CIPP/E PRACTICE EXAM 2025
QUESTIONS AND ANSWERS
Which statement is correct when considering the right to privacy under article 8 of the
European Convention on Human Rights? - ANS The right to privacy has to be balanced
against other rights under the ECHR
What is the one major goal that the OECD Guidelinges, Convention 108, and the Directive all
had in common but largely failed to achieve in Europe? - ANS The restriction of cross-border
data flow
Which EU institution is vested with the competence to propose new data protection legislation
on its own initiative? - ANS Commission
Which institution has the power to adopt findings that confirm the adequacy of the data
protection level in a non-EU country? - ANS European Commission
What type of data lies beyond the scope of the GDPR? - ANS Anonymised
What is the consequence if a processor makes an independent decision regarding the purposes
and means of processing it carries out on behalf of a controller? - ANS The processor will be
considered to be a controller
With the issue of consent, the GDPR allows member states some choice regarding what? -
ANS The age which children must be required to obtain parental consent
COPYRIGHT © 2025 THESTAR ALL RIGHTS RESERVED 1
,Which sentence BEST summarizes the concepts of Fairness, lawfullness, and transparency, as
expressly required by Article 5 of the GDPR? - ANS Fairness and transparency refer to the
communication of key information before collecting data; lawfulness refers to compliance with
government regulations
Assuming that the "without undue delay" provison is followed, what is the time limit for
complying with a data access request? - ANS 1 month + additional 2 months
Company X has entrusted the processing of their payroll data provider to Y. Provider Y stores
this encrypted data on its server. The IT department of Provider Y finds out that someone
managed to hack into the system and take a copy of the data from its server. In this scenario,
whom does Provider Y have the obligation to notify? - ANS Company X
Which of the following would require designationg a data protection officer? - ANS The core
activites of the controller or processor consist of processing operations that require systematic
monitoring of data subjects on a large scale. (public authority or large scal sensitive data would
apply as well)
When is a data sharing agreement MOST likely to be needed? - ANS When personal data is
being shared between commercial orgs acting as joint data controllers
An employee of company X has just noticed a memory stick containing records of client data,
including their names, addresses and full contact details has disappeared. The data on the stick
is unencrypted and in clear text. It is uncertain what has happened to the stick as this stage, but
it likely was lost during the travel of an employee. What should the company do? -
ANS Notify as soon as possible the data protection supervisory authority that a data breach
may have taken place
The GDPR specifies fines that may be levied against data controllers for certain infringements.
Which of the following infringements would be subject to the less severe administrative fine of
up to 10 million Euros? - ANS Failure to implement technical and organisational measures to
ensure data protection is enshrined by design and default
COPYRIGHT © 2025 THESTAR ALL RIGHTS RESERVED 2
, Why is it advisable to avoid consent as a legal basis for an employer to process employee data?
