CIPP/E cram sheet

Q: What dates do I need to know for the CIPP/E?

The big ones: Convention 108 (1981), Directive 95/46/EC (1995), the Charter becoming binding via Lisbon (2009), and above all the GDPR being adopted in 2016 but applicable from 25 May 2018. Schrems I (2015) and Schrems II (2020) matter for transfers.

Q: What are the GDPR fine amounts?

Two tiers: up to EUR 20 million or 4% of total worldwide annual turnover (whichever is higher) for breaches of principles, lawful basis, rights and transfers; and up to EUR 10 million or 2% for breaches of controller/processor obligations.

Q: When did the GDPR come into force?

It was adopted on 27 April 2016 and became applicable on 25 May 2018. The exam often tests this two-year gap between adoption and application.

Q: What is the breach notification deadline?

Notify the supervisory authority within 72 hours where feasible (Article 33). Notify affected individuals without undue delay only where the breach is likely to result in a high risk to them (Article 34).

Q: How many data protection principles and lawful bases are there?

Seven principles in Article 5 (the seventh, accountability, is overarching) and six lawful bases in Article 6 (consent, contract, legal obligation, vital interests, public task, legitimate interests).

Q: Is the right to be forgotten absolute?

No. Erasure (Article 17) is limited by freedom of expression, legal obligations, public-interest tasks and the establishment or defence of legal claims.

Everything high-yield you need to memorise for the IAPP CIPP/E exam, on one page: the dates, the numbers, the principles, the rights, the obligations, the transfer rules, the cases and the classic traps - curated from the study notes so you can skim it the night before.

Key dates

Year	What happened	Why it matters
1948	Universal Declaration of Human Rights (UDHR)	Non-binding, but seeded the privacy values (Art 12) later built on in Europe.
1950 / 1953	European Convention on Human Rights (ECHR) signed; in force 1953	A Council of Europe treaty (not EU). Article 8 protects private and family life; enforced by the ECtHR in Strasbourg.
1980	OECD Privacy Guidelines	Non-binding; introduced the FIPs-style principles that shaped later law.
1981	Convention 108 (Council of Europe)	The first binding international treaty on data protection. Modernised as Convention 108+ in 2018.
1995	Data Protection Directive 95/46/EC	The GDPR's predecessor. A Directive, so each member state transposed it - hence fragmentation.
2000 / 2009	EU Charter of Fundamental Rights; binding from the Treaty of Lisbon (2009)	Article 7 (private life) and a standalone Article 8 (data protection). Became binding when Lisbon took effect on 1 Dec 2009.
2002	ePrivacy Directive 2002/58/EC	Cookies, e-marketing and confidentiality of communications. Sits alongside the GDPR.
2014	Google Spain (CJEU)	Established the right to be forgotten / de-listing.
2015	Schrems I (CJEU)	Invalidated the Safe Harbor framework.
2016	GDPR adopted (27 April 2016); Law Enforcement Directive (EU) 2016/680	Two-year lead-in begins. The LED is the GDPR's law-enforcement sibling.
2018	GDPR applies from 25 May 2018; Convention 108+	The date everyone must know - adopted 2016 but applicable 2018.
2020	Schrems II (CJEU)	Invalidated Privacy Shield; SCCs survive but require a transfer impact assessment and supplementary measures.
2023	EU-US Data Privacy Framework adequacy decision	The replacement transfer route to the US.

Adopted vs applicable

The GDPR was adopted in April 2016 but only applied from 25 May 2018. Exam questions exploit this two-year gap.

Numbers and thresholds to memorise

Figure	What it is
72 hours	Deadline to notify the supervisory authority of a personal data breach (Article 33), where feasible.
Without undue delay	Notify affected individuals when a breach is likely to result in a high risk to them (Article 34).
EUR 20m or 4%	Higher fining tier (Art 83(5)) - of total worldwide annual turnover, whichever is higher. For breaches of principles, lawful basis, rights and transfers.
EUR 10m or 2%	Lower fining tier (Art 83(4)) - for breaches of controller/processor obligations (records, security, DPO, DPIA).
1 month (+2)	Time to respond to a data subject request; extendable by two further months for complex or numerous requests.
16 (down to 13)	Age of valid consent for information society services; member states may lower it, but not below 13.
< 250 employees	Indicative exemption from keeping records of processing (Art 30) - but not if processing is risky, regular, or involves special-category data.
Every 4 years	The Commission reviews adequacy decisions periodically.

