
Certified Information Privacy Professional/Europe (CIPP/E)

Study Guide

Effective February 2019


WELCOME
Congratulations on taking the first step toward achieving an IAPP privacy certification. This study guide
contains the basic information you need to get started:

• An explanation of the IAPP certification programme structure
• Key areas of knowledge for the CIPP/E programme
• Recommended steps to help you prepare for your exam
• A detailed body of knowledge for the CIPP/E programme
• An exam blueprint
• Example questions
• General exam information

CIPP/E Study Guide  2


The IAPP Certification Programme Structure

The IAPP currently offers three certification programmes: the Certified Information Privacy
Professional (CIPP), the Certified Information Privacy Manager (CIPM) and the Certified Information
Privacy Technologist (CIPT).

The CIPP is the “what” of privacy. Earning this designation demonstrates your mastery of a
principles-based framework in information privacy in a legal or practical specialisation. Within the CIPP,
there are four concentrations:
• Asian privacy (CIPP/A)
• Canadian privacy (CIPP/C)
• European privacy (CIPP/E)
• U.S. private-sector privacy (CIPP/US)

The CIPM is the “how” of privacy operations. Earning this designation shows you understand how to
manage a privacy programme across all stages of its lifecycle.

The CIPT is the “how” of technology. Earning this designation shows you understand how to manage
privacy in an organisation through process and technology.

There are no concentrations within the CIPM or CIPT; they cross all jurisdictions and industries.

Requirements for IAPP Certification

To hold an IAPP certification you must do one of the following:

1. Pay an annual certification maintenance fee of $125 USD, or

2. Become a member of the IAPP, with access to numerous benefits such as discounts,
networking opportunities and members-only resources, for $275 USD, which includes
your annual maintenance fee.

More information about IAPP membership, including levels, benefits and rates, is available on the IAPP
website at iapp.org/join.


CIPP/E Key Areas of Knowledge

The Certified Information Privacy Professional/Europe (CIPP/E) programme is the first professional
credential specific to European data protection professionals that is part of a comprehensive
principles-based framework and knowledge base in information privacy. The CIPP/E encompasses
pan-European and national data protection laws, the European model for privacy enforcement, key
privacy terminology, and practical concepts concerning the protection of personal data and trans-border
data flows.

Key areas of knowledge include:

• The content of European data protection law: origins, institutions and legislative framework

• Data protection concepts, principles and application, processing criteria, obligations, data
subject rights, confidentiality and security, notification requirements, international data transfers,
and supervision and enforcement

• European data protection practices related to employment, surveillance, direct marketing and
outsourcing

• Internet technology and communications, including cloud computing, search engines
and social networking

Preparation
Privacy certification is an important effort that requires advance preparation. Deciding how you will
prepare for your exams is a personal choice that should include an assessment of your professional
background, scope of data protection knowledge and your preferred method of learning.

In general, the IAPP recommends that you plan for a minimum of 30 hours of study time in advance of
your exam date; however, you might need more or fewer hours depending on your personal choices
and professional experience.

The IAPP recommends you prepare in the following manner:

1. Review the Body of Knowledge

The body of knowledge for the CIPP/E programme is a comprehensive outline of the subject matter
areas covered by the CIPP/E exam. Review it carefully to help determine which areas merit additional
focus in your preparation. See the Common Body of Knowledge Outline below.

2. Review the Exam Blueprint

The CIPP/E exam blueprint, below, specifies the number of items from each area of the body
of knowledge that will appear on the exam. Studying the blueprint can help you further target your
primary study needs.

3. Study the CIPP/E Textbook

European Data Protection: Law and Practice is the authoritative reference for the CIPP/E programme.
The IAPP strongly recommends that you take the time to carefully read and study the textbook. The
electronic version of the official CIPP/E textbook is included free with the purchase of CIPP/E
online or live online training. The print version is included free with the purchase of CIPP/E in-person
training classes.

4. Get Certification Training

The IAPP offers in-person, live online and online training to help you prepare for
your exams. You can find a list of scheduled classes and purchase online training in the IAPP store.

5. Take the CIPP/E Sample Questions

Sample questions are a great way to gain familiarity with the format and content of the actual
designation exams. They are available for purchase as a downloadable PDF file containing the questions,
an answer key and an explanation of each correct answer. Sample questions are included free with the
purchase of CIPP/E online, live online and in-person training classes.

6. Review Other IAPP Preparation Resources

Additional resources are available on the IAPP website, including a searchable glossary of terms.



