
Free CIPP/E Practice Questions

10 free, exam-style Certified Information Privacy Professional/Europe (CIPP/E) practice questions with answers and explanations. No signup required. Work through them below, then take the full free CIPP/E practice test to cover every exam domain.

Question 1

A data subject claims that a national government's surveillance program breaches Article 8 of the European Convention on Human Rights (ECHR). Which body has jurisdiction to hear a complaint brought directly under the ECHR?

  A. The Court of Justice of the European Union (CJEU)
  B. The European Court of Human Rights (ECtHR)
  C. The national data protection supervisory authority
  D. The European Data Protection Board (EDPB)

Correct answer: B - The European Court of Human Rights (ECtHR)

Explanation: The ECHR is a Council of Europe treaty, not EU law. Under Article 34 ECHR an individual may lodge an application with the ECtHR in Strasbourg once domestic remedies have been exhausted. The CJEU interprets EU law (including the Charter and the GDPR) but cannot hear a complaint brought directly under the ECHR, and supervisory authorities and the EDPB are GDPR bodies with no ECHR jurisdiction.

Question 2

On Monday morning, a controller becomes aware that an unauthorised third party has accessed a file containing customers' names and email addresses. Under the GDPR, the controller must notify the competent supervisory authority:

  A. Immediately and in every case, regardless of the likely impact on the individuals
  B. Only where the breach is likely to result in a high risk to those individuals
  C. Within 72 hours of awareness, unless the breach is unlikely to pose a risk to individuals
  D. Within 72 hours of completing its full forensic investigation into the cause and scope of the breach

Correct answer: C - Within 72 hours of awareness, unless the breach is unlikely to pose a risk to individuals

Explanation: Article 33(1) GDPR requires notification without undue delay and, where feasible, not later than 72 hours after the controller became aware of the breach, unless it is unlikely to result in a risk to individuals' rights and freedoms. The clock runs from awareness, not from the end of the investigation; Article 33(4) allows the information to be supplied in phases. The "high risk" threshold in option B belongs to the separate Article 34 duty to inform the affected data subjects.

Question 3

A customer asks her bank to transmit her transaction history directly to a competing provider, invoking the right to data portability. The bank processes that data to meet its anti-money-laundering legal obligations. Is the bank required to comply?

  A. Yes - every category of personal data a controller holds about a customer is portable
  B. Yes - because the data is processed by automated means, this alone triggers the right
  C. No - the customer must first submit the request in a structured, machine-readable format
  D. No - portability does not apply to data processed under a legal obligation

Correct answer: D - No - portability does not apply to data processed under a legal obligation

Explanation: Article 20(1) GDPR limits portability to personal data the individual has provided, processed by automated means on the basis of consent (Article 6(1)(a) or 9(2)(a)) or a contract (Article 6(1)(b)). Data processed to meet a legal obligation under Article 6(1)(c), such as AML record-keeping, falls outside the right. Option C inverts the rule: the structured, commonly used, machine-readable format is what the controller must deliver, not what the requester must submit.

Question 4

A retailer engages an email-marketing platform to send campaigns to the retailer's customer list. The platform acts only on the retailer's documented instructions and for the retailer's own purposes. Under the GDPR, the platform is acting as a:

  A. Processor, because it acts on the retailer's behalf and on its instructions
  B. Controller, because it has access to and stores the customers' personal data
  C. Joint controller, because both organisations are actively involved in the processing operation
  D. Third party, because it is a separate legal entity from the retailer

Correct answer: A - Processor, because it acts on the retailer's behalf and on its instructions

Explanation: Article 4(8) GDPR defines a processor as a body that processes personal data on behalf of the controller, and acting only on documented instructions is the core processor obligation in Article 28(3)(a). Mere access to or storage of the data does not make the platform a controller; joint control under Article 26 requires jointly determining the purposes and means of processing; and Article 4(10) expressly excludes processors from the definition of "third party".

Question 5

A gym wants to use members' fingerprint scans to control access to the premises. What does the GDPR require before the gym can lawfully process this biometric data used to uniquely identify members?

  A. Only the members' consent under Article 6 is required
  B. Both an Article 6 lawful basis and a condition under Article 9(2)
  C. Only a condition under Article 9(2), as it overrides the Article 6 requirement
  D. Nothing further, because biometric data is special only when it reveals health information

Correct answer: B - Both an Article 6 lawful basis and a condition under Article 9(2)

Explanation: Biometric data processed for the purpose of uniquely identifying a natural person is a special category under Article 9(1), so processing is prohibited unless an Article 9(2) condition applies. That condition is cumulative with, not a substitute for, a lawful basis under Article 6. If the gym relies on explicit consent under Article 9(2)(a), the consent must be freely given, so members who decline should still be able to enter the premises by a non-biometric means.

Question 6

An EU company transfers employee data to a US service provider that is NOT certified under the EU-US Data Privacy Framework, relying on Standard Contractual Clauses (SCCs). Following the Schrems II ruling, what must the company also do?

