also not decisive, as the GDPR does not distinguish between for-profit or non-profit purposes of the processing. Option C may require a DPO if the processing of financial information or information relating to children is done on a large scale and involves special categories of data, but it is not a general rule.


Reference:

1: Article 37 of the GDPR
2: Guidelines on Data Protection Officers ('DPOs')
3: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
4: https://edpb.europa.eu/sites/edpb/files/files/file1/wp243rev01_en.pdf
5: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
6: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/


