100% Free IAPP CIPP-E Practice Test Questions

Question 1

SCENARIO -

Please use the following to answer the next question:

CreditPlaya, SA is an established Spanish online insurance company whose exclusive activity is providing health insurance for legal residents of Spain, regardless of their nationality.

CreditPlaya autonomously manages its own website, through which a potential customer, engaging in a free pre-contractual activity, enters his or her full name, e-mail address, tax identification number (to verify residence in Spain), age, profession, and the full names of any other adult members of his or her family.

With this data, CreditPlaya immediately sends an email granting or denying eligibility for a health insurance policy. In the case of eligibility, the email also contains the eventual cost of the policy and two PDF documents – one with the contractual Terms and Conditions, and the other with the privacy notice as required by Article 13 of the GDPR.

The CreditPlaya Information Tracking System (ITS) is very efficient, with a low rate of unpaid insurance policies. The ITS is automatically fed by the information provided by every applicant, whose data is then used to refine insurance policy rates.

To ensure their back-up procedures, in January 2021 CreditPlaya started sending weekly copies of the whole database with all the applicants' personal data to an independent company in Uruguay. The information was sent through state-of-the-art encrypting tools, but once in Uruguay was stored without any encryption method.

In March 2022, the entire data base stored on the Uruguay's company servers was encrypted by malicious ransomware. There was no evidence that the data was accessed by unauthorized persons, much less altered or exfiltrated. Despite the incident, CreditPlaya found that they could rely on the locally based Spanish back-up information and carry on its activity without interrupting its operations. The incident caused the termination of the professional relationship between the two companies.

The content of the email that CreditPlaya sends does not comply with GDPR requirements because it lacks what?

A : The list of information with regard to personal data that were not obtained from the data subject, according to Article 14.

B : The list of the processors and subprocessors involved in the processing, as required by Article 28.

C : The list of processing activities as set out in the records of processing activities, according to Article 30.

D : The list of technical and organizational measures that will be implemented, according to Article 32.

Answer: D

Question 2

According to the European Data Protection Board, if a controller that is not established in the EU but still subject to the GDPR becomes aware of a personal data breach, which supervisory authority or authorities must be notified?

A : Only the supervisory authority of the EU member state in which the controller's EU representative (pursuant to Article 27) is established.

B : Only one lead supervisory authority, as a controller benefits from the one-stop shop mechanism under the GDPR’s enforcement regime.

C : Every supervisory authority of the EU member states where the controller is offering goods or services.

D : Every supervisory authority for which affected data subjects reside in their EU member state.

Answer: A

Question 3

The European Data Protection Board (EDPB) recommends measures to supplement transfer tools, in order to ensure compliance with the European Union (EU) level of personal data protection. According to these recommendations, what additional actions should be taken when a transfer to a third country is based upon an adequacy decision?

A : Adopt a supplementary data transfer mechanism.

B : Monitor the ongoing validity of the data transfer mechanism.

C : Adopt technical, contractual or organizational supplementary measures.

D : Monitor changes in the law or practice of the third country that would tower the level of protection of personal data

Answer: D

Question 4

An employee of company ABCD has just noticed a memory stick containing records of client data, including their names, addresses and full contact details has disappeared. The data on the stick is unencrypted and in clear text. It is uncertain what has happened to the stick at this stage, but it likely was lost during the travel of an employee. What should the company do?

A : Notify as soon as possible the data protection supervisory authority that a data breach may have taken place.

B : Launch an investigation and if nothing is found within one month, notify the data protection supervisory authority.

C : Invoke the "disproportionate effort" exception under Article 33 to postpone notifying data subjects until more information can be gathered.

D : Immediately notify all the customers of the company that their information has been accessed by an unauthorized person.

Answer: A

Question 5

SCENARIO -

Please use the following to answer the next question:

Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in Greece (5), Italy (15) and Spain (1), have registered their most profitable results ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based in ARRA's main Italian establishment, has organized a team event for its 420 employees and their families at its hotel in Spain.

Upon arrival at the hotel, each employee and family member is given an electronic wristband at the reception desk. The wristband serves a number of functions:

• Allows access to the "party zone" of the hotel, and emits a buzz if the user approaches any unauthorized areas

• Allows up to three free drinks for each person of legal age, and emits a buzz once this limit has been reached

• Grants a unique ID number for participating in the games and contests that have been planned.

Along with the wristband, each guest receives a QR code that leads to the online privacy notice describing the use of the wristband. The page also contains an unchecked consent checkbox. In the case of employee family members under the age of 16, consent must be given by a parent.

Among the various activities planned for the event, ARRA Hotels' HR office has autonomously set up a photocall area, separate from the main event venue, where employees can come and have their pictures taken in traditional carnival costume. The photos will be posted on ARRA Hotels' main website for general marketing purposes.

On the night of the event, an employee from one of ARRA's Greek hotels is displeased with the results of the photos in which he appears. He intends to file a complaint with the relevant supervisory authority in regard to the following:

• The lack of any privacy notice in the separate photocall area

• The unlawful cross-border processing of his personal data

• The unacceptable aesthetic outcome of his photos

Which of the following is NOT necessarily considered a factor in identifying whether the processing could be considered a "cross-border processing"?

A : The total number of the data subjects interested.

B : The potential harm for the data subjects affected.

C : The limitation of rights of the data subjects concerned.

D : The exposure of the information of the data subjects involved.

Answer: A

Free Practice IAPP CIPP-E Exam Questions 2025