IAPP CIPP/E Sample Questions & Practice Test

Try 12 Certified Information Privacy Professional/Europe (CIPP/E) sample questions on GDPR concepts, lawful bases, data-subject rights, controllers, processors, transfers, and enforcement.

Certified Information Privacy Professional/Europe (CIPP/E) preparation focuses on European data-protection principles, GDPR roles, lawful bases, rights, transfers, security, accountability, and supervisory authority concepts.

Use these 12 original sample questions for initial self-assessment. They are not official IAPP questions and do not reproduce a live exam.

What this route should test

  • GDPR principles, lawful bases, controller/processor roles, rights, and accountability
  • transfer, breach, DPIA, security, and supervisory authority concepts
  • applying legal vocabulary to practical processing scenarios

Official-source check

Verify current certification names, exam policies, and requirements with the IAPP certification page.

Sample Exam Questions

Question 1

Topic: controller role

Who is most likely the controller in a processing arrangement?

  • A. The courier delivering office supplies
  • B. The party that determines the purposes and essential means of processing
  • C. Any employee with a laptop
  • D. A vendor with no role in personal data

Best answer: B

Explanation: A controller determines why and how personal data is processed. Role classification drives obligations.


Question 2

Topic: processor obligations

A processor receives personal data from a controller. What is a core processor obligation?

  • A. Use the data for any new purpose
  • B. Ignore security safeguards
  • C. Process personal data only on documented instructions, subject to contract and legal obligations
  • D. Refuse to assist the controller

Best answer: C

Explanation: Processor duties commonly include documented instructions, security, assistance, subprocessor controls, and deletion or return.


Question 3

Topic: lawful basis

Why must an organization identify a lawful basis before processing?

  • A. Processing personal data requires a valid legal ground tied to purpose and context
  • B. Lawful basis is needed only after a complaint
  • C. Any basis can be chosen after processing begins
  • D. Lawful basis replaces transparency

Best answer: A

Explanation: A lawful basis supports the legitimacy of processing and must fit the specific purpose.


Question 4

Topic: data minimization

Which practice best reflects data minimization?

  • A. Collecting all possible data for future undefined use
  • B. Keeping unused fields forever
  • C. Hiding data collection from users
  • D. Collecting only personal data that is adequate, relevant, and limited to the stated purpose

Best answer: D

Explanation: Data minimization limits collection and processing to what is necessary for the purpose.


Question 5

Topic: data-subject rights

A data subject requests access to their personal data. What should the organization do?

  • A. Delete all systems immediately
  • B. Refuse every access request
  • C. Ask marketing to decide informally
  • D. Verify identity, assess scope and exceptions, respond within the applicable timeline, and document the response

Best answer: D

Explanation: Rights handling requires identity, scope, exceptions, timing, and evidence of response.


Question 6

Topic: DPIA

When is a data protection impact assessment especially relevant?

  • A. Only for office-supply purchases
  • B. When processing is likely to result in high risk to individuals
  • C. Only after all processing has ended
  • D. Never, if a vendor is involved

Best answer: B

Explanation: DPIAs support prior assessment and mitigation for high-risk processing.


Question 7

Topic: breach notification

What should be assessed after a personal-data breach?

  • A. Nature of data, affected individuals, likely risk, containment, notification duties, and records
  • B. Only whether the website is still online
  • C. Whether logs can be destroyed
  • D. Whether privacy staff can be excluded

Best answer: A

Explanation: Breach response depends on facts, risk to individuals, notification thresholds, and documentation.


Question 8

Topic: international transfers

Why are transfers outside the European Economic Area reviewed?

  • A. Transfers always remove GDPR obligations
  • B. Transfers automatically anonymize data
  • C. Transfer rules may require adequacy, safeguards, derogations, or additional assessment
  • D. Transfers are only a finance issue

Best answer: C

Explanation: International transfer mechanisms and risk assessment are central CIPP/E topics.


Question 9

Topic: accountability

Which evidence supports accountability?

  • A. Processing records, policies, DPIAs, contracts, training, security measures, and documented decisions
  • B. A privacy slogan
  • C. No documentation
  • D. A public statement with no controls

Best answer: A

Explanation: Accountability requires being able to demonstrate compliance through governance and records.


Question 10

Topic: privacy by default

What does privacy by default emphasize?

  • A. Default settings should maximize collection
  • B. Default settings should disable all security
  • C. Default settings are unrelated to privacy
  • D. Default settings should limit personal-data processing to what is necessary

Best answer: D

Explanation: Privacy by default means protective settings and necessary processing are the baseline.


Question 11

Topic: special categories

Why do special categories of personal data require careful review?

  • A. They are never personal data
  • B. They can always be processed for advertising
  • C. They may require specific conditions and stronger safeguards because of heightened risk
  • D. They remove transparency duties

Best answer: C

Explanation: Special-category data is more sensitive and often subject to stricter processing conditions.


Question 12

Topic: supervisory authority

What is a supervisory authority’s role?

  • A. Replacing every controller
  • B. Monitoring and enforcing data-protection law, handling complaints, and issuing guidance or decisions
  • C. Selling personal data
  • D. Running a company’s product roadmap

Best answer: B

Explanation: Supervisory authorities oversee compliance and enforcement within the data-protection framework.

Revised on Thursday, May 21, 2026