IAPP-CIPP-E Exam Information and Guideline
Certified Information Privacy Professional/Europe (CIPP/E)
Below is the complete list of exam topics, following the latest syllabus and course outline, to give you a clear understanding of the exam objectives and the topics you need to prepare. These topics are the ones covered in the exam's question and answer pool.
Exam Code: IAPP-CIPP-E
Exam Name: Certified Information Privacy Professional/Europe (CIPP/E)
Format: 90 multiple-choice questions (60 scored, 20 non-scored trial items).
Duration: 150 minutes (2.5 hours).
Passing Score: 300 out of 500 (approximately 65-80% correct answers).
Languages: Available in English, French, and German.
Domain I: Introduction to European Data Protection
- Origins and Historical Context of Data Protection Law:
  - Evolution of data protection in Europe.
  - Key milestones: European Convention on Human Rights (ECHR), Convention 108 (Council of Europe), OECD Privacy Guidelines.
  - Influence of national data protection laws pre-GDPR.
- Human Rights Laws:
  - Article 8 of the ECHR (right to privacy).
  - Charter of Fundamental Rights of the European Union (Articles 7 and 8).
  - Interaction between human rights and data protection.
- European Union Institutions:
  - Roles of the European Commission, Council of the European Union, European Parliament, and Court of Justice of the European Union (CJEU).
  - Influence of EU institutions on data protection policy.
- Legislative Framework:
  - Overview of the GDPR and its scope.
  - Pre-GDPR directives (e.g., Data Protection Directive 95/46/EC).
  - Other relevant frameworks: ePrivacy Directive (2002/58/EC), Law Enforcement Directive (2016/680).
Domain II: European Data Protection Law and Regulation
- Data Protection Concepts:
  - Personal data vs. non-personal data.
  - Sensitive personal data (special categories under GDPR Article 9).
  - Anonymization and pseudonymization.
  - Data processing principles (lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality).
- Territorial and Material Scope of the GDPR:
  - Application to EU and non-EU organizations (Article 3).
  - Extraterritorial reach (e.g., targeting EU data subjects).
  - Establishment and main establishment concepts.
- Data Processing Principles:
  - GDPR Article 5 principles.
  - Accountability and demonstrating compliance (Article 5(2)).
- Lawful Processing Criteria:
  - Legal bases for processing (Article 6): consent, contract, legal obligation, vital interests, public task, legitimate interests.
  - Conditions for consent (Article 7).
  - Special categories of data (Article 9).
- Information Provision Obligations:
  - Transparency requirements (Articles 12-14).
  - Privacy notices and policies.
  - Timing and format of information provision.
- Data Subjects’ Rights:
  - Right to access (Article 15).
  - Right to rectification (Article 16).
  - Right to erasure (“right to be forgotten,” Article 17).
  - Right to restriction of processing (Article 18).
  - Right to data portability (Article 20).
  - Right to object (Article 21).
  - Automated decision-making and profiling (Article 22).
- Security of Personal Data:
  - Technical and organizational measures (Article 32).
  - Risk-based approach to security.
  - Data breach notification requirements (Articles 33-34).
- Accountability Requirements:
  - Data Protection by Design and by Default (Article 25).
  - Data Protection Impact Assessments (DPIAs, Article 35).
  - Record of processing activities (Article 30).
  - Appointment of Data Protection Officers (DPOs, Articles 37-39).
Domain III: Compliance with European Data Protection Laws and Regulations
- International Data Transfers:
  - GDPR Chapter V (Articles 44-50).
  - Adequacy decisions (Article 45).
  - Standard Contractual Clauses (SCCs).
  - Binding Corporate Rules (BCRs).
  - Schrems I and Schrems II rulings and their impact on EU-U.S. data transfers.
  - Derogations (Article 49).
- Supervision and Enforcement:
  - Role of Data Protection Authorities (DPAs).
  - European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS).
  - One-stop-shop mechanism (Article 56).
  - Cooperation and consistency mechanisms (Articles 60-62).
  - Fines and penalties (Article 83).
- Consequences for GDPR Violations:
  - Administrative fines (up to €20 million or 4% of annual global turnover).
  - Corrective measures (Article 58).
  - Liability and compensation (Article 82).
- Employment Data:
  - Processing employee data under GDPR.
  - Workplace monitoring and consent.
  - National variations in employment data protection.
- Direct Marketing:
  - ePrivacy Directive and GDPR interplay.
  - Consent for electronic marketing.
  - Opt-in vs. opt-out rules.
- Internet Technology and Communications:
  - Cookies and tracking technologies (ePrivacy Directive).
  - Privacy by Design in technology.
  - AI and data ethics.
- Financial and Health Data:
  - Special considerations for financial data.
  - Processing health data (Article 9(2)).
  - National derogations for sensitive data.
- Personal Data: Any information relating to an identified or identifiable natural person (data subject).
- Data Subject: A natural person whose personal data is processed.
- Data Controller: The entity that determines the purposes and means of processing personal data.
- Data Processor: The entity that processes personal data on behalf of the controller.
- Processing: Any operation performed on personal data (e.g., collection, storage, use, deletion).
- GDPR: General Data Protection Regulation (EU) 2016/679, the primary EU data protection law.
- Consent: Freely given, specific, informed, and unambiguous agreement to data processing.
- Anonymization: Rendering personal data non-identifiable without the possibility of re-identification.
- Pseudonymization: Processing personal data so it can no longer be attributed to a data subject without additional information.
- Data Protection Officer (DPO): A designated individual responsible for overseeing GDPR compliance.
- Data Protection Authority (DPA): National or regional authority responsible for enforcing data protection laws.
- European Data Protection Board (EDPB): An EU body coordinating DPAs and issuing guidelines.
- Schrems II: A 2020 CJEU ruling invalidating the EU-U.S. Privacy Shield and emphasizing safeguards for international data transfers.
- Standard Contractual Clauses (SCCs): Pre-approved contractual terms for international data transfers.
- Binding Corporate Rules (BCRs): Internal policies for intra-group international data transfers.
- Data Protection Impact Assessment (DPIA): A process to identify and mitigate risks in high-risk data processing.
- Privacy by Design and by Default: Embedding data protection into systems and processes from the outset.
- ePrivacy Directive: EU Directive 2002/58/EC governing electronic communications and cookies.
- Adequacy Decision: An EU determination that a third country ensures an adequate level of data protection.
- One-Stop-Shop Mechanism: A GDPR process allowing organizations to deal primarily with one DPA for cross-border processing.