CIPP/E Common Body of Knowledge Outline

I. Introduction to European Data Protection

A. Origins and Historical Context of Data Protection Law
1. Rationale for data protection
2. Human rights laws
3. Early laws and regulations
4. The need for a harmonised European approach
5. The Treaty of Lisbon
6. A modernised framework
B. European Union Institutions
1. Council of Europe
2. European Court of Human Rights
3. European Parliament
4. European Commission
5. European Council
6. European Court of Justice
C. Legislative Framework
1. The Council of Europe Convention for the Protection of Individuals with Regard to the
Automatic Processing of Personal Data of 1981 (The CoE Convention)
2. The EU Data Protection Directive (95/46/EC)
3. The EU Directive on Privacy and Electronic Communications (2002/58/EC) – as
amended
4. The EU Directive on Electronic Commerce (2000/31/EC)
5. European data retention regimes
6. The General Data Protection Regulation (GDPR) and related legislation

II. European Data Protection Law and Regulation

A. Data Protection Concepts
1. Personal data
2. Sensitive personal data
3. Pseudonymous and anonymous data
4. Processing
5. Controller
6. Processor
7. Data subject
B. Territorial and Material Scope of the General Data Protection Regulation
1. Establishment in the EU
2. Non-establishment in the EU
C. Data Protection Principles
1. Fairness and lawfulness
2. Purpose limitation
3. Proportionality
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality

D. Legitimate Processing Criteria
1. Consent
2. Contractual necessity
3. Legal obligation, vital interests and public interest
4. Legitimate interests
5. Special categories of processing
E. Information Provision Obligations
1. Transparency principle
2. Privacy notices
3. Layered notices
F. Data Subject Rights
1. Access
2. Rectification
3. Erasure and the right to be forgotten (RTFBF)
4. Restriction and objection
5. Automated decision making, including profiling
6. Data portability
7. Restrictions
G. Security of Personal Data
1. Appropriate technical and organisational measures
2. Breach notification
3. Vendor management
H. Accountability Requirements
1. Responsibility of controllers and processors
2. Data protection by design and by default
3. Documentation and cooperation with regulators
4. Data protection impact assessment
5. Mandatory data protection officers
I. International Data Transfers
1. Rationale for prohibition
2. Safe jurisdictions
3. Safe Harbor and Privacy Shield
4. Model contracts
5. Binding Corporate Rules (BCRs)
6. Codes of Conduct and Certifications
7. Derogations
J. Supervision and Enforcement
1. Supervisory authorities and their powers
2. The European Data Protection Board
3. Role of the European Data Protection Supervisor (EDPS)
K. Consequences for GDPR violations
1. Process and procedures
2. Infringements and fines
3. Data subject compensation

III. Compliance with European Data Protection Law and Regulation

A. Employment Relationship
1. Legal basis for processing of employee data
2. Storage of personnel records
3. Workplace monitoring and data loss prevention
4. EU works councils
5. Whistleblowing systems
6. ‘Bring your own device’ (BYOD) programmes
B. Surveillance Activities
1. Surveillance by public authorities
2. Interception of communications
3. Closed-circuit television (CCTV)
4. Geolocation
C. Direct Marketing
1. Telemarketing
2. Direct marketing
3. Online behavioural targeting
D. Internet Technology and Communications
1. Cloud computing
2. Web cookies
3. Search engine marketing (SEM)
4. Social networking services

CIPP/E Exam Format
The CIPP/E is a 2.5-hour exam comprising 90 multiple-choice items (questions). Some of the
multiple-choice items are associated with scenarios. There are no essay questions. Each correct answer is
worth one point.

Exam Blueprint

The exam blueprint indicates the minimum and maximum number of items included on the CIPP/E
exam from the major areas of the body of knowledge. Questions may be asked from any of the topics
listed under each area. You can use this blueprint to guide your preparation.

Each area is listed with the minimum and maximum number of exam items drawn from it.

I. Introduction to European Data Protection (min 4, max 10)

A. Origins and Historical Context of Data Protection Law (min 1, max 2)
Rationale for data protection, human rights laws, early laws and
regulations, the need for a harmonised European approach, the
Treaty of Lisbon, a modernised framework

B. European Union Institutions (min 1, max 3)
Council of Europe, European Court of Human Rights, European
Parliament, European Commission, European Council, European
Court of Justice

C. Legislative Framework (min 2, max 5)
The Council of Europe Convention for the Protection of
Individuals with Regard to the Automatic Processing of Personal
Data of 1981 (the CoE Convention), the EU Data Protection
Directive (95/46/EC), the EU Directive on Privacy and Electronic
Communications (2002/58/EC) as amended, the EU Directive on
Electronic Commerce (2000/31/EC), European data retention regimes,
the General Data Protection Regulation (GDPR) and related
legislation

