European Data Protection 3rd ed. · CIPP/E exam prep
CIPP/E - European Data Protection
Free, structured study notes built around active recall and spaced retrieval - 247 topics across the full CIPP/E body of knowledge. Read it free; unlock the 1248-question practice bank and the official 90-question practice exam when you're ready to test yourself.
Core Study Guide
Chapter 3 (12 topics)
- Background to European data protection law
- Council of Europe Convention 108
- Data Protection Directive 95/46/EC
- Reform of the EU framework and the road to the GDPR
- The General Data Protection Regulation (GDPR)
- Law Enforcement Directive (LED)
- Privacy and Electronic Communications (ePrivacy) Directive
- Reform of the ePrivacy Directive - ePrivacy Regulation
- NIS Directive and NIS 2
- Proposed EU Artificial Intelligence Regulation
- Data Retention Directive
- Impact on member states - implementation, enforcement, direct effect
Chapter 4 (11 topics)
- Introduction to Data Protection Concepts
- Personal Data and Its Four Building Blocks
- 'Relating to' - Content, Purpose and Result
- Identifiability, Anonymisation and Pseudonymisation
- Natural Person, Deceased Persons and PII
- Special Categories of Personal Data
- Controller vs Processor - Roles and Liability
- The Five Building Blocks of 'Controller'
- Joint Controllership
- The Processor and the Article 28 Contract
- Processing and Data Subject
Chapter 5 (6 topics)
- Introduction and overview of scope
- Article 3(1): EU-established controllers and processors
- Article 3(2): the targeting and monitoring tests
- Public international law, EU representatives and Brexit
- Material scope: matters outside EU law and the household exemption
- Law enforcement, EU institutions, ePrivacy and E-Commerce
Chapter 7 (12 topics)
- Background & the role of consent
- Consent - definition and the four conditions
- Freely given consent - bundling, imbalance, cookie walls
- Specific, informed & unambiguous consent
- Necessity & the contract, legal obligation and vital interests bases
- Public task / official authority basis
- Legitimate interests & the balancing test
- Consent vs legitimate interests - choosing correctly
- Legal obligation & public interest - extra detail; documenting the basis
- Sensitive data - Article 9 framework
- Article 9 exceptions - the ten conditions
- Criminal convictions data (Article 10) & processing without identification (Article 11)
Chapter 8 (8 topics)
- Transparency principle
- Article 13 vs Article 14 - what must be provided
- Situations requiring additional information
- When information must be provided (timing)
- How information must be provided (manner and format)
- Exemptions to the obligation to provide information
- Requirements of the ePrivacy Directive
- Fair processing notices and best practice
Chapter 9 (11 topics)
- Background - the rights and their Articles
- Modalities - to whom, how, and when
- Transparent communication and the right to information
- Right of access (DSAR)
- Right to rectification
- Right to erasure ('right to be forgotten')
- Right to restriction of processing
- Right to data portability
- Right to object
- Right not to be subject to solely automated decision-making
- Restrictions of data subject rights
Chapter 10 (10 topics)
- Background - why security is an A-list principle
- Security principle and the risk-based approach (Article 32)
- Employees, the insider threat, and the controller-processor relationship
- Risk reporting and the meaning of 'personal data breach'
- Article 33 - notifying the supervisory authority
- Article 34 - communicating the breach to data subjects
- Article 33 vs Article 34 - side-by-side comparison
- Delivering on security - programmes, people, paperwork
- Incident response
- The NIS Directive (and NIS 2)
Chapter 11 (8 topics)
- Introduction and background to accountability
- Responsibility of the controller
- Data protection by design and by default
- Documentation and records of processing (Article 30)
- The under-250-employees records exemption
- Data protection impact assessment (DPIA)
- The data protection officer (DPO)
- Binding corporate rules and conclusion
Chapter 12 (10 topics)
- The general restriction on transfers outside the EEA
- Scope of data transfers - what counts as a transfer
- Meaning of an 'adequate level of protection'
- Procedure to designate adequate countries
- The United States - Safe Harbor, Snowden and Schrems I
- The United States - Privacy Shield, Schrems II and the Data Privacy Framework
- Providing adequate safeguards - SCCs and the transfer impact assessment
- Binding corporate rules (BCRs) for intra-group transfers
- Relying on the Article 49 derogations
- Comparing the transfer mechanisms & the future of restrictions
