CIPPE FSG November - 2018 - v1

The document provides an overview of the Certified Information Privacy Professional/Europe (CIPP/E) certification program. It discusses the program structure, key areas of knowledge covered in the CIPP/E exam, and recommendations for preparing for the exam. The CIPP/E certification focuses on European data protection laws and regulations, privacy principles, and practical privacy concepts. Key topics covered include European data protection legislation, concepts, and practices related to employment, marketing, and outsourcing.

Certified Information Privacy Professional/Europe (CIPP/E)
Effective March 2023

© International Association of Privacy Professionals 2023, All Rights Reserved

WELCOME
Congratulations on taking the first step toward achieving an IAPP privacy certification. This study guide
contains the basic information you need to get started:

• An explanation of the IAPP certification programme structure
• Key areas of knowledge for the CIPP/E programme
• Recommended steps to help you prepare for your exam
• A detailed body of knowledge for the CIPP/E programme
• An exam blueprint
• Example questions
• General exam information

© International Association of Privacy Professionals 2020, All Rights Reserved CIPP/E Study Guide 2
The IAPP Certification Programme Structure

The IAPP currently offers three certification programmes: the Certified Information Privacy Professional
(CIPP), the Certified Information Privacy Manager (CIPM) and the Certified Information Privacy
Technologist (CIPT).

CIPP certification demonstrates a mastery of data privacy laws and regulations and how to apply them:
jurisdictional laws, regulations and enforcement models, plus legal requirements for handling and
transferring data. Within the CIPP, there are four concentrations:

• Asian privacy (CIPP/A)
• Canadian privacy (CIPP/C)
• European privacy (CIPP/E)
• U.S. private-sector privacy (CIPP/US)

CIPM certification demonstrates understanding of implementing privacy regulatory requirements in
day-to-day operations. It confirms the ability to create a company vision, structure a data protection
team, develop and implement system frameworks, communicate to stakeholders and measure
performance.

CIPT certification demonstrates a deep understanding of privacy’s role in technology, including building
privacy-friendly products, services and systems; deploying emerging technologies while respecting
consumer privacy; establishing privacy practices for data security and control.

There are no concentrations within the CIPM or CIPT—they cross all jurisdictions and industries.

Requirements for IAPP Certification

1. You must pay a certification maintenance fee of USD250 for two years

OR

2. You can become a member of the IAPP—with access to numerous benefits like discounts,
networking opportunities, members-only resources and more—for just USD295 annually, which
includes your maintenance fee.

More information about IAPP membership, including levels, benefits and rates, is available on the IAPP
website at iapp.org/join.

CIPP/E Key Areas of Knowledge

The Certified Information Privacy Professional/Europe (CIPP/E) programme is the first professional
credential specific to European data protection professionals that is part of a comprehensive
principles-based framework and knowledge base in information privacy. The CIPP/E encompasses
pan-European and national data protection laws, the European model for privacy enforcement, key
privacy terminology, and practical concepts concerning the protection of personal data and trans-border
data flows.

Key areas of knowledge include:

• The content of European data protection law: origins, institutions and legislative framework

• Data protection concepts, principles and application, processing criteria, obligations, data
subject rights, confidentiality and security, notification requirements, international data transfers,
and supervision and enforcement

• European data protection practices related to employment, surveillance, direct marketing and
outsourcing

• Internet technology and communications, including cloud computing, search engines
and social networking

Preparation
Privacy certification is an important effort that requires advance preparation. Deciding how you will
prepare for your exams is a personal choice that should include an assessment of your professional
background, scope of data protection knowledge and your preferred method of learning.

In general, the IAPP recommends that you plan for a minimum of 30 hours of study time in advance of
your exam date; however, you might need more or fewer hours depending on your personal choices
and professional experience.

The IAPP recommends you prepare in the following manner:

1. Review the Body of Knowledge

The body of knowledge for the CIPP/E programme is a comprehensive outline of the subject matter
areas covered by the CIPP/E exam. Review it carefully to help determine which areas merit additional
focus in your preparation. See pages 6–8.

