Free IAPP CIPP-E Exam Actual Questions

The questions for CIPP-E were last updated On Apr 24, 2025

At ValidExamDumps, we consistently monitor updates to the IAPP CIPP-E exam questions by IAPP. Whenever our team identifies changes in the exam questions,exam objectives, exam focus areas or in exam requirements, We immediately update our exam questions for both PDF and online practice exams. This commitment ensures our customers always have access to the most current and accurate questions. By preparing with these actual questions, our customers can successfully pass the IAPP Certified Information Privacy Professional/Europe exam on their first attempt without needing additional materials or study guides.

Other certification materials providers often include outdated or removed questions by IAPP in their IAPP CIPP-E exam. These outdated questions lead to customers failing their IAPP Certified Information Privacy Professional/Europe exam. In contrast, we ensure our questions bank includes only precise and up-to-date questions, guaranteeing their presence in your actual exam. Our main priority is your success in the IAPP CIPP-E exam, not profiting from selling obsolete exam questions in PDF or Online Practice Test.

 

Question No. 1

SCENARIO

Please use the following to answer the next question:

Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club's U.K. brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club.

After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVETFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVETFIT through alternate channels, he decides to take action against the company.

Javier contacts the U.K. Information Commissioner's Office ('ICO' -- the U.K.'s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e. the supervisory authority of EVERFIT's main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR. The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision.

Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.

Under the cooperation mechanism, what should the lead authority (the CNIL) do after it has formed its view on the matter?

Show Answer Hide Answer
Question No. 2

Sanctions for non-compliance with the EU Artificial Intelligence Act (Al Act) could result in a maximum fine of?

Show Answer Hide Answer
Correct Answer: D

The EU Artificial Intelligence Act (AI Act) is a proposed regulation that aims to establish harmonised rules on the development and use of artificial intelligence in the EU. The AI Act classifies AI systems according to their level of risk and imposes various requirements and obligations on providers and users of such systems. The AI Act also provides for the enforcement of its rules by national competent authorities and the European Commission. According to Article 71 of the AI Act, the sanctions for non-compliance with the AI Act depend on the type and severity of the infringement. The maximum fine for the most serious infringements, such as placing on the market or putting into service prohibited AI systems, or failing to comply with the data and data governance requirements for high-risk AI systems, is the higher of up to 30 million Euro or up to 6% of the total worldwide annual turnover of the preceding financial year of the legal entity concerned. This is the same level of fine as for the most serious infringements of the General Data Protection Regulation (GDPR).


* EUR-Lex - 52021PC0206 - EN - EUR-Lex1

* European Parliament Adopts Negotiating Position on the AI Act2

Question No. 3

Start-up company MagicAl is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT team decides to collect data about users' ethnic origin, nationality, and gender. Which would be the most appropriate legal basis for this processing under GDPR, Article 9 (Processing of special categories of personal data)?

A. Processing necessary for scientific or statistical purposes. B. Processing necessary for reasons of substantial public interest. C. Processing necessary for purposes of preventive or occupational medicine. D. Processing necessary for the defense of legal claims in potential negligence cases.

Show Answer Hide Answer
Correct Answer:

Under Article 9 of the GDPR, processing of special category data (e.g., ethnicity, health data) is prohibited unless an exception applies.

Why is C the correct answer?

AI-based medical devices fall under 'preventive or occupational medicine' as per GDPR Article 9(2)(h).

The AI system is used to detect skin cancer, a form of preventive medicine, making this the appropriate basis.

Why are other answers incorrect?

A (Scientific research or statistical purposes) While scientific research can be a legal basis, it requires additional safeguards such as anonymization, which may not be feasible in this case.

B (Substantial public interest) While public health is important, this processing is specific to medical diagnosis, making Article 9(2)(h) more appropriate.

D (Defense of legal claims) Legal claims are not relevant here, as the processing is for bias mitigation in AI training.


Question No. 4

SCENARIO

Please use the following to answer the next question:

The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron's marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron's legal department.

Registration Form

Vigotron's new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.)

Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which apps can access your dat

a. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron's cloud provider, Stratculous. (Read more about Stratculous here.)

Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer's name, email address or any other information gathered from the app to any third- party without a customer's consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer's legal rights or protect its business or property.

We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you

first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)

First name:

Surname:

Year of birth:

Email:

Physical Address (optional*):

Health status:

*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to unsubscribe@vigotron.com or send a letter with your request to the address listed at the bottom of this page.

Terms and Conditions

1. Jurisdiction. [...]

2. Applicable law. [...]

3. Limitation of liability. [...]

Consent

By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.

Emily sends the draft to Sam for review. Which of the following is Sam most likely to point out as the biggest problem with Emily's consent provision?

Show Answer Hide Answer
Correct Answer: C

According to the GDPR, personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes1.This means that data controllers must inform data subjects about the purposes of data processing and obtain their consent or another lawful basis for any new or different purposes2.

In the scenario, Brady transferred his customers' personal data to Hermes Designs, a third-party contractor, to fulfill a requested service. However, Hermes Designs used the data for a new purpose that was not disclosed to the customers: creating sample customized banner advertisements and conducting direct marketing. This is a violation of the purpose limitation principle and could expose Brady to legal risks and customer complaints.

Therefore, Brady should be concerned with Hermes Designs' handling of customer personal data and take appropriate measures to ensure compliance with the GDPR.

I hope this helps. If you have any other questions, please feel free to ask.

1: Article 5(1)(b) of the GDPR2: Article 6(4) of the GDPR


Question No. 5

SCENARIO

Please use the following to answer the next question:

Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers' data to third parties, and he's convinced that Accidentable must have gotten his information from Bedrock Insurance.

Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.

Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.

In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.

Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis's contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.

In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.

Accidentable's response letter confirms Louis's suspicions. Accidentable is Bedrock Insurance's wholly owned subsidiary, and they received information about Louis's accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis's contract included, a provision in which he agreed to share his information with Bedrock's affiliates for business purposes.

Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.

After Louis has exercised his right to restrict the use of his data, under what conditions would Accidentable have grounds for refusing to comply?

Show Answer Hide Answer
Correct Answer: A