- What the CIPP/E Certification Actually Tests
- Exam Format: Structure, Length, and Question Types
- Domain-by-Domain Breakdown and Weight
- How CIPP/E Questions Are Written
- Registration, Fees, and Scheduling Mechanics
- Working Within the Time Limit
- A Domain-Sequenced Study Schedule
- Frequently Asked Questions
- The CIPP/E is a closed-book, multiple-choice exam administered by IAPP with a strict time limit.
- Domain 2 (European Data Protection Law and Regulation) carries the largest exam weight at 24-37%.
- Questions test scenario-based application of GDPR and related EU law, not definition recall alone.
- Domain 5 (International Data Transfers) covers 11-19% of the exam and frequently trips up candidates who skip SCCs and BCRs.
What the CIPP/E Certification Actually Tests
The Certified Information Privacy Professional/Europe (CIPP/E) is the gold-standard credential for privacy professionals working within the European data protection landscape. Issued by the International Association of Privacy Professionals (IAPP), it signals that the holder understands not just the text of the General Data Protection Regulation but the broader ecosystem of EU law, supervisory authority guidance, national derogations, and cross-border transfer mechanisms that practitioners navigate every day.
Employers across consulting firms, in-house legal teams, technology companies, and public sector bodies use the CIPP/E as a hiring filter precisely because it is not a beginner credential. It demands working knowledge of how Article 6 lawful bases interact with special category data under Article 9, how Data Protection Authorities structure enforcement, and how the Schrems II decision reshaped transfer impact assessments. If you are preparing for this exam, understanding its exact format and domain structure is the single most practical starting point.
Exam Format: Structure, Length, and Question Types
The CIPP/E exam is a computer-based, closed-book assessment. Candidates have two and a half hours (150 minutes) to answer 90 multiple-choice questions. All questions are single-answer: each presents a scenario or a direct question with four answer options, and only one is correct. There are no partial-credit items, no essay responses, and no open-ended questions.
The exam is delivered through Pearson VUE testing centres and via online proctoring. Both delivery formats present the same question structure and time constraint. The closed-book nature means that candidates cannot reference the GDPR text, EDPB guidelines, or any notes during the exam - a fact that catches under-prepared candidates off guard, since EU privacy work in practice almost always involves consulting primary sources.
Scoring and the Scaled Score Model
IAPP uses a scaled scoring model for the CIPP/E. Raw scores are converted to a scale of 100-500, with a passing score set at 300. This scaling accounts for minor variation in question difficulty across different exam forms. Candidates receive a pass/fail result immediately after completing the exam at a Pearson VUE centre, along with a scaled score and a domain-by-domain performance breakdown. That breakdown is particularly valuable: it shows exactly which of the five domains you underperformed in, giving targeted direction for a retake if needed.
Domain-by-Domain Breakdown and Weight
The CIPP/E blueprint divides the exam into five domains. Understanding the weight of each domain is essential for allocating your study time efficiently. A candidate who spends equal time on all five domains is systematically underinvesting in the areas where the most points are at stake.
Domain 1: Introduction to European Data Protection (8-14%)
This domain covers the historical foundations of European data protection, including the evolution from the 1995 Data Protection Directive through to the GDPR. It also addresses the institutional framework: the European Data Protection Board, national supervisory authorities, and the role of the European Data Protection Supervisor.
- Origins and purpose of EU privacy law
- Structure of supervisory authorities and their powers
- The GDPR's relationship to the Charter of Fundamental Rights
Domain 2: European Data Protection Law and Regulation (24-37%)
This is the heaviest domain by examination weight and the one where most candidates either win or lose their score. It encompasses the core obligations of the GDPR - lawful bases, data subject rights, controller and processor relationships, data protection by design, and the requirements for DPOs.
- All six lawful bases under Article 6, including legitimate interests assessment
- Special category data and criminal conviction data processing under Articles 9 and 10
- Data subject rights: access, erasure, portability, restriction, objection
- Controller vs. processor vs. joint controller distinctions
- Article 28 data processing agreement (DPA) requirements and Article 30 Records of Processing Activities (RoPAs)
- DPO appointment criteria, tasks, and independence requirements
- DPIA triggers and the Article 35 process
Domain 3: European Data Processing (17-28%)
Domain 3 applies the legal framework to specific processing contexts: employment, health and research, direct marketing, telecommunications, online services, and surveillance technologies. This is where knowledge of the ePrivacy Directive, EDPB guidelines, and sector-specific rules becomes critical.
- Cookie consent under the ePrivacy Directive and the trajectory of the ePrivacy Regulation
- Employee monitoring and workplace privacy expectations
- CCTV and biometric data processing requirements
- Children's data and age verification obligations
Domain 4: Compliance (13-22%)
This domain addresses how organisations operationalise GDPR compliance: privacy notices, consent management, breach notification timelines, and accountability documentation. It tests whether candidates can identify what a compliant programme looks like in practice.