Chapter 13 (9 topics)
- Introduction: the toolkit of supervision and enforcement
- Self-regulation: accountability, DPOs, codes and certification
- Regulation by the citizen: rights, remedies, representation and compensation
- Independent national regulators and their tasks (Articles 51–57, 59)
- Regulators' powers under Article 58: investigatory, corrective, authorisation/advisory
- Competence, the one-stop shop and the lead supervisory authority
- Cooperation, consistency and the EDPB (Articles 60–66, 68–71)
- Administrative fines: the two tiers and how they are set (Article 83)
- Setting fines, guidelines and the Law Enforcement Directive
Chapter 14 (13 topics)
- Employee data
- Legal basis for processing employee personal data
- Why consent is problematic at work
- Processing sensitive employee data
- Providing notice
- Storage of personnel records
- Workplace monitoring: principles, background checks, DLP
- Necessity and the DPIA
- Legitimacy and proportionality of monitoring
- Transparency, AUPs and covert monitoring
- Works councils
- Whistleblowing schemes
- Bring your own device (BYOD)
Chapter 16 (12 topics)
- Data protection and direct marketing
- Right to opt out of direct marketing
- ePrivacy laws: unsolicited messages and cookies
- Online behavioural advertising (OBA)
- OBA, cookies and ePrivacy (Article 5(3))
- The ePrivacy Regulation (proposal)
- Channel-by-channel rules: the consent matrix
- Postal marketing
- Marketing by electronic mail and the soft opt-in
- Telephone marketing
- Location-based marketing
- Enforcement and conclusion
Chapter 17 (18 topics)
- Introduction and scope
- Cloud computing: models and applicable law
- Cloud: controllership issues
- Cloud service contracts (Article 28)
- Cloud: international data transfers
- EU Cloud Code of Conduct
- Cookies and similar technologies
- ePrivacy consent and cookie controllership
- Cookie scrutiny, third-party cookie demise, ePrivacy Regulation
- IP addresses as personal data (Breyer)
- Search engines and the right to be forgotten
- Social media: roles, joint controllership, transparency
- Social media: legal basis, special category data, children
- Targeted online advertising: ecosystem and law
- Adtech legal basis and automated decisions
- Applications on mobile devices
- Internet of Things (IoT)
- Artificial Intelligence and the EU AI Act
Chapter 18 (8 topics)
- Introduction to outsourcing
- Roles of the parties: controller and processor
- Suppliers as controllers, AI, and chains of processors
- Mandatory Article 28(3) contract terms
- Subcontracting conditions
- Offshoring and international transfers
- Binding corporate rules for processors
- Conclusion: recalibrating responsibilities
Official Training
Training Module 4 (7 topics)
- Module 4 · The data processing life cycle
- Module 4 · Data processing principles (OECD + Article 5)
- Module 4 · Territorial and material scope
- Module 4 · The six Article 6 lawful bases
- Module 4 · Consent - the four conditions and children
- Module 4 · Legitimate interests and the balancing test
- Module 4 · Special-category data and Article 9 exceptions
Training Module 5 (6 topics)
- Module 5 · Access and rectification (Articles 15 & 16)
- Module 5 · Data portability (Article 20)
- Module 5 · Erasure / right to be forgotten (Article 17)
- Module 5 · Restriction of processing (Article 18)
- Module 5 · Right to object (Article 21)
- Module 5 · Automated decision-making and profiling (Article 22)
Training Module 8 (12 topics)
- Module 8 · Employee data - legal layers, works councils & legal bases
- Module 8 · Sensitive employee data, record retention & BYOD
- Module 8 · Lawful employee monitoring & whistleblowing
- Module 8 · Surveillance framework - Article 23, content vs metadata
- Module 8 · CCTV / video surveillance & Guidelines 3/2019
- Module 8 · ePrivacy Directive, location data & biometric data
- Module 8 · Direct marketing - GDPR vs ePrivacy & the absolute right to object
- Module 8 · Direct marketing channel rules & the soft opt-in
- Module 8 · Online behavioural advertising (OBA) & cloud computing
- Module 8 · Web cookies, Article 5(3) & the Planet49 ruling
- Module 8 · Search engines, Google Spain & social media targeting
- Module 8 · Dark patterns (Guidelines 03/2022), AI & the EU AI Act
Training Module 10 (7 topics)
- Module 10 · Accountability defined (Article 24)
- Module 10 · Data protection by design and by default (Article 25)
- Module 10 · Data protection impact assessment (DPIA, Articles 35 and 36)
- Module 10 · Data protection policy (Article 24(2))
- Module 10 · Records of processing (Article 30)
- Module 10 · The data protection officer (DPO, Articles 37–39)
- Module 10 · The EU representative (Article 27)