- ANS Consent may not be valid if the employee feels compelled to provide it
What is true about an employee who makes an access request to his employer for any personal
data held about him? - ANS The employer must supply all the information held about the
employee unless there is an exemption
Discover which employees are accessing cloud services and from which devices and apps
Lock down the data in those apps and devices
Monitor and analyse the apps and devices for compliance
Manage application life cycles
Monitor data sharing
An organisation should perform these steps to do which of the following? - ANS Maintain a
secure BYOD program
If a company is planning to use CCTV on its premises and is concerned with GDPR compliance, it
should first do all of the following EXCEPT? - ANS Notify the appropriate data protection
authority
In which of the following cases would an organisation MOST LIKELY be required to follow both
ePrivacy and data protection rules? - ANS When calling a potential customer to notify her of
an upcoming product sale
What permissions are required for a marketer to send an email marketing message to a
consumer in the EU? - ANS A prior opt-in consent for consumers unless they are already
customers
What is the key difference between the European Council and the Council of the EU? -
ANS Council of the EU has legislative decision making authority
COPYRIGHT © 2025 THESTAR ALL RIGHTS RESERVED 3
QUESTIONS AND ANSWERS
Which statement is correct when considering the right to privacy under article 8 of the
European Convention on Human Rights? - ANS The right to privacy has to be balanced
against other rights under the ECHR
What is the one major goal that the OECD Guidelinges, Convention 108, and the Directive all
had in common but largely failed to achieve in Europe? - ANS The restriction of cross-border
data flow
Which EU institution is vested with the competence to propose new data protection legislation
on its own initiative? - ANS Commission
Which institution has the power to adopt findings that confirm the adequacy of the data
protection level in a non-EU country? - ANS European Commission
What type of data lies beyond the scope of the GDPR? - ANS Anonymised
What is the consequence if a processor makes an independent decision regarding the purposes
and means of processing it carries out on behalf of a controller? - ANS The processor will be
considered to be a controller
With the issue of consent, the GDPR allows member states some choice regarding what? -
ANS The age which children must be required to obtain parental consent
COPYRIGHT © 2025 THESTAR ALL RIGHTS RESERVED 1
,Which sentence BEST summarizes the concepts of Fairness, lawfullness, and transparency, as
expressly required by Article 5 of the GDPR? - ANS Fairness and transparency refer to the
communication of key information before collecting data; lawfulness refers to compliance with
government regulations
Assuming that the "without undue delay" provison is followed, what is the time limit for
complying with a data access request? - ANS 1 month + additional 2 months
Company X has entrusted the processing of their payroll data provider to Y. Provider Y stores
this encrypted data on its server. The IT department of Provider Y finds out that someone
managed to hack into the system and take a copy of the data from its server. In this scenario,
whom does Provider Y have the obligation to notify? - ANS Company X
Which of the following would require designationg a data protection officer? - ANS The core
activites of the controller or processor consist of processing operations that require systematic
monitoring of data subjects on a large scale. (public authority or large scal sensitive data would
apply as well)
When is a data sharing agreement MOST likely to be needed? - ANS When personal data is
being shared between commercial orgs acting as joint data controllers
An employee of company X has just noticed a memory stick containing records of client data,
including their names, addresses and full contact details has disappeared. The data on the stick
is unencrypted and in clear text. It is uncertain what has happened to the stick as this stage, but
it likely was lost during the travel of an employee. What should the company do? -
ANS Notify as soon as possible the data protection supervisory authority that a data breach
may have taken place
The GDPR specifies fines that may be levied against data controllers for certain infringements.
Which of the following infringements would be subject to the less severe administrative fine of
up to 10 million Euros? - ANS Failure to implement technical and organisational measures to
ensure data protection is enshrined by design and default
COPYRIGHT © 2025 THESTAR ALL RIGHTS RESERVED 2
, Why is it advisable to avoid consent as a legal basis for an employer to process employee data?
- ANS Consent may not be valid if the employee feels compelled to provide it
What is true about an employee who makes an access request to his employer for any personal
data held about him? - ANS The employer must supply all the information held about the
employee unless there is an exemption
Discover which employees are accessing cloud services and from which devices and apps
Lock down the data in those apps and devices
Monitor and analyse the apps and devices for compliance
Manage application life cycles
Monitor data sharing
An organisation should perform these steps to do which of the following? - ANS Maintain a
secure BYOD program
If a company is planning to use CCTV on its premises and is concerned with GDPR compliance, it
should first do all of the following EXCEPT? - ANS Notify the appropriate data protection
authority
In which of the following cases would an organisation MOST LIKELY be required to follow both
ePrivacy and data protection rules? - ANS When calling a potential customer to notify her of
an upcoming product sale
What permissions are required for a marketer to send an email marketing message to a
consumer in the EU? - ANS A prior opt-in consent for consumers unless they are already
customers
What is the key difference between the European Council and the Council of the EU? -
ANS Council of the EU has legislative decision making authority
COPYRIGHT © 2025 THESTAR ALL RIGHTS RESERVED 3
