IAPP CIPP-E Exam (page: 7)
IAPP Certified Information Privacy Professional/Europe (CIPP/E)
Updated on: 15-Feb-2026

Viewing Page 7 of 55

Article 5(1)(b) of the GDPR states that personal data must be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes." Based on Article 5(1)(b), what is the impact of a member state's interpretation of the word "incompatible"?

  A. It dictates the level of security a processor must follow when using and storing personal data for two different purposes.
  B. It guides the courts on the severity of the consequences for those who are convicted of the intentional misuse of personal data.
  C. It sets the standard for the level of detail a controller must record when documenting the purpose for collecting personal data.
  D. It indicates the degree of flexibility a controller has in using personal data in ways that may vary from its original intended purpose.

Answer(s): D

Explanation:

The purpose limitation principle requires that personal data be collected for specified, explicit and legitimate purposes and not be further processed in a manner that is incompatible with those purposes. However, the GDPR does not provide a clear definition of what constitutes an incompatible purpose. Instead, it leaves room for interpretation by the member states, taking into account the context and circumstances of the processing. This means that the degree of flexibility a controller has in using personal data for a new purpose may vary depending on the member state's law and guidance. Some factors that may affect the compatibility assessment include the link between the original and the new purpose, the expectations of the data subject, the nature of the data, the impact of the further processing, and the safeguards applied by the controller.


Reference:

GDPR Article 5(1)(b), which states the purpose limitation principle.
GDPR Article 6(4), which lists the criteria for assessing the compatibility of a new purpose.
ICO guidance, which explains the purpose limitation principle and provides examples of compatible and incompatible purposes.
EDPB guidelines, which provide further guidance on the application of the purpose limitation principle.



Tanya is the Data Protection Officer for Curtains Inc., a GDPR data controller. She has recommended that the company encrypt all personal data at rest.
Which GDPR principle is she following?

  A. Accuracy
  B. Storage Limitation
  C. Integrity and confidentiality
  D. Lawfulness, fairness and transparency

Answer(s): C

Explanation:

The GDPR requires that personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. This principle is known as integrity and confidentiality, or sometimes as security. Encryption is one of the possible technical measures that can be used to protect personal data at rest, as it makes the data unintelligible to anyone who does not have the key to decrypt it. By recommending that the company encrypts all personal data at rest, Tanya is following the principle of integrity and confidentiality, as she is ensuring that the personal data is secure and protected from unauthorised access or accidental damage.


Reference:

1: Article 5(1)(f) of the GDPR
2: A guide to the data protection principles | ICO
3: Encryption | ICO

https://www.icaew.com/technical/technology/data/data-protection/data-protection-articles/do-i-have-to-encrypt-personal-data-to-comply-with-dpa-2018



A well-known video production company, based in Spain but specializing in documentaries filmed worldwide, has just finished recording several hours of footage featuring senior citizens in the streets of Madrid. Under what condition would the company NOT be required to obtain the consent of everyone whose image they use for their documentary?

  A. If obtaining consent is deemed to involve disproportionate effort.
  B. If obtaining consent is deemed voluntary by local legislation.
  C. If the company limits the footage to data subjects solely of legal age.
  D. If the company's status as a documentary provider allows it to claim legitimate interest.

Answer(s): D

Explanation:

According to the GDPR, consent is one of the six lawful bases for processing personal data, but not the only one. The other five are: contract, legal obligation, vital interests, public task and legitimate interests. Legitimate interests can be invoked by controllers who process personal data for their own benefit or for the benefit of third parties, as long as such processing does not override the rights and freedoms of the data subjects, especially if they are children. The GDPR also recognizes that processing personal data for journalistic purposes or the purposes of academic, artistic or literary expression may be necessary for the exercise of the right to freedom of expression and information, which is a legitimate interest. Therefore, the company may not need to obtain the consent of everyone whose image they use for their documentary, if they can demonstrate that their processing is necessary for the purposes of their journalistic, artistic or literary expression, and that they have taken into account the reasonable expectations of the data subjects and the potential impact on their privacy. The company should also comply with any relevant national laws or codes of conduct that may apply to such processing.


Reference:

GDPR, Article 6(1)(a)-(f)
GDPR, Recital 47
GDPR, Article 85



A Spanish electricity customer calls her local supplier with questions about the company's upcoming merger. Specifically, the customer wants to know the recipients to whom her personal data will be disclosed once the merger is final. According to Article 13 of the GDPR, what must the company do before providing the customer with the requested information?

  A. Verify that the request is applicable to the data collected before the GDPR entered into force.
  B. Verify that the purpose of the request from the customer is in line with the GDPR.
  C. Verify that the personal data has not already been sent to the customer.
  D. Verify that the identity of the customer can be proven by other means.

Answer(s): D

Explanation:

According to Article 13 of the GDPR, the controller (in this case, the electricity supplier) has the obligation to provide the data subject (in this case, the customer) with information about the processing of their personal data, including the recipients or categories of recipients of the personal data, if any. However, before providing such information, the controller must verify the identity of the data subject, to ensure that the information is not disclosed to unauthorized persons. This verification can be done by other means than the personal data already collected, such as asking for additional information, sending a verification code, or using a secure online portal. The other options (A, B, and C) are not relevant for this verification, as they do not relate to the identity of the data subject, but to the scope, purpose, and history of the processing.


Reference:

Article 13 of the GDPR
The right to be informed (transparency) (Article 13 & 14 GDPR)
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)


https://fpf.org/wp-content/uploads/2018/11/GDPR_CCPA_Comparison-Guide.pdf



Under the GDPR, where personal data is not obtained directly from the data subject, a controller is exempt from directly providing information about processing to the data subject if:

  A. The data subject already has information regarding how his data will be used
  B. The provision of such information to the data subject would be too problematic
  C. Third-party data would be disclosed by providing such information to the data subject
  D. The processing of the data subject's data is protected by appropriate technical measures

Answer(s): A

Explanation:

According to Article 14 of the GDPR, where personal data is not obtained directly from the data subject, the controller must provide the data subject with certain information about the processing, such as the identity of the controller, the purposes and legal basis of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, and the rights of the data subject. However, there are some exceptions to this obligation, as specified in Article 14(5). One of them is when the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases, the controller must take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available. A separate exception, in Article 14(5)(a), applies where the data subject already has the information, which is the situation described in answer A.


Reference:

CIPP/E Certification - International Association of Privacy Professionals
Free CIPP/E Study Guide - International Association of Privacy Professionals
GDPR - EUR-Lex
Right to be Informed - General Data Protection Regulation (GDPR)

https://dataprivacymanager.net/gdpr-exemptions-from-the-obligation-to-provide-information-to-the-individual-data-subject/