2. Review the Exam Blueprint

The CIPP/E exam blueprint on page 9 specifies the number of items from each area of the body
of knowledge that will appear on the exam. Studying the blueprint can help you further target your
primary study needs.

3. Study the CIPP/E Textbook

European Data Protection: Law and Practice is the authoritative reference for the CIPP/E programme.
The IAPP strongly recommends you take the time to carefully read and study it. Print and digital
versions of the textbook are available through the IAPP store.

4. Get Certification Training

The IAPP offers in-person training classes, live online and online training to help you prepare for your
exams. You can find a list of scheduled classes and/or purchase online training in the IAPP store.

5. Take the CIPP/E Practice Exam

IAPP Practice Exams provide insight into how you might perform on your certification exam. Practice
exams consist of 90 questions in the same format as official certification exams. The questions are
developed by IAPP-selected experts to match the depth and rigour of the actual exam.

6. Review Other IAPP Preparation Resources

Additional resources are available on the IAPP website, including a searchable glossary of terms.

CIPP/E Common Body of Knowledge Outline

I. Introduction to European Data Protection

A. Origins and Historical Context of Data Protection Law
1. Rationale for data protection
2. Human rights laws
3. Early laws and regulations
a. OECD Guidelines and the Council of Europe
b. Convention 108
4. The need for a harmonized European approach
5. The Treaty of Lisbon
6. A modernized framework
B. European Union Institutions
1. European Court of Human Rights
2. European Parliament
3. European Commission
4. European Council
5. Court of Justice of the European Union
C. Legislative Framework
1. The Council of Europe Convention for the Protection of Individuals with Regard to the
Automatic Processing of Personal Data of 1981 (The CoE Convention)
2. The EU Data Protection Directive (95/46/EC)
3. The EU Directive on Privacy and Electronic Communications (2002/58/EC) (ePrivacy
Directive)– as amended
4. The EU Directive on Electronic Commerce (2000/31/EC)
5. European data retention regimes
6. The General Data Protection Regulation (GDPR) (EU) 2016/679 and related legislation

II. European Data Protection Law and Regulation

A. Data Protection Concepts
1. Personal data
2. Sensitive personal data
3. Pseudonymous and anonymous data
4. Processing
5. Controller
6. Processor
a. Guidelines 07/2020 on the concepts of controller and processor in the GDPR
7. Data subject
B. Territorial and Material Scope of the General Data Protection Regulation
1. Establishment in the EU
2. Non-establishment in the EU
a. Guidelines 3/2018 on the territorial scope of the GDPR
C. Data Processing Principles
1. Fairness and lawfulness
2. Purpose limitation
3. Proportionality
4. Accuracy
5. Storage limitation (retention)

6. Integrity and confidentiality
D. Lawful Processing Criteria
1. Consent
2. Contractual necessity
3. Legal obligation, vital interests and public interest
4. Legitimate interests
5. Special categories of processing
E. Information Provision Obligations
1. Transparency principle
2. Privacy notices
3. Layered notices
F. Data Subjects’ Rights
1. Access
2. Rectification
3. Erasure and the right to be forgotten (RTBF)
a. Guidelines 5/2019 on the criteria of the right to be forgotten in the search engines
cases under the GDPR
4. Restriction and objection
5. Consent, including right of withdrawal
6. Automated decision making, including profiling
7. Data portability
8. Restrictions
a. Guidelines 10/2020 on restrictions under the Article 23 GDPR
G. Security of Personal Data
1. Appropriate technical and organizational measures
a. Protection mechanisms (encryption, access controls, etc.)
2. Breach notification
a. Risk reporting requirements
3. Vendor Management
4. Data sharing
H. Accountability Requirements
1. Responsibility of controllers and processors
a. Joint controllers
2. Data protection by design and by default
3. Documentation and cooperation with regulators
4. Data protection impact assessment (DPIA)
a. Established criteria for conducting
5. Mandatory data protection officers
6. Auditing of privacy programs
I. International Data Transfers
1. Rationale for prohibition
a. Guidelines 05/2021 on the Interplay between the application of Article 3 and the
provisions on international transfers as per Chapter V of the GDPR
2. Adequate jurisdictions
3. Safe Harbor and Privacy Shield
4. Standard Contractual Clauses
5. Binding Corporate Rules (BCRs)
6. Codes of Conduct and Certifications
a. Guidelines 04/2021 on codes of conduct as tools for transfers
7. Derogations
a. Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679