- 72-hour breach notification obligation to supervisory authority
- Transparency requirements and layered privacy notice structures
- Accountability documentation: RoPAs, policies, audit trails
- Enforcement powers: administrative fines under Article 83 tiers
Domain 5: International Data Transfers (11-19%)
Domain 5 is consistently underestimated by candidates. It covers the full range of mechanisms for transferring personal data outside the EEA, from adequacy decisions to Standard Contractual Clauses, Binding Corporate Rules, and derogations. Post-Schrems II Transfer Impact Assessments are a live examination topic.
- Adequacy decisions: current list of adequate countries and criteria
- 2021 EU SCCs structure and module system
- BCR requirements and approval process
- Schrems II implications and supplementary measures
- Article 49 derogations: when they apply and their limitations
For more on structuring your preparation around these domains, the CIPP/E Study Materials 2026: Books, Courses and Tools guide covers which resources address each domain most effectively.
How CIPP/E Questions Are Written
Understanding the mechanics of CIPP/E question design is as important as knowing the substantive law. IAPP deliberately writes questions as scenarios rather than definitions. A typical question might describe a mid-sized SaaS company collecting employee data in Germany, then ask which lawful basis applies, whether a DPIA is required, or what the controller's obligations are under Article 28. The four answer choices will often include multiple plausible options - the skill is in identifying the most legally precise or contextually appropriate response.
Common Question Patterns
- Lawful basis identification: Given a specific processing activity (marketing, employment contract, legal obligation), which Article 6 basis is most appropriate?
- Rights fulfilment: A data subject submits a request. What is the controller's obligation, timeframe, and any applicable exception?
- Transfer mechanism selection: An organisation wants to send HR data to a US parent company. Which mechanism is legally sound post-Schrems II?
- Breach response: A data breach is discovered on a Tuesday evening. What notifications are required and by when?
- Institutional identification: Which body issues opinions on cross-border processing cases under the one-stop-shop mechanism?
The distractor answers in CIPP/E questions are carefully designed to exploit common misconceptions. For example, candidates frequently confuse the Article 83(4) and 83(5) fine tiers, mistake processor obligations for controller obligations, or incorrectly apply the Legitimate Interests lawful basis to special category data. Regular practice with exam-style questions is the most direct antidote. The CIPP/E Exam Prep practice tests replicate this scenario-based format so you can identify your own distractor vulnerabilities before sitting the real exam.
Registration, Fees, and Scheduling Mechanics
The CIPP/E is administered by IAPP and scheduled through Pearson VUE. Candidates register via the IAPP website, pay the examination fee, and then receive a Pearson VUE authorisation code to book their test slot. IAPP membership provides a discounted exam fee; non-members pay a higher rate. Exam fees and membership rates are confirmed at the point of registration on the IAPP website, as these are updated periodically.
Rescheduling and cancellation policies are managed through Pearson VUE. Candidates who cancel within a specified window before their exam date may forfeit part or all of the exam fee. It is worth reviewing the current policy at the time of registration rather than assuming a blanket refund is available.
The CIPP/E credential, once earned, requires renewal every two years through Continuing Privacy Education (CPE) credits. This means the credential is not a one-time investment - professionals in the field accumulate CPEs through IAPP events, webinars, and other qualifying activities to maintain certification. Understanding this maintenance requirement upfront helps practitioners budget time and expense for ongoing professional development.
Working Within the Time Limit
At 90 questions in 150 minutes, candidates have an average of 100 seconds per question. In practice, this is comfortable for straightforward definitional questions and tighter for complex scenarios that require mentally tracing through multiple GDPR provisions. The risk is not running out of time on the exam overall - most candidates finish - but rather spending too long on difficult questions and losing focus on subsequent ones.
A practical approach is to move through the exam at a consistent pace during a first pass, flagging questions where you are uncertain, and returning to flagged items once you have answered all questions you are confident about. The Pearson VUE interface supports question flagging and review within the exam session.
Domain 5 questions - particularly those involving the nuances of SCCs, BCRs, and TIAs - tend to require more processing time than Domain 1 historical questions. Being aware of where your slower questions are likely to fall helps you mentally budget time across the exam.
The best way to develop an accurate sense of your personal pace is to take full-length, timed practice exams before sitting the real assessment. The CIPP/E Exam Prep practice platform is built specifically to simulate the 90-question timed format so your exam day timing feels familiar rather than stressful.
A Domain-Sequenced Study Schedule
Generic weekly study templates are not particularly useful for the CIPP/E because the domains are not equal in weight or complexity. The schedule below is sequenced to build foundational knowledge before tackling the high-weight domains, and to address the international transfer mechanisms - the area most candidates find hardest - while study energy is still high.
