CIPP/E Exam Prep: Mastering European Data Protection Law and the GDPR
💻 Technology · Advanced · 3h · 13 modules


A focused, exam-oriented course that walks you through the full CIPP/E Body of Knowledge, from EU institutions and legal foundations to GDPR concepts, data subject rights, controller/processor obligations, international transfers, and enforcement. You will build the legal fluency and exam technique needed to confidently sit the IAPP CIPP/E certification exam.

1 learner · by Skarp_officialen

Course Content

13 modules · 3h total

1

Orienting to CIPP/E: Exam Blueprint, Domains and Study Strategy

Step behind the three letters “CIPP/E” and see how the exam is actually built, what the IAPP expects you to know, and how to turn the official Body of Knowledge into an efficient, targeted study plan.

15 min
2

Foundations of European Data Protection: History, Values and Legal Sources

Travel from post-war fundamental rights through early data protection directives to the modern GDPR era, uncovering why Europe treats privacy as a core right and how that shapes every CIPP/E question you’ll face.

15 min
3

EU Institutions, Regulators and the Data Protection Landscape

Step into the institutional machinery behind EU privacy law and see how the Parliament, Council, Commission, EDPB and national authorities shape, interpret and enforce GDPR across Europe.

15 min
4

Core GDPR Concepts: Personal Data, Roles and Territorial Scope

Zoom in on the definitions that make or break exam questions—personal data, processing, controller, processor, joint controllership and territorial scope—so you can decode any scenario with legal precision.

15 min
5

GDPR Principles and Legal Bases: Lawfulness, Fairness and Purpose

Unpack the heart of the GDPR—its principles and legal bases—and see how subtle differences between consent, contract, legitimate interest and other grounds become decisive in tricky multiple‑choice questions.

15 min
6

Data Subject Rights: Access, Erasure and Beyond

Walk through the rights catalogue from a data subject’s perspective—access, rectification, erasure, portability and more—and see how deadlines, exemptions and balancing tests play out in exam‑style cases.

15 min
7

Controller and Processor Obligations: Accountability in Practice

Step into the shoes of controllers and processors as you map out contracts, records, DPIAs, DPOs and privacy by design, turning abstract accountability into concrete exam‑ready obligations.

15 min
8

Security, Breach Notification and Sectoral Overlays

Follow the lifecycle of a security incident from detection to notification and remediation, while weaving in how frameworks like NIS/NIS 2 and sector‑specific rules intersect with GDPR obligations.

15 min
9

International Data Transfers: Tools, Schrems II and the EU–U.S. Landscape

Navigate the minefield of cross‑border data flows—adequacy, SCCs, BCRs, derogations and the post‑Schrems II world—so you can confidently untangle any transfer scenario the exam throws at you.

15 min
10

Enforcement, Remedies and Liability: How GDPR Bites

Step into the world of investigations, corrective orders and multimillion‑euro fines to see how supervisory authorities, courts and private claimants enforce GDPR in practice—and how those patterns surface on the exam.

15 min
11

Related EU Instruments: ePrivacy, NIS/NIS 2 and the EU AI Act

Look beyond the GDPR to the wider constellation of EU rules—from ePrivacy and cookies to cybersecurity and AI governance—that increasingly feature in the CIPP/E Body of Knowledge and real‑world practice.

15 min
12

Applied Scenarios and Case Studies: From Theory to Fact Patterns

Test your understanding by walking through compact, exam‑style scenarios that weave together multiple GDPR concepts, forcing you to spot issues, assign roles and choose the best legal path under time pressure.

15 min
13

CIPP/E Exam Techniques, Practice Questions and Final Review

Bring everything together in a final tune‑up that focuses on timing, question‑dissection techniques, high‑yield topics and a structured last‑week revision plan so you walk into the test centre calm and prepared.

15 min

Read the Textbook


The CIPP/E is the IAPP's certification focused on European privacy and data protection law. To study efficiently, you first need to know what the exam is built to test.

As of mid‑2026, the CIPP/E exam is based on two key IAPP documents: the Body of Knowledge (BoK), the detailed list of topics you are expected to know, and the Exam Blueprint, which groups those topics into domains and shows how heavily each domain is tested.

The IAPP periodically updates these to reflect legal and regulatory changes. In the last few years, important updates have included:

Post‑Schrems II international transfers (the 2021 SCCs, EDPB recommendations on supplementary measures, and the EU–U.S. Data Privacy Framework).

The NIS 2 Directive (entered into force in January 2023; Member States had to apply it from 17 October 2024) and the cybersecurity and incident‑reporting obligations it brings.

The EU AI Act (formally adopted in 2024; most provisions phase in between 2025 and 2027) and how it interacts with the GDPR.

Study Flashcards

Key concepts from this course as flashcard pairs.

Orienting to CIPP/E: Exam Blueprint, Domains and Study Strategy

Body of Knowledge (BoK)

The official IAPP document listing the detailed topics the CIPP/E exam can test. It defines the content scope for your study plan.

Exam Blueprint

The IAPP document that groups BoK topics into domains and shows their approximate percentage weight on the exam.

Domain II – European Data Protection Law and Regulation

The largest CIPP/E domain, covering detailed GDPR rules, ePrivacy, international transfers, and awareness of related frameworks like NIS 2 and the EU AI Act.

NIS 2 Directive

An EU cybersecurity directive (2022/2555) focusing on essential and important entities. In CIPP/E it mainly appears in relation to security of processing and incident/breach reporting.

EU AI Act

The EU regulation adopted in 2024 that introduces a risk-based framework for AI systems. For CIPP/E, know its high-level structure and its interaction with GDPR duties.

Scaled Score

A standardized exam score that adjusts for slight differences in difficulty across exam forms, so results are comparable whichever form you sat. IAPP scaled scores run from 100 to 500, with 300 as the passing mark; the scaled score is not a percentage of questions answered correctly.


Foundations of European Data Protection: History, Values and Legal Sources

European Convention on Human Rights (ECHR)

A Council of Europe treaty from 1950 protecting human rights, including Article 8 on respect for private and family life. Enforced by the European Court of Human Rights.

EU Charter of Fundamental Rights

Binding since 2009, it codifies fundamental rights in EU law. Article 7 protects private and family life; Article 8 recognizes a distinct right to protection of personal data.

Directive 95/46/EC

The 1995 Data Protection Directive that harmonized Member State laws but required national implementation. It was repealed and replaced by the GDPR in 2018.

GDPR (Regulation 2016/679)

A directly applicable EU regulation on data protection, applicable since 25 May 2018 (it entered into force in May 2016 with a two‑year transition), with extraterritorial reach, stronger enforcement, and enhanced data subject rights.

Primary EU law

The highest level of EU law: the treaties (TEU, TFEU) and the EU Charter. It sets the framework and limits for secondary law like the GDPR.

Secondary EU law

Law adopted under the treaties, including regulations, directives, and decisions. The GDPR is secondary law.


EU Institutions, Regulators and the Data Protection Landscape

Ordinary Legislative Procedure (OLP)

The main EU law‑making process where the European Parliament and the Council act as co‑legislators on the basis of a proposal from the European Commission.

Supervisory Authority (SA)

An independent public authority in each Member State responsible for monitoring and enforcing GDPR, handling complaints and advising on data protection matters.

Investigative Powers (of SAs)

Powers that allow SAs to gather information and evidence, such as requesting records, conducting audits and accessing premises and equipment.

Corrective Powers (of SAs)

Powers that allow SAs to change or stop unlawful processing, including warnings, reprimands, orders to comply, processing bans and administrative fines.

European Data Protection Board (EDPB)

The EU‑level body composed of national SAs and the EDPS that issues GDPR guidance, runs the consistency mechanism and adopts binding decisions in certain disputes.

European Data Protection Supervisor (EDPS)

The independent authority that supervises data protection compliance within EU institutions, bodies, offices and agencies and participates in the EDPB.


Core GDPR Concepts: Personal Data, Roles and Territorial Scope

Personal data

Any information relating to an identified or identifiable natural person (data subject), directly or indirectly, by reference to an identifier or factors specific to their identity.

Anonymous data

Data that does not relate to an identified or identifiable person, or has been rendered anonymous so the person is not identifiable by any means reasonably likely to be used. GDPR does not apply.

Pseudonymisation

Processing of personal data so it cannot be attributed to a specific person without additional information kept separately and protected. Still personal data under GDPR.

Data subject

The identified or identifiable natural person to whom personal data relates.

Processing

Any operation performed on personal data, automated or not, such as collection, storage, use, disclosure, or erasure.

Controller

The person or body that alone or jointly determines the purposes and means of processing personal data.

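The pseudonymisation and anonymous‑data flashcards above turn on one practical question: what is the "additional information kept separately" that stops a token from being attributed to a person? The following Python is an added example (not part of the course material) built around constructed sample records. It contrasts an unkeyed SHA‑256 of an e‑mail address, which anyone with a list of candidate addresses can recompute and match, with an HMAC keyed by a secret that the data holder keeps away from the dataset. The demo key, the record and the candidate list are all assumptions made for the example.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional

# Constructed demo key. In practice the key comes from a CSPRNG (e.g. secrets.token_bytes(32)),
# is held by a separate team or a KMS, and is never stored next to the pseudonymised dataset:
# the key *is* the "additional information kept separately" in Art. 4(5).
DEMO_KEY = b"demo-pseudonymisation-key-not-for-prod"


def _normalise(identifier: str) -> bytes:
    # Canonicalise so "Ana.Lopez@example.com " and "ana.lopez@example.com" yield one pseudonym
    return identifier.strip().lower().encode("utf-8")


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of an identifier. This is NOT effective pseudonymisation: anyone who
    knows the scheme can recompute it over guessed identifiers and match the result."""
    return hashlib.sha256(_normalise(identifier)).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Stable for the same input, so records can still be
    linked, but cannot be attributed to a person without the separately held key."""
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()


def pseudonymise_record(record: Dict[str, str], key: bytes,
                        fields: Iterable[str] = ("email",)) -> Dict[str, str]:
    """Return a copy of the record with the listed direct identifiers replaced by pseudonyms.
    The remaining fields are untouched; the result is still personal data under the GDPR."""
    out = dict(record)
    for field in fields:
        if field in out:
            out[field] = pseudonymise(out[field], key)
    return out


def re_identify(token: str, candidates: Iterable[str], key: Optional[bytes] = None) -> Optional[str]:
    """Recompute each candidate's token and compare. With key=None this models an attacker who
    knows only the hashing scheme; with the key it models the authorised key holder."""
    for candidate in candidates:
        guess = pseudonymise(candidate, key) if key is not None else naive_hash(candidate)
        if hmac.compare_digest(guess, token):
            return _normalise(candidate).decode("utf-8")
    return None


# Constructed sample data (fictional person and a guessed candidate list)
RECORD = {"email": "Ana.Lopez@example.com", "diagnosis": "asthma", "visit": "2024-03-02"}
CANDIDATES = ["bob@example.com", "ana.lopez@example.com", "carol@example.org"]

if __name__ == "__main__":
    print(pseudonymise_record(RECORD, DEMO_KEY))
    print("unkeyed hash reversed to:", re_identify(naive_hash(RECORD["email"]), CANDIDATES))
    print("keyed token without key: ", re_identify(pseudonymise(RECORD["email"], DEMO_KEY), CANDIDATES))
    print("keyed token with key:    ", re_identify(pseudonymise(RECORD["email"], DEMO_KEY), CANDIDATES, DEMO_KEY))
```

The point for the exam and for practice is the same: the keyed token is still personal data, because the key holder can re‑identify; the unkeyed hash is worse, because anyone can. Only when no party can reasonably re‑identify, and the remaining fields cannot single out a person, does the data leave the GDPR as anonymous data.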

GDPR Principles and Legal Bases: Lawfulness, Fairness and Purpose

Lawfulness, fairness, transparency

A combined principle: processing must have a valid legal basis (lawfulness), must not be misleading or exploitative (fairness), and must be clearly explained to individuals (transparency).

Purpose limitation

Data must be collected for specific, explicit, legitimate purposes and not further processed in ways incompatible with those original purposes.

Data minimisation

Only process personal data that is adequate, relevant and limited to what is necessary for the stated purposes.

Storage limitation

Keep personal data in identifiable form no longer than necessary for the purposes for which it is processed.

Accountability

The controller is responsible for and must be able to demonstrate compliance with the GDPR principles (e.g. via records, DPIAs, policies).

Legal bases (Article 6)

The six legal bases are: consent, contract, legal obligation, vital interests, public task, and legitimate interests.


Data Subject Rights: Access, Erasure and Beyond

Article 12 – Core procedural rules

Sets style (concise, transparent, plain language), 1‑month deadline (plus possible 2‑month extension), free of charge principle, conditions for fees/refusal, and identity verification rules.

Article 13 vs Article 14

Article 13: information when data is collected directly from the person, given at collection. Article 14: when data comes from other sources, info given within 1 month or at first contact/disclosure, with extra details on source and categories.

Right of access (Article 15)

Lets individuals know if their data is processed, obtain a copy, and receive detailed information on purposes, recipients, retention, source, and automated processing.

Right to rectification (Article 16)

Allows individuals to correct inaccurate data and complete incomplete data without undue delay. Often used for wrong addresses, misspellings, or outdated factual information.

Right to erasure (Article 17)

Requires deletion when conditions apply (e.g., no longer necessary, consent withdrawn, unlawful processing), but includes exceptions for legal obligations, public interest, research, expression, and legal claims.

Restriction of processing (Article 18)

Temporarily limits how data is used, e.g., while accuracy is checked, instead of erasing it. Data can then only be used for narrow purposes like legal claims or with consent.


Controller and Processor Obligations: Accountability in Practice

Controller

The natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data (Art. 4(7)).

Processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Art. 4(8)).

Accountability

The GDPR principle that controllers are responsible for compliance with the data protection principles and must be able to demonstrate that compliance (Art. 5(2), 24).

RoPA (Records of Processing Activities)

Documentation required under Art. 30 describing processing operations, purposes, data categories, recipients, transfers, retention and security measures.

Data Protection by Design and by Default

Art. 25 duty to integrate data protection into the design of processing and to ensure, by default, that only data necessary for each purpose are processed.

DPIA (Data Protection Impact Assessment)

A structured assessment required when processing is likely to result in a high risk to individuals, used to identify and mitigate those risks (Art. 35).


Security, Breach Notification and Sectoral Overlays

Personal data breach (GDPR Article 4(12))

A security breach leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Three types of breach

Confidentiality (unauthorised access/disclosure), integrity (unauthorised alteration), availability (loss or destruction).

72-hour rule

Controllers must notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. A notification made after 72 hours must be accompanied by reasons for the delay.

High risk vs risk

Risk to rights and freedoms triggers authority notification. High risk triggers communication to data subjects, unless a GDPR exception applies.

Article 32 GDPR

Requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

NIS 2 Directive (EU) 2022/2555

Updated EU cybersecurity law for essential and important entities, replacing the original NIS Directive. Focuses on network and information systems and incident reporting.

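The three flashcards on breach types, the 72‑hour rule and the risk/high‑risk split describe a single decision procedure that incident responders run under time pressure. The Python below is an added example (not from the course) that encodes that procedure: it classifies a breach as confidentiality, integrity and/or availability, computes the Article 33 deadline from the moment of awareness, flags when a late notification must carry reasons for the delay, and separates "notify the authority" from "communicate to data subjects" (Article 34). The scenario, field names and the `demo_plan` helper are constructed for the example; the Article 34(3) exceptions are noted but not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional

SA_DEADLINE = timedelta(hours=72)  # Art. 33(1): "where feasible, not later than 72 hours"


class Risk(Enum):
    UNLIKELY = "unlikely to result in a risk"
    RISK = "risk to rights and freedoms"
    HIGH = "high risk to rights and freedoms"


@dataclass(frozen=True)
class Breach:
    aware_at: datetime            # when the controller became aware (timezone-aware)
    unauthorised_access: bool     # data read or disclosed by someone not entitled to it
    altered: bool                 # data changed without authorisation
    lost_or_destroyed: bool       # data unavailable, lost or destroyed
    risk: Risk                    # outcome of the controller's risk assessment


@dataclass(frozen=True)
class NotificationPlan:
    breach_types: List[str]
    document_internally: bool     # Art. 33(5): every breach is documented, notified or not
    notify_sa: bool               # Art. 33 notification to the supervisory authority
    sa_deadline: Optional[datetime]
    late_reasons_required: bool   # Art. 33(1): notification after 72h must give reasons
    notify_data_subjects: bool    # Art. 34, subject to the Art. 34(3) exceptions (not modelled)


def breach_types(b: Breach) -> List[str]:
    """A single incident can be several types at once; report all that apply."""
    types = []
    if b.unauthorised_access:
        types.append("confidentiality")
    if b.altered:
        types.append("integrity")
    if b.lost_or_destroyed:
        types.append("availability")
    return types


def plan_notification(b: Breach, now: datetime) -> NotificationPlan:
    """Derive the notification obligations from the facts and the current time."""
    if b.aware_at.tzinfo is None or now.tzinfo is None:
        raise ValueError("use timezone-aware datetimes; a naive clock makes the 72h deadline ambiguous")
    notify_sa = b.risk is not Risk.UNLIKELY
    deadline = b.aware_at + SA_DEADLINE if notify_sa else None
    return NotificationPlan(
        breach_types=breach_types(b),
        document_internally=True,
        notify_sa=notify_sa,
        sa_deadline=deadline,
        late_reasons_required=notify_sa and now > deadline,
        notify_data_subjects=b.risk is Risk.HIGH,
    )


# Constructed scenario: credential stuffing against a customer portal; accounts were read,
# nothing was altered or deleted. Awareness is the moment the SOC confirmed unauthorised access.
SAMPLE = Breach(
    aware_at=datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc),
    unauthorised_access=True, altered=False, lost_or_destroyed=False,
    risk=Risk.RISK,
)


def demo_plan(risk: Risk, hours_since_awareness: float) -> NotificationPlan:
    """Run the sample scenario with a chosen risk level, some hours after awareness."""
    b = Breach(SAMPLE.aware_at, SAMPLE.unauthorised_access, SAMPLE.altered,
               SAMPLE.lost_or_destroyed, risk)
    return plan_notification(b, SAMPLE.aware_at + timedelta(hours=hours_since_awareness))


if __name__ == "__main__":
    for risk, hours in ((Risk.UNLIKELY, 5), (Risk.RISK, 27), (Risk.RISK, 100), (Risk.HIGH, 10)):
        print(risk.name, hours, "h:", demo_plan(risk, hours))
```

Two details matter in practice and on the exam: the clock starts at awareness, not at the start of the attack, and a breach that is unlikely to result in a risk still has to be documented even though nobody is notified.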

International Data Transfers: Tools, Schrems II and the EU–U.S. Landscape

International transfer (GDPR, Chapter V)

A disclosure or making available of personal data by a GDPR‑subject controller/processor to another controller/processor in a third country or international organisation that is not subject to the GDPR for that processing.

Adequacy decision (Article 45)

A decision by the European Commission that a third country, territory, sector, or international organisation ensures an essentially equivalent level of data protection, allowing transfers without additional transfer tools.

Standard Contractual Clauses (SCCs)

Pre‑approved contractual clauses adopted by the Commission that, when used correctly and combined with a TIA and any needed supplementary measures, provide safeguards for international transfers under Article 46.

Binding Corporate Rules (BCRs)

Internal rules for a group of undertakings or enterprises, approved by supervisory authorities, that allow intra‑group transfers of personal data to third countries under Article 47.

Transfer Impact Assessment (TIA)

A structured assessment, required post‑Schrems II, where the exporter evaluates whether third‑country laws and practices undermine the protections in SCCs/BCRs and whether supplementary measures are needed.

Article 49 derogations

Narrow exceptions (e.g. explicit consent, necessity for contract, public interest, legal claims) that allow transfers in specific situations when no adequacy decision or Article 46 safeguard is available.


Enforcement, Remedies and Liability: How GDPR Bites

Three main buckets of SA powers

1) Monitoring/advisory tasks, 2) Investigative powers (information, audits, access), 3) Corrective powers (warnings, orders, bans, fines).

Lower vs higher fine tier (Article 83)

Lower tier: up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for organisational and procedural infringements (e.g. security, records, DPIAs, processor duties). Higher tier: up to EUR 20 million or 4% of turnover, whichever is higher, for the core principles, legal bases, data subject rights, and international transfers.

Article 77

Right of data subjects to lodge a complaint with a supervisory authority where they live, work, or where the infringement occurred.

Articles 78 and 79

78: Judicial remedy against decisions or inaction of SAs. 79: Judicial remedy against controllers or processors.

Article 82 – core idea

Right to compensation for material or non‑material damage caused by GDPR infringements; controllers and processors can be jointly and severally liable.

Joint and several liability

Any responsible controller or processor can be required to pay full compensation; they can later seek recourse from others based on fault.


Related EU Instruments: ePrivacy, NIS/NIS 2 and the EU AI Act

ePrivacy Directive: main focus

Protects confidentiality of electronic communications and regulates access to/storing information on terminal equipment (e.g., cookies), plus rules on traffic data, location data, directories and unsolicited communications.

Cookies: when is consent required?

Consent is required before storing/accessing information on a device unless the cookie is strictly necessary for a service requested by the user. Analytics and marketing cookies typically require prior, informed, freely given consent.

Soft opt-in for email marketing

Under many national ePrivacy laws, a business may email existing customers about similar products without prior opt-in if the email was collected during a sale, customers were informed and given a clear, easy opt-out at collection and in each email.

NIS 2: who is covered?

Essential and important entities in specified sectors (e.g., energy, transport, health, banking, digital infrastructure, some manufacturing and digital services), typically medium and large organisations.

NIS 2 vs GDPR breaches

NIS 2 focuses on cybersecurity incidents affecting network and information systems; GDPR focuses on personal data breaches risking individuals' rights. A single cyberattack can trigger both sets of notification duties.

EU AI Act: risk tiers

Unacceptable risk (banned practices), high-risk AI (strict requirements), limited-risk (transparency duties), and minimal risk (no specific AI Act obligations beyond existing law).


Applied Scenarios and Case Studies: From Theory to Fact Patterns

Controller vs Processor: quick test

Ask: Who decides **why** and **how** personal data is processed? That entity is the controller. A processor acts **on behalf of** the controller and follows its documented instructions.

Special category data extra step

For health, biometric, or other special categories, you always need: (1) an Art. 6 legal basis, and (2) an Art. 9 condition (e.g., explicit consent, employment law obligation, vital interests, public interest in public health).

Access right is not absolute

Art. 15 grants access, but Art. 15(4) and Art. 23 allow restrictions to protect others' rights and important objectives (e.g., investigations). Often the correct approach is **partial access with justified redactions**.

International transfer definition

A transfer occurs when personal data is sent or made accessible from the EEA to a third country or international organisation. Remote access from a third country (e.g., support staff) can also be a transfer.

Common transfer tools (mid-2026)

Key tools: (1) Adequacy decisions (e.g., UK, EU-US DPF for certified US entities), (2) 2021 SCCs + TIA + supplementary measures, (3) Binding Corporate Rules, (4) narrow derogations in Art. 49.

Exam pattern: outdated mechanisms

CIPP/E questions may include distractors like "EU-US Privacy Shield" or pre-2021 SCCs. These are outdated. Look for references to **2021 SCCs** or **EU-US Data Privacy Framework** instead.


CIPP/E Exam Techniques, Practice Questions and Final Review

Controller

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data (Article 4(7) GDPR).

Processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) GDPR) and does not decide the purposes.

Territorial Scope – Article 3(1)

GDPR applies to processing in the context of the activities of an establishment of a controller or processor in the EU, regardless of where the data subjects are located.

Territorial Scope – Article 3(2)

GDPR also applies to non-EU controllers/processors that offer goods or services to, or monitor the behaviour of, data subjects in the EU.

Data Protection Principles (Article 5)

Lawfulness, fairness, transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; accountability.

DPIA Trigger

Required when processing is likely to result in a high risk to the rights and freedoms of natural persons, e.g., systematic monitoring, large-scale special category data, or innovative technologies.