8. Transfer impact assessments (TIAs)
a. Recommendations 01/2020 on measures that supplement transfer tools to ensure
compliance with the EU level of protection of personal data
J. Supervision and Enforcement
1. Supervisory authorities and their powers
2. The European Data Protection Board
3. Role of the European Data Protection Supervisor (EDPS)
K. Consequences for GDPR violations
1. Process and procedures
2. Infringements and fines
3. Class actions
4. Data subject compensation

III. Compliance with European Data Protection Law and Regulation

A. Employment Relationship
1. Legal basis for processing of employee data
2. Storage of personnel records
3. Workplace monitoring and data loss prevention
4. EU Works councils
5. Whistleblowing systems
6. ‘Bring your own device’ (BYOD) programs
B. Surveillance Activities
1. Surveillance by public authorities
2. Interception of communications
3. Closed-circuit television (CCTV)
a. Guidelines 3/2019 on processing of personal data through video devices
4. Geolocation
5. Biometrics / facial recognition
C. Direct Marketing
1. Telemarketing
2. Direct marketing
3. Online behavioural targeting
a. Guidelines 8/2020 on the targeting of social media users
D. Internet Technology and Communications
1. Cloud computing
2. Web cookies
3. Search engine marketing (SEM)
4. Social networking services
5. Artificial Intelligence (AI)
a. Machine learning
b. Ethical issues

CIPP/E Exam Format
The CIPP/E is a 2.5-hour exam made up of 90 multiple-choice items (questions). Some of the
multiple-choice items are associated with scenarios. There are no essay questions. Each correct answer is
worth one point.

Exam Blueprint

The exam blueprint indicates the minimum and maximum number of items included on the CIPP/E
exam from the major areas of the body of knowledge. Questions may be asked from any of the topics
listed under each area. You can use this blueprint to guide your preparation.

Item counts per area are given as minimum and maximum.

I. Introduction to European Data Protection: min 4, max 10

A. Origins and Historical Context of Data Protection Law: min 0, max 1
Rationale for data protection, human rights laws, early laws and regulations, the need for a
harmonised European approach, the Treaty of Lisbon; a modernized framework

B. European Union Institutions: min 1, max 2
Council of Europe, European Court of Human Rights, European Parliament, European Commission,
European Council, Court of Justice of the European Union

C. Legislative Framework: min 3, max 7
The Council of Europe Convention for the Protection of Individuals with Regard to the Automatic
Processing of Personal Data of 1981 (the CoE Convention), the EU Data Protection Directive (95/46/EC),
the EU Directive on Privacy and Electronic Communications (2002/58/EC) (ePrivacy Directive) - as
amended, the EU Directive on Electronic Commerce (2000/31/EC), European data retention regimes,
the General Data Protection Regulation (GDPR) (EU) 2016/679 and related legislation

II. European Data Protection Law and Regulation: min 42, max 69

A. Data Protection Concepts: min 3, max 6
Personal data, sensitive personal data, pseudonymous and anonymous data, processing, controller,
processor, data subject

B. Territorial and Material Scope of the GDPR: min 2, max 4
Establishment in the EU, non-establishment in the EU

C. Data Processing Principles: min 4, max 5
Fairness and lawfulness, purpose limitation, proportionality, accuracy, storage limitation (retention),
integrity and confidentiality

D. Lawful Processing Criteria: min 3, max 5
Consent, contractual necessity, legal obligation, vital interests and public interest, legitimate
interests, special categories of processing

E. Information Provision Obligations: min 5, max 8
Transparency principle, privacy notices, layered notices

F. Data Subjects’ Rights: min 8, max 11
Access, rectification, erasure and the right to be forgotten, restriction and objection, consent (and
withdrawal of), automated decision making, including profiling, data portability, restrictions