Domain 1 - Foundations and Institutional Framework
- History: from Directive 95/46/EC to GDPR - understand why the Regulation replaced the Directive
- EDPB, EDPS, national DPA roles and powers
- One-stop-shop mechanism and lead supervisory authority concept
- Complete 20 Domain 1 practice questions to benchmark baseline
Domain 2 - Core GDPR Law (Highest Weight)
- Work through each Article 6 lawful basis with concrete examples for each
- Memorise the Article 9 special categories and the conditions under Article 9(2)
- Map the eight data subject rights to their associated Articles, timeframes, and exceptions
- Distinguish controller, processor, and joint controller obligations line by line
- Complete 40-50 Domain 2 practice questions; review every incorrect answer
Domain 5 - International Data Transfers
- Map the hierarchy of transfer mechanisms: adequacy → SCCs → BCRs → Article 49
- Study the 2021 SCC modules and understand which applies in which controller/processor scenario
- Work through the Schrems II judgment logic and the Transfer Impact Assessment process
- Complete focused Domain 5 practice questions before moving on
Domains 3 and 4 - Processing Contexts and Compliance Operations
- ePrivacy Directive: cookie consent, electronic communications, direct marketing rules
- Employment context: monitoring, BYOD, pre-employment screening
- 72-hour breach notification mechanics and Article 83 fine tier structure
- DPIAs: mandatory triggers, the nine Article 35(7) elements, prior consultation threshold
Full Exam Simulation and Weak-Area Remediation
- Take two full 90-question timed practice exams
- Use domain performance breakdowns to identify gaps
- Review EDPB guidelines on whichever domain scored lowest
- Final targeted practice on distractor-heavy question types
This sequence applies spaced repetition naturally - Domain 2 material is encountered in weeks 2-3, reinforced through Domain 3 and 4 context in week 5, and tested again during full simulations in week 6. For a detailed look at which textbooks and EDPB guidelines to use during each phase, see the CIPP/E Study Materials 2026: Books, Courses and Tools article.
| Domain | Exam Weight | Study Priority | Key Topics to Master |
|---|---|---|---|
| Domain 1: Introduction to European Data Protection | 8-14% | Moderate (foundational) | GDPR history, DPA structure, EDPB powers |
| Domain 2: European Data Protection Law and Regulation | 24-37% | Highest | Lawful bases, data subject rights, controller/processor, DPO, DPIA |
| Domain 3: European Data Processing | 17-28% | High | ePrivacy, employment, health, surveillance technologies |
| Domain 4: Compliance | 13-22% | Moderate-High | Breach notification, accountability docs, Article 83 fines |
| Domain 5: International Data Transfers | 11-19% | High (often underestimated) | SCCs, BCRs, adequacy decisions, TIAs, Article 49 derogations |
Key Takeaway
Domain 2 alone covers at least a quarter of your exam score and can represent more than a third. Any study plan that does not dedicate disproportionate time to GDPR's core obligations - lawful bases, data subject rights, and controller/processor distinctions - is structurally underprepared. Complement your reading with timed scenario practice on the CIPP/E Exam Prep platform to convert knowledge into exam-ready application.
Frequently Asked Questions
The CIPP/E consists of 90 multiple-choice questions with a time limit of 150 minutes (two and a half hours). All questions are single-answer with four options. There is no negative marking for incorrect answers, so leaving questions blank is never advantageous.
IAPP uses a scaled scoring model where results are reported on a 100-500 scale. The passing mark is 300. After completing the exam at a Pearson VUE centre, candidates receive their scaled score and a domain-by-domain performance breakdown immediately.
Domain 2 (European Data Protection Law and Regulation) is both the heaviest weighted - at 24-37% of the exam - and the most conceptually demanding. It requires detailed knowledge of every GDPR chapter, from lawful bases and data subject rights through to DPO obligations and DPIA requirements. Domain 5 (International Data Transfers) is frequently underestimated and requires specific attention given the complexity introduced by post-Schrems II transfer impact assessments.
No. The CIPP/E is a closed-book exam. No reference materials, notes, or electronic resources are permitted during the assessment. This means candidates must have internalised the key provisions, Article numbers, timeframes, and procedural requirements - not just know that the GDPR exists as a document they can look up.
The CIPP/E is primarily scenario-based rather than definitional. Most questions present a realistic business situation - a company processing employee data, a cross-border transfer to a third country, a data breach discovered on a weekend - and ask candidates to identify the correct legal obligation, mechanism, or compliance step. This applied format means candidates who have read the GDPR but never practised applying it to scenarios are often surprised by the difficulty. Working through exam-format practice questions is essential preparation, not optional reinforcement.