Chapter 13 of 13
CIPP/E Exam Techniques, Practice Questions and Final Review
Bring everything together in a final tune-up that focuses on timing, question-dissection techniques, high-yield topics and a structured last-week revision plan so you walk into the test centre calm and prepared.
Step 1 – Know the CIPP/E Exam Mechanics and Timing
Current CIPP/E Exam Format
As of 2026, CIPP/E is computer-based, 90 multiple-choice questions in 150 minutes (2.5 hours). Aim well above the typical pass threshold of around 75%.
Baseline Pacing Plan
90 questions / 150 minutes ≈ 1 minute 40 seconds each. Aim to finish a first full pass in 90–100 minutes, leaving 50–60 minutes for review.
First Pass Strategy
Spend up to 60–75 seconds on straightforward items. If stuck after ~75 seconds, make your best guess, flag the question, and move on to protect your time.
Second Pass Strategy
Use remaining time to revisit flagged questions, starting with the trickiest or most GDPR-heavy. This ensures you do not sacrifice easy points at the end.
Step 2 – A 4-Step Method to Dissect Any Question
Start With the Question Stem
Read the last line first to see what is being asked: role, legal basis, obligation, scope, or best next step. This focuses your reading of the scenario.
Identify Context and Actors
On a quick read, note who is involved, where they are located, what data is processed, and what activity is happening (e.g., marketing, HR, AI profiling).
Find the Core Legal Issue
Translate the story into a legal question: scope, legal basis, controller obligation, DPIA/DPO requirement, or cross-border transfer rules.
Eliminate, Then Choose
First eliminate options that contradict clear GDPR rules or confuse roles. Then pick the most complete and proportionate remaining answer.
Step 3 – Worked Example: Dissecting a Tricky Scenario
Scenario Overview
A German fitness app tracks heart rate and GPS. A Canadian tourist downloads it in Berlin and keeps using it in Canada. Data are stored by a US cloud provider. Does GDPR apply to this user?
Identify the Legal Issue
The question is about GDPR territorial scope (Article 3). Focus on the controller’s establishment and whether services are offered to data subjects in the EU.
Evaluate the Options
A: wrong (nationality is irrelevant). B: misleading (storage location is not decisive). D: wrong (no time limit based on presence). C: best fit, as services are offered in the EU.
Key Lesson
When no option is perfect, pick the one that best reflects the GDPR’s structure and logic. Do not overthink wording if the legal core is correct.
Step 4 – High-Yield GDPR Articles and Themes (Based on Current Blueprint)
Core Scope and Concepts
Prioritise Articles 2–4: scope, personal data, special categories, processing, controller, processor, joint controllers, and recipients.
Principles and Legal Bases
Focus on Article 5 principles and Articles 6–9 on legal bases, consent, and special categories. These underpin many scenario questions.
Rights and Obligations
Review Articles 12–23 on data subject rights and Articles 24–39 on accountability, processors, security, breaches, DPIAs, and DPOs.
Transfers and Enforcement
Know Chapter V (Articles 44–50) on international transfers and Articles 51–84 on DPAs, EDPB, one-stop-shop, remedies, and fines.
Related EU Instruments
Be aware of ePrivacy (cookies, marketing), NIS/NIS 2 (cybersecurity), and the EU AI Act (risk-based AI rules and links to data protection).
Step 5 – Quick Check: High-Yield Focus
Test your ability to prioritise topics for last-week study.
You have limited time in your final week. Which area is LEAST likely to be a high-yield focus compared with the others, based on the current CIPP/E Blueprint?
- A) Detailed national implementation differences of GDPR in a single Member State
- B) GDPR data subject rights (Articles 12–23)
- C) International data transfers and safeguards (Chapter V)
- D) Controller and processor obligations, including DPIAs and DPOs
Answer: A) Detailed national implementation differences of GDPR in a single Member State
The CIPP/E exam tests EU-level concepts and harmonised rules. Deep national implementation details for one Member State are low-yield. Rights, transfers, and controller/processor obligations are central, high-yield topics.
Step 6 – Common Pitfalls and How to Avoid Them
National Law vs EU Law
Do not base answers on deep national details unless the question explicitly asks. Use GDPR and EU-level rules as your default frame.
Scope Traps
Check material and territorial scope systematically. GDPR is not based on nationality but on establishment and targeting/monitoring of people in the EU.
Role Confusion
Identify who decides the purposes and essential means. That is the controller. Processors act on instructions and cannot repurpose data.
“Best” or “Most Appropriate”
When asked for the best response, pick the option that is proportionate, risk-based, and clearly aligned with GDPR principles and structure.
Related Instruments
For NIS 2 and the AI Act, focus on awareness: who they cover, their goals, and how they intersect with GDPR, not every article.
Step 7 – Design Your Last-Week Study Plan
Use this guided exercise to create a concrete plan for your final week before the exam. Adjust days if your exam is sooner or later.
Task 1 – Allocate your days
Imagine your exam is in 7 days. Sketch a simple plan:
- Day 7–6: Core GDPR text and high-yield articles
- Day 5–4: Practice questions and timed blocks
- Day 3–2: Mixed scenarios and weak spots
- Day 1: Light review and logistics
Write down your own 7-day outline in a notebook or notes app.
Task 2 – Set daily mini-goals
For each day, define two or three concrete goals, for example:
- “Review Articles 5–9 and summarise each in my own words.”
- “Do 40 timed questions in 60 minutes and analyse all mistakes.”
- “Review international transfers and draw a one-page diagram.”