The seven principles (Article 5)

Lawfulness, fairness and transparency
Purpose limitation - collected for specified, explicit, legitimate purposes
Data minimisation - adequate, relevant, limited to what is necessary
Accuracy - kept up to date; inaccurate data erased or rectified
Storage limitation - kept no longer than necessary
Integrity and confidentiality - the security principle
Accountability - the controller must demonstrate compliance (Art 5(2))

Memory hook

Six handling rules in Art 5(1), then Accountability as the overarching seventh in Art 5(2). Accountability is the one the exam loves - it is what turns the rules into a duty to prove compliance.

The six lawful bases (Article 6)

Basis	When you would rely on it
Consent	Freely given, specific, informed, unambiguous; must be as easy to withdraw as to give.
Contract	Processing necessary to perform a contract with the data subject (or pre-contract steps).
Legal obligation	Required by EU or member-state law.
Vital interests	To protect someone's life - narrow, usually where consent is impossible.
Public task	Carried out in the public interest or official authority.
Legitimate interests	Needs a three-part test (purpose, necessity, balancing). Not available to public authorities for their tasks.

Special-category and criminal data

Article 9 special-category data (health, race, religion, sex life, biometrics for ID, etc.) needs an Art 6 basis and a separate Art 9 condition. Article 10 criminal-offence data is a third, separate regime - do not lump it in with Art 9.

Data subject rights

Right	What it means / nuance
Be informed (Art 13-14)	Privacy notice at collection; different content if data came from a third party.
Access (Art 15)	A copy of their data + supplementary info; the basis of a DSAR.
Rectification (Art 16)	Correct inaccurate or incomplete data.
Erasure / right to be forgotten (Art 17)	Not absolute - limited by freedom of expression, legal obligations, public interest, legal claims.
Restriction (Art 18)	Pause processing while a dispute is resolved.
Data portability (Art 20)	Only for consent or contract basis and automated processing; structured, machine-readable format.
Object (Art 21)	Absolute for direct marketing; otherwise the controller can show compelling legitimate grounds.
Automated decisions (Art 22)	Right not to be subject to solely automated decisions with legal or similarly significant effects.

Rights are not absolute

Only the objection to direct marketing is absolute. Most rights have exemptions, and portability only applies to consent/contract + automated processing.

Controller, processor and the rest

The core distinction

The controller decides the purposes and means; the processor only acts on the controller's documented instructions. Many exam scenarios turn entirely on this.

Joint controllers - jointly determine purposes/means; must agree respective responsibilities (Art 26).
Processor contract (Art 28) - mandatory written terms; sub-processors need the controller's authorisation.
Representative (Art 27) - non-EU controllers/processors caught by Art 3(2) must appoint one in the EU.

Processor vs sub-processor / representative vs DPO

A representative is a local contact point for non-EU organisations; a DPO is an independent adviser. They are different roles - do not swap them.

Accountability toolkit

Records of processing (Art 30) - the <250-employee indicative exemption, with risk caveats.
Data protection by design and by default (Art 25).
Security of processing (Art 32) - appropriate technical and organisational measures.

When is a DPIA required? (Art 35)

When processing is likely to result in a high risk - especially (a) systematic, extensive evaluation/profiling with significant effects; (b) large-scale special-category or criminal data; (c) large-scale systematic monitoring of a publicly accessible area.

When is a DPO mandatory? (Art 37) - three triggers

(1) a public authority; (2) core activities = regular and systematic monitoring of individuals on a large scale; (3) core activities = large-scale processing of special-category (Art 9) or criminal (Art 10) data.

Personal data breaches

Two clocks, two articles

Article 33 - notify the supervisory authority within 72 hours where feasible (unless unlikely to result in a risk). Article 34 - notify affected individuals without undue delay only where there is a high risk to them.

Article 33 vs 34

72 hours is the regulator clock (Art 33). The individuals clock (Art 34) is "without undue delay" and only triggers on high risk. Mixing these up is a classic trap.

International transfers

Route	Detail
Adequacy (Art 45)	Commission decides a country offers essentially equivalent protection.
Appropriate safeguards (Art 46)	SCCs, BCRs, approved codes/certifications, with enforceable rights.
Derogations (Art 49)	Specific situations: explicit consent, contract necessity, important public interest, legal claims, vital interests, public register. Narrow and last-resort.

Schrems II

Schrems II (2020) struck down Privacy Shield but kept SCCs valid - provided you run a transfer impact assessment and add supplementary measures where the destination's laws fall short.

Supervision and enforcement

Supervisory authorities (SAs) - independent national regulators.
One-stop-shop / lead SA - for cross-border processing, a single lead authority (main establishment) coordinates.
EDPB - the European Data Protection Board ensures consistency via the consistency mechanism and binding dispute resolution.

