ANSWERS
Accountability - ANS A fair information practices principle holding that when personal
information is to be transferred to another person or organization, the personal information
controller should obtain the consent of the individual or exercise due diligence and take
reasonable steps to ensure that the recipient person or organization will protect the
information consistently with the other fair use principles.
Adequate Level of Protection - ANS A label that the EU may apply to third-party countries
that have committed to protect data through domestic law making or international
commitments. Conferring of the label requires a proposal by the European Commission, an
Article 29 Working Group Opinion, an opinion of the article 31 Management Committee, a right
of scrutiny by the European Parliament and adoption by the European Commission.
Adverse Action - ANS Under the Fair Credit Reporting Act, the term "adverse action" is
defined very broadly to include all business, credit and employment actions affecting
consumers that can be considered to have a negative impact, such as denying or canceling
credit or insurance, or denying employment or promotion. No adverse action occurs in a credit
transaction where the creditor makes a counteroffer that is accepted by the consumer. Such an
action requires that the decision maker furnish the recipient of the adverse action with a copy
of the credit report leading to the adverse action.
Annual Reports - ANS The requirement under the European Data Protection Directive that
member state data protection authorities report on their activities at regular intervals.
Antidiscrimination Laws - ANS Refers to the right of people to be treated equally.
COPYRIGHT © 2025 THESTAR ALL RIGHTS RESERVED 1
Article 29 Working Party - ANS A European Union organization that functions as an
independent advisory body on data protection and privacy. Its role is advisory; EU data
protection laws are actually enforced by the national Data Protection Authorities of EU
member states.
Authentication - ANS The process by which an entity (such as a person or computer system)
determines whether another entity is who it claims to be. Authentication identifies an
individual based on some credential, e.g. a password, biometrics, etc. Authentication is different
from authorization. Proper authentication ensures that a person is who he or she claims to be,
but it says nothing about the access rights of the individual.
Background Screening/Checks - ANS Verifying an applicant's ability to function in the working
environment as well as assuring the safety and security of existing workers. Background checks
range from checking a person's educational background to checking on past criminal activity.
Behavioral Advertising - ANS The act of tracking users' online activities and then delivering
ads or recommendations based upon the tracked activities. The most comprehensive form of
targeted advertising. By building a profile on a user through their browsing habits such as sites
they visit, articles read, searches made, ads previously clicked on, etc., advertising companies
place ads pertaining to the known information about the user across all websites visited.
Behavioral Advertising also uses data aggregation to place ads on websites in which a user has
not shown interest, but in which similar individuals have shown interest.
Binding Corporate Rules - ANS Legally binding internal corporate privacy rules for
transferring personal information within a corporate group. BCRs are typically used by
corporations that operate in multiple jurisdictions, and they are alternatives to the EU-U.S.
Privacy Shield and Model Contract Clauses. BCRs must be approved by the EU data protection
authorities of the member states in which the corporation operates.
Binding Safe Processor Rules - ANS Self-regulatory principles (similar to Binding Corporate
Rules) for processors that are applicable to customer personal data. Once a supplier's BSPR are
approved, a supplier gains "safe processor" status and its customers would be able to meet the
EU Data Protection Directive's requirements for international transfers in a similar manner as
BCR allow. BSPR are currently being considered as a concept by the Article 29 Working Party
and national authorities.
Biometrics - ANS Data concerning the intrinsic physical or behavioral characteristics of an
individual. Examples include DNA, fingerprints, retina and iris patterns, voice, face, handwriting,
keystroke technique and gait.
Bodily Privacy - ANS One of the four classes of privacy, along with information privacy,
territorial privacy and communications privacy. It focuses on a person's physical being and any
invasion thereof. Such an invasion can take the form of genetic testing, drug testing or body
cavity searches.
Breach Disclosure - ANS The requirement that a data controller notify regulators and victims
of incidents affecting the confidentiality and security of personal data. It is a transparency
mechanism that highlights operational failures, which helps mitigate damage and aids in
understanding the causes of failure.
Bundesdatenschutzgesetz - ANS A German national data protection law that includes
specific requirements for data services outsourcing agreements. The legislation contains ten
specific requirements for outsourcing agreements: (1) Subject and duration of work; (2) the
extent, type and purpose of data processing; (3) technical and organizational measures to be
taken under section 9; (4) the rectification, erasure and blocking of data; (5) the processor's
section 4 obligations, particularly with regard to monitoring; (6) rights regarding
subcontracting; (7) the controller's monitoring rights; (8) the subcontractor's notification
obligations; (9) the extent of the controller's authority to issue instructions to the processor;
(10) the return and/or erasure of data by the processor at the conclusion of the work.
Charter of Fundamental Rights - ANS A treaty that consolidates human rights within the EU.
The treaty states that everyone has a right to protect their personal data, that data must be
processed for legitimate and specified purposes and that compliance is subject to control by an
authority.
Children's Online Privacy Protection Act (COPPA) of 1998 - ANS A U.S. federal law that
applies to the operators of commercial websites and online services that are directed to
children under the age of 13. It also applies to general audience websites and online services
that have actual knowledge that they are collecting personal information from children under