Pause now and draft 2–3 goals for tomorrow.
Task 3 – Plan at least two timed question blocks
In the last week, schedule:
- One 45–60 minute block of 30–40 questions
- One 90-minute block of ~60 questions (simulate exam pacing)
Write down the exact day, time, and resource (question bank or practice exam) you will use.
Task 4 – Define your “quick reference” sheet
Create a one-page sheet (paper or digital) that you review on the last day with:
- List of high-yield articles and short keywords
- Steps for breach notification (who, when, what)
- Steps for DPIA and DPO designation triggers
- Territorial scope checklist
Start drafting this sheet now with at least five bullet points.
Step 8 – Flashcards: Roles, Scope, and Key Mechanisms
Flip through these cards to reinforce concepts that often appear in scenarios.
- Controller
- The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data (Article 4(7) GDPR).
- Processor
- A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) GDPR) and does not decide the purposes.
- Territorial Scope – Article 3(1)
- GDPR applies to processing in the context of the activities of an establishment of a controller or processor in the EU, regardless of where the data subjects are located.
- Territorial Scope – Article 3(2)
- GDPR also applies to non-EU controllers/processors that offer goods or services to, or monitor the behaviour of, data subjects in the EU.
- Data Protection Principles (Article 5)
- Lawfulness, fairness, transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; accountability.
- DPIA Trigger
- Required when processing is likely to result in a high risk to the rights and freedoms of natural persons, e.g., systematic monitoring, large-scale special category data, or innovative technologies.
- Data Breach Notification Timeline
- Controller must notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware, unless the breach is unlikely to result in a risk.
- EU AI Act – Exam-Relevant Angle
- Risk-based framework for AI systems (e.g., prohibited, high-risk, limited-risk). For CIPP/E, focus on its interaction with GDPR: lawful basis, transparency, data quality, and fundamental rights.
Step 9 – Build Your Exam-Day Strategy
Create a simple, repeatable plan for exam day so you can focus on thinking, not logistics.
Task 1 – Logistics checklist
Write down and confirm:
- Test centre or online exam? Exact address or login steps
- Required ID documents
- Arrival time (aim 30 minutes early for in-person)
- What you can/cannot bring (check current IAPP rules)
Task 2 – First 10 minutes rule
Decide how you will behave at the start:
- Quickly scan the first 5–10 questions to settle in
- If the first question looks hard, flag and move on; do not panic
Write a one-sentence rule for yourself, for example: “If I am stuck after 90 seconds, I guess, flag, and move on.”
Task 3 – Flagging and review strategy
Define how you will use flags:
- Flag if: you are between two options, you suspect a trick, or you ran out of time
- On review: start with questions where you have some idea, then tackle the ones where you guessed
Note down: “I will not un-flag a question unless I am 80% confident in the change.”
Task 4 – Mindset and stress management
Prepare a 3-step mini-routine for when you feel stressed:
- Step 1: Look away from the screen and breathe slowly for 20 seconds
- Step 2: Remind yourself: “I only need to choose the best of four options, not write the law.”
- Step 3: Apply the 4-step question method and move on
Write your own short affirmation or reminder that you can silently repeat during the exam.
Step 10 – Final Practice Question: Putting It All Together
Apply timing, issue-spotting, and elimination in one more scenario.
A French online retailer uses a cloud-based AI recommendation engine hosted by a processor in another EU country. The AI system profiles customers to suggest products and adjust prices dynamically based on browsing history and purchase patterns. The retailer wants to know its MAIN immediate obligation under the GDPR before rolling out this system to all EU customers. What is the BEST answer?
- A) Obtain explicit consent from all customers because profiling always requires explicit consent under the GDPR
- B) Conduct a Data Protection Impact Assessment (DPIA) to assess risks and identify safeguards before full deployment
- C) Appoint a Data Protection Officer (DPO) because all organisations using AI must have one under the EU AI Act
- D) Transfer all data to servers located in the same Member State to avoid cross-border transfer rules
Answer: B) Conduct a Data Protection Impact Assessment (DPIA) to assess risks and identify safeguards before full deployment
Dynamic pricing and profiling that significantly affect individuals are likely high-risk activities and may trigger a DPIA requirement under the GDPR. Explicit consent is not always required for profiling; it depends on context and legal basis. The AI Act does not automatically require every organisation using AI to appoint a DPO. Data processed within the EU internal market is not an international transfer issue simply because it crosses Member State borders.
Key Terms
- DPO
- Data Protection Officer, a role required in certain circumstances to advise on and monitor GDPR compliance.
- DPIA
- Data Protection Impact Assessment, a process to assess and mitigate high risks to individuals’ rights and freedoms arising from data processing.
- EDPB
- European Data Protection Board, the EU body that ensures consistent application of the GDPR.
- GDPR
- General Data Protection Regulation (Regulation (EU) 2016/679), the main EU data protection law, applicable since May 2018.
- IAPP
- International Association of Privacy Professionals, the organisation that administers the CIPP/E exam.
- NIS 2
- Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, updating the original NIS Directive.
- CIPP/E
- Certified Information Privacy Professional/Europe, an IAPP certification focused on European data protection law and practice.
- EU AI Act
- A comprehensive EU regulation adopted in 2024 that creates a risk-based framework for AI systems, with phased application starting after its entry into force.
- Territorial Scope
- Rules determining when the GDPR applies based on where processing activities and data subjects are located (Article 3 GDPR).
- International Data Transfers
- Transfers of personal data from the EU/EEA to third countries or international organisations, governed by Chapter V of the GDPR.