G. Security of Personal Data: min 5, max 9
Appropriate technical and organisational measures, breach notification, vendor management,
data sharing

H. Accountability Requirements: min 4, max 7
Responsibility of controllers and processors, data protection by design and by default,
documentation and cooperation with regulators, data protection impact assessments (DPIAs),
mandatory data protection officers, auditing of privacy programs

I. International Data Transfers: min 4, max 6
Rationale for prohibition, adequate jurisdictions, Safe Harbor and Privacy Shield, Standard
Contractual Clauses, Binding Corporate Rules (BCRs), codes of conduct and certifications,
derogations, transfer impact assessments (TIAs)

J. Supervision and Enforcement: min 2, max 4
Supervisory authorities and their powers, the European Data Protection Board, role of the European
Data Protection Supervisor (EDPS)

K. Consequences for GDPR Violations: min 2, max 4
Process and procedures, infringement and fines, data subject compensation

III. Compliance with European Data Protection Law and Regulation: min 9, max 18

A. Employment Relationships: min 3, max 5
Legal basis for processing of employee data, storage of personnel records, workplace monitoring
and data loss prevention, EU Works councils, whistleblowing systems, ‘Bring your own device’ (BYOD)
programs

B. Surveillance Activities: min 1, max 4
Surveillance by public authorities, interception of communications, closed-circuit television (CCTV),
geolocation, biometrics/facial recognition

C. Direct Marketing: min 3, max 5
Telemarketing, direct marketing, online behavioural targeting

D. Internet Technologies and Communications: min 2, max 4
Cloud computing, web cookies, search engine marketing (SEM), social networking services,
Artificial Intelligence (AI)

Example Questions
1. According to the Treaty of Lisbon, the majority of EU legislation cannot be adopted without the
approval of which two European Institutions?
A. European Council and European Parliament.
B. European Commission and European Parliament.
C. European Parliament and Council of the European Union.
D. European Commission and the Court of Justice of the European Union.

2. When would a data subject have the right to require the erasure of his or her data without
undue delay?
A. When erasure is in the public interest.
B. When the controller is a public authority.
C. When the processing is carried out by automated means.
D. When the data is no longer necessary for its original purpose.

3. In which case should a data subject’s consent be regarded as freely given under the GDPR?
A. If the data subject is able to withdraw consent without detriment.
B. If the data subject is informed that opting out requires an affirmative action.
C. If the data subject has been given a sufficient deadline for providing consent.
D. If the data subject has been offered a consent agreement tailored to his situation.

General Exam Information
The IAPP offers testing via computer-based delivery at over 6,000 testing centers worldwide, or you can
take your certification exam from home with online proctoring.

You can find detailed information about how to register for exams, as well as exam-day instructions in
the IAPP Certification Information Candidate Handbook, on our website at iapp.org/certify.

Questions?
The IAPP recognizes that privacy certification is an important professional development effort requiring
commitment and preparation. We thank you for choosing to pursue certification, and we welcome your
questions and comments regarding our certification program.

Please don’t hesitate to contact us.

Example Questions: Answers
1. According to the Treaty of Lisbon, the majority of EU legislation cannot be adopted without the
approval of which two European Institutions?
A. European Council and European Parliament.
B. European Commission and European Parliament.
C. European Parliament and Council of the European Union.
D. European Commission and the Court of Justice of the European Union.

2. When would a data subject have the right to require the erasure of his or her data without
undue delay?
A. When erasure is in the public interest.
B. When the controller is a public authority.
C. When the processing is carried out by automated means.
D. When the data is no longer necessary for its original purpose.

3. In which case should a data subject’s consent be regarded as freely given under the GDPR?
A. If the data subject is able to withdraw consent without detriment.
B. If the data subject is informed that opting out requires an affirmative action.
C. If the data subject has been given a sufficient deadline for providing consent.
D. If the data subject has been offered a consent agreement tailored to his situation.
