CIPP/E EXAM VERSION 3 2025/2026 WITH
ACTUAL CORRECT QUESTIONS AND
VERIFIED DETAILED ANSWERS
|FREQUENTLY TESTED QUESTIONS AND
SOLUTIONS |ALREADY GRADED A+|NEWEST|
BRAND NEW VERSION !!!|LATEST UPDATE
According to the GDPR, when consent of a data subject is required, it must be blank rather than
assumed.
Explicit
What is the intention of the right of Data Portability?
To improve competition among services
How many articles are there in the GDPR?
99
Name some differences between the Data Protection Directive and GDPR
GDPR applies without further intervention of national parliaments, GDPR assigns additional
requirements to proccessors not just controllers, GDPR regulation applies based on where the
data subject is not where the processing happens, GDPR is broader because it makes websites
with cookies or apps that retrieve usage info subject to it, GDPR standards for consent are
higher, language for children in the GDPR must be understandable by children, as well as GDPR's
new RTBF, Data portability restriction of processing and in relation to profiling. GDPR limita the
previous right for a controller to charge a fee to only when the data request is excessive.
Unlike in the Directive, for GDPR, company accountability means they must demonstrate their
blank.
Compliance
Name some requirements of the GDPR's accountability regime.
1|Page
,Data protection policies and measures, data protection by design and default, record keeping,
cooperation with supervisory authorities, DAta Protection impact assessments (DPIAs),
consultation with DPAs for high risk cases, DPOs for public sector processors and those with big
data processing activities.
The Directive applies only to controllers whereas GDPR applies to
Controllers and processors
A processor under GDPR May not subcontract a service without first getting the consent of the
blank.
Controller
Under the GDPR, it's easier to legitimize international data transfers via what methods? There
are at least 5.
Binding Corporate Rules (BCRs), standard contractual clauses (adopted by the Commission or
adopted by the DPA and approved by the Commission), an approved code of conduct, an
approved certification mechanism, or other contractual clauses authorized by a DPA according
to the consistency mechanism.
Under the GDPR, a data breach that could risk rights and freedoms of natural persons must be
reported within 72 hours of becoming aware of it.
The relevant Data Protection Authority (DPA)
True or false? Under GDPR a data subject has the right to compensation for damages caused by
a data breach.
True
How much is the most severe fine for failure to comply with GDPR?
Up to 20m euros or 4% of annual worldwide turnover.
True or false? The ePrivacy Directive applies to comms over company intranet.
False. Only public networks.
Under the ePrivacy Directive, location data can only be processed if consent is granted or if the
data is blank.
Anonymised
Per the ePrivacy Directive, if a data subject's personal data is collected over a public network
they subscribe to, do they need to be informed before being included in a directory?
2|Page
, Yes
True or false? Can an internet provider bring legal proceedings against spammers under the
ePrivacy Directive?
Yes
Per the ePrivacy Directive, must companies get a data subjects consent to store cookies?
Yes, with few exceptions.
Unambiguous consent, which infers consent based on a data subject's actions, is also referred to
as what?
Implied consent
The ePrivacy Regulation of 2017 is meant to harmonize the ePrivacy Directive with what?
GDPR
True or false? The ePrivacy Directive applies to mobile phone messaging services.
False, but the ePrivacy Regulation will.
Under the EPrivacy Regulation in progress, how could a controller avoid having to delete a
subject's metadata? There are 3
Anonymize it, get the subject's consent or establish a need to store the data for billing purposes
Consent, directories, and spam violations of the ePrivacy Directive impose fines up to blank or
blank of total annual worldwide turnover.
10m euros, 2%
Which Directive, now ruled invalid by the CJEU, concerns holding on to traffic and location data
for the purposes of antiterrorism or serious crime?
Data Retention Directive
What is a key difference between Directives and Regulations?
directives require member states to implement them as national laws whereas regulations are
directly applicable to member states and so need no further implementation into national laws
True or false? IP addresses and cookies are personal data.
True
True or false? Information does not need to be true to be considered personal data.