II. European Data Protection Law and Regulation (min 40, max 66)

A. Data Protection Concepts (min 3, max 6)
Personal data, sensitive personal data, pseudonymous and anonymous
data, processing, controller, processor, data subject

B. Territorial and Material Scope of the GDPR (min 2, max 4)
Establishment in the EU, non-establishment in the EU

C. Data Protection Principles (min 3, max 4)
Fairness and lawfulness, purpose limitation, proportionality,
accuracy, storage limitation, integrity and confidentiality

D. Legitimate Processing Criteria (min 2, max 4)
Consent, contractual necessity, legal obligation, vital interests and
public interest, legitimate interests, special categories of processing

E. Information Provision Obligations (min 5, max 8)
Transparency principle, privacy notices, layered notices

F. Data Subject Rights (min 3, max 5)
Access, rectification, erasure and the right to be forgotten, restriction
and objection, automated decision making (including profiling), data
portability, restrictions

G. Security of Personal Data (min 8, max 12)
Appropriate technical and organisational measures, breach
notification, vendor management

H. Accountability Requirements (min 3, max 5)
Responsibility of controllers and processors, data protection by
design and by default, documentation and cooperation with
regulators, data protection impact assessments, mandatory data
protection officers

I. International Data Transfers (min 7, max 11)
Rationale for prohibition, safe jurisdictions, Safe Harbor and Privacy
Shield, model contracts, Binding Corporate Rules (BCRs), codes of
conduct and certifications, derogations

J. Supervision and Enforcement (min 2, max 4)
Supervisory authorities and their powers, the European Data
Protection Board, role of the European Data Protection Supervisor
(EDPS)

K. Consequences for GDPR Violations (min 2, max 3)
Process and procedures, infringements and fines, data subject
compensation

III. Compliance with European Data Protection Law and Regulation (min 12, max 25)

A. Employment Relationship (min 4, max 7)
Legal basis for processing of employee data, storage of personnel
records, workplace monitoring and data loss prevention, EU works
councils, whistleblowing systems, ‘Bring your own device’ (BYOD)
programmes

B. Surveillance Activities (min 1, max 4)
Surveillance by public authorities, interception of communications,
closed-circuit television (CCTV), geolocation

C. Direct Marketing (min 3, max 7)
Telemarketing, direct marketing, online behavioural targeting

D. Internet Technology and Communications (min 4, max 7)
Cloud computing, web cookies, search engine marketing (SEM),
social networking services


Example Questions
1. According to the Treaty of Lisbon, the majority of EU legislation cannot be adopted without the
approval of which two European Institutions?
A. European Council and European Parliament.
B. European Commission and European Parliament.
C. European Parliament and Council of the European Union.
D. European Commission and the Court of Justice of the European Union.

2. When would a data subject have the right to require the erasure of his or her data without
undue delay?
A. When erasure is in the public interest.
B. When the controller is a public authority.
C. When the processing is carried out by automated means.
D. When the data is no longer necessary for its original purpose.

General Exam Information
The IAPP offers testing via computer-based delivery at test centres worldwide. There are approximately
6,000 Pearson VUE testing centre locations around the world where IAPP certification exams are
administered.

The IAPP also offers testing at its major annual conferences. Event-based testing is in paper-and-pencil format.

You can find detailed information about how to register for exams, as well as exam-day instructions in
the IAPP Certification Information Candidate Handbook, on our website at iapp.org/certify.

Questions?
The IAPP recognises that privacy certification is an important professional development effort requiring
commitment and preparation. We thank you for choosing to pursue certification, and we welcome your
questions and comments regarding our certification programme.

Please don’t hesitate to contact us at certification@iapp.org or +1 603.427.9200.

Example Questions: Answers
1. According to the Treaty of Lisbon, the majority of EU legislation cannot be adopted without the
approval of which two European Institutions?
A. European Council and European Parliament.
B. European Commission and European Parliament.
C. European Parliament and Council of the European Union.
D. European Commission and the Court of Justice of the European Union.

Correct answer: C. Under the ordinary legislative procedure introduced by the Treaty of Lisbon, most EU
legislation is adopted jointly by the European Parliament and the Council of the European Union.

2. When would a data subject have the right to require the erasure of his or her data without
undue delay?
A. When erasure is in the public interest.
B. When the controller is a public authority.
C. When the processing is carried out by automated means.
D. When the data is no longer necessary for its original purpose.

Correct answer: D. Under GDPR Article 17, a data subject may obtain erasure without undue delay where the
personal data are no longer necessary in relation to the purposes for which they were collected.