Which tier? (Art 83)

Higher tier (20m / 4%): principles, lawful basis, rights, transfers. Lower tier (10m / 2%): controller/processor obligations such as records, security, DPO and DPIA.

Scope (Articles 2 and 3)

Material (Art 2) - applies to processing by automated means or in a filing system; excludes purely personal/household activity and law-enforcement (the LED) processing.
Territorial (Art 3) - the establishment test (Art 3(1)) and the targeting/monitoring test for non-EU controllers (Art 3(2)).

Targeting test

A US shop with no EU office that offers goods/services to people in the EU (prices in euros, ships to the EU) or monitors their behaviour is caught by Art 3(2).

Key CJEU cases

Case	What it established
Google Spain (2014)	The right to be forgotten / de-listing from search results.
Schrems I (2015)	Invalidated Safe Harbor.
Schrems II (2020)	Invalidated Privacy Shield; upheld SCCs subject to supplementary measures.
Google v CNIL (2019)	De-listing is not global by default - generally EU-wide only.
Digital Rights Ireland (2014)	Struck down the Data Retention Directive.

Easily confused - know the difference

This	Not this
Regulation - directly applicable in all member states (the GDPR)	Directive - binding as to result but transposed into national law (95/46/EC, the LED, ePrivacy)
ECHR / ECtHR - a Council of Europe treaty and its Strasbourg court	EU Charter / CJEU - an EU instrument and its Luxembourg court. Convention 108 is a third, separate Council of Europe instrument
Council of the EU (Council of Ministers) - co-legislator	European Council (heads of state) and the Council of Europe (a separate non-EU body) - neither is the co-legislator
Controller - decides purposes and means	Processor - acts only on instructions
Pseudonymisation - still personal data (reversible with a key)	Anonymisation - no longer personal data (irreversible) - outside the GDPR
DPO - independent adviser (Art 37-39)	EU representative - a contact point for non-EU orgs (Art 27)
Article 33 - breach to the SA in 72 hours	Article 34 - breach to individuals, without undue delay, only if high risk

Tricky terms worth a last look

Personal data: Any information relating to an identified or identifiable natural person.
Special-category data: Race, ethnicity, political opinions, religion, trade-union membership, genetics, biometrics for ID, health, sex life/orientation (Art 9).
Pseudonymisation: Processing so data can no longer be attributed without separate, secured key information - still personal data.
Profiling: Automated processing to evaluate personal aspects (performance, health, behaviour, location...).
Filing system: A structured set of personal data accessible by specific criteria - brings manual records into scope.
Legitimate interests assessment: The three-part test: legitimate purpose, necessity, balancing against the individual's rights.
Main establishment: Where the central administration / decisions on purposes are - sets the lead SA.
Consistency mechanism: EDPB process to keep SAs aligned, including binding dispute resolution.
Binding corporate rules: Internal group-wide transfer rules approved by an SA (Art 47).
Standard contractual clauses: Commission-approved transfer contract terms (Art 46).
Adequacy decision: A Commission finding that a third country protects data adequately (Art 45).
Data protection by design and by default: Build in protection from the outset and default to the most privacy-protective settings (Art 25).
Joint controllers: Two or more controllers jointly determining purposes and means (Art 26).
Restriction of processing: Marking stored data to limit future processing (Art 18).
Law Enforcement Directive: Directive (EU) 2016/680 - the GDPR's sibling for police/justice processing.
Convention 108+: The 2018 modernised Council of Europe data-protection treaty.
Vital interests: Protecting someone's life - a narrow lawful basis.
Public task: Processing in the public interest or under official authority.
One-stop-shop: Single lead SA for cross-border processing.
ePrivacy: 2002/58/EC - cookies, e-marketing, confidentiality of communications; lex specialis to the GDPR.

Memory hooks

Lawful bases - "Consent, Contract, Compliance, Vital, Public, Legitimate"

Six bases (Art 6). Remember that public authorities cannot use legitimate interests for their tasks, and consent must be as easy to withdraw as to give.

Two breach clocks

33 = 72 to the regulator; 34 = individuals, high risk only.

Two fine tiers

4% for the big stuff (principles, bases, rights, transfers); 2% for the admin stuff (records, security, DPO, DPIA).

Next: how to pass the CIPP/E, the free study notes, and the practice exam.

Frequently asked questions

What dates do I need to know for the CIPP/E?

The big ones: Convention 108 (1981), Directive 95/46/EC (1995), the Charter becoming binding via Lisbon (2009), and above all the GDPR being adopted in 2016 but applicable from 25 May 2018. Schrems I (2015) and Schrems II (2020) matter for transfers.

What are the GDPR fine amounts?

Two tiers: up to EUR 20 million or 4% of total worldwide annual turnover