3|Page
ACTUAL CORRECT QUESTIONS AND
VERIFIED DETAILED ANSWERS
|FREQUENTLY TESTED QUESTIONS AND
SOLUTIONS |ALREADY GRADED A+|NEWEST|
BRAND NEW VERSION !!!|LATEST UPDATE
According to the GDPR, when consent of a data subject is required, it must be blank rather than
assumed.
Explicit
What is the intention of the right of Data Portability?
To improve competition among services
How many articles are there in the GDPR?
99
Name some differences between the Data Protection Directive and GDPR
GDPR applies without further intervention of national parliaments, GDPR assigns additional
requirements to proccessors not just controllers, GDPR regulation applies based on where the
data subject is not where the processing happens, GDPR is broader because it makes websites
with cookies or apps that retrieve usage info subject to it, GDPR standards for consent are
higher, language for children in the GDPR must be understandable by children, as well as GDPR's
new RTBF, Data portability restriction of processing and in relation to profiling. GDPR limita the
previous right for a controller to charge a fee to only when the data request is excessive.
Unlike in the Directive, for GDPR, company accountability means they must demonstrate their
blank.
Compliance
Name some requirements of the GDPR's accountability regime.
1|Page
,Data protection policies and measures, data protection by design and default, record keeping,
cooperation with supervisory authorities, DAta Protection impact assessments (DPIAs),
consultation with DPAs for high risk cases, DPOs for public sector processors and those with big
data processing activities.
The Directive applies only to controllers whereas GDPR applies to
Controllers and processors
A processor under GDPR May not subcontract a service without first getting the consent of the
blank.
Controller
Under the GDPR, it's easier to legitimize international data transfers via what methods? There
are at least 5.
Binding Corporate Rules (BCRs), standard contractual clauses (adopted by the Commission or
adopted by the DPA and approved by the Commission), an approved code of conduct, an
approved certification mechanism, or other contractual clauses authorized by a DPA according
to the consistency mechanism.
Under the GDPR, a data breach that could risk rights and freedoms of natural persons must be
reported within 72 hours of becoming aware of it.
The relevant Data Protection Authority (DPA)
True or false? Under GDPR a data subject has the right to compensation for damages caused by
a data breach.
True
How much is the most severe fine for failure to comply with GDPR?
Up to 20m euros or 4% of annual worldwide turnover.
True or false? The ePrivacy Directive applies to comms over company intranet.
False. Only public networks.
Under the ePrivacy Directive, location data can only be processed if consent is granted or if the
data is blank.
Anonymised
Per the ePrivacy Directive, if a data subject's personal data is collected over a public network
they subscribe to, do they need to be informed before being included in a directory?
2|Page
, Yes
True or false? Can an internet provider bring legal proceedings against spammers under the
ePrivacy Directive?
Yes
Per the ePrivacy Directive, must companies get a data subjects consent to store cookies?
Yes, with few exceptions.
Unambiguous consent, which infers consent based on a data subject's actions, is also referred to
as what?
Implied consent
The ePrivacy Regulation of 2017 is meant to harmonize the ePrivacy Directive with what?
GDPR
True or false? The ePrivacy Directive applies to mobile phone messaging services.
False, but the ePrivacy Regulation will.
Under the EPrivacy Regulation in progress, how could a controller avoid having to delete a
subject's metadata? There are 3
Anonymize it, get the subject's consent or establish a need to store the data for billing purposes
Consent, directories, and spam violations of the ePrivacy Directive impose fines up to blank or
blank of total annual worldwide turnover.
10m euros, 2%
Which Directive, now ruled invalid by the CJEU, concerns holding on to traffic and location data
for the purposes of antiterrorism or serious crime?
Data Retention Directive
What is a key difference between Directives and Regulations?
directives require member states to implement them as national laws whereas regulations are
directly applicable to member states and so need no further implementation into national laws
True or false? IP addresses and cookies are personal data.
True
True or false? Information does not need to be true to be considered personal data.
3|Page