  A. Nothing further - Schrems II invalidated the SCCs, so another transfer tool must be selected
  B. Rely on each employee's explicit consent for every transfer, as it is now the only lawful option
  C. Assess whether US law ensures essentially equivalent protection and add supplementary measures if needed
  D. Apply to its supervisory authority for an adequacy decision covering this specific transfer

Correct answer: C - Assess whether US law ensures essentially equivalent protection and add supplementary measures if needed

Explanation: In Schrems II (Case C-311/18, 16 July 2020) the CJEU invalidated the EU-US Privacy Shield but upheld the SCCs, holding that the exporter must verify case by case whether the law and practice of the destination country ensure protection essentially equivalent to that in the EU and, if not, adopt supplementary measures or suspend the transfer. The EDPB's Recommendations 01/2020 describe this transfer impact assessment. Adequacy decisions are adopted by the European Commission for a country or framework, not by a supervisory authority for an individual transfer.

Question 7

Which of the following infringements can attract the HIGHER tier of administrative fine under the GDPR - up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher?

  A. Failing to notify a personal data breach to the supervisory authority within 72 hours
  B. Failing to implement appropriate technical and organisational security measures
  C. Failing to maintain adequate records of the organisation's processing activities
  D. Processing personal data without a valid lawful basis

Correct answer: D - Processing personal data without a valid lawful basis

Explanation: Article 83(5) GDPR reserves the higher tier (20 million euros or 4% of total worldwide annual turnover, whichever is higher) for infringements of the basic principles of processing, including the lawfulness requirements of Articles 5, 6, 7 and 9, data subject rights, and the transfer rules. Breach notification (Article 33), security of processing (Article 32) and records of processing (Article 30) are controller and processor obligations listed in Article 83(4), which carries the lower tier of 10 million euros or 2%.

Question 8

Under the GDPR, in which of the following situations is the designation of a Data Protection Officer (DPO) MANDATORY?

  A. When large-scale, regular and systematic monitoring of individuals is a core activity
  B. Whenever the organisation employs more than 250 members of staff
  C. Whenever the organisation processes any special-category or health-related data whatsoever
  D. Whenever the organisation transfers any personal data to a country outside the EEA

Correct answer: A - When large-scale, regular and systematic monitoring of individuals is a core activity

Explanation: Article 37(1) GDPR makes a DPO mandatory for public authorities and bodies, for organisations whose core activities require regular and systematic monitoring of data subjects on a large scale, and for those whose core activities consist of large-scale processing of special-category or criminal-conviction data. There is no headcount threshold (the 250-employee figure belongs to the records exemption in Article 30(5)), occasional processing of special-category data does not qualify, and international transfers trigger the Chapter V safeguards, not a DPO requirement.

Question 9

An employer plans to introduce a system that continuously monitors employees' productivity and intends to rely on the employees' consent as its lawful basis. Why is this approach likely to be problematic under the GDPR?

  A. Consent for monitoring must be given verbally and formally recorded by the HR department
  B. Consent is unlikely to be freely given due to the imbalance of power between employer and employee
  C. Employee data may never be processed for monitoring purposes without the prior written approval of a trade union
  D. Consent is automatically valid because the employees have signed an employment contract

Correct answer: B - Consent is unlikely to be freely given due to the imbalance of power between employer and employee

Explanation: Article 4(11) GDPR requires consent to be freely given, and Recital 43 states that consent is unlikely to be valid where there is a clear imbalance between the data subject and the controller. Employees who fear adverse consequences for refusing cannot give free consent, so the employer generally needs a different Article 6 basis and must document the necessity and proportionality of the monitoring. Options A, C and D describe formal requirements that the GDPR does not contain.

Question 10

A company's website places analytics cookies on visitors' devices and obtains 'consent' by displaying a checkbox that is already ticked by default. Is this a valid way to obtain consent under EU law?

  A. Yes - a pre-ticked box is acceptable as long as the visitor is given the option to untick it later
  B. Yes - analytics cookies are strictly necessary and therefore do not require any consent
  C. No - valid consent requires a clear affirmative act, and a pre-ticked box does not qualify
  D. No - consent for cookies must always be obtained in writing and signed by the visitor

Correct answer: C - No - valid consent requires a clear affirmative act, and a pre-ticked box does not qualify

Explanation: Article 4(11) and Recital 32 GDPR require a clear affirmative act; silence, inactivity and pre-ticked boxes do not constitute consent. In Planet49 (Case C-673/17, 1 October 2019) the CJEU confirmed that a pre-ticked checkbox is not valid consent for storing cookies under Article 5(3) of the ePrivacy Directive. Analytics cookies are not strictly necessary to provide a service the visitor has requested, so the consent exemption does not apply, and no written or signed form is required.

Ready for the real thing?

Practice hundreds more CIPP/E questions with instant scoring, weak-area drills, and full exam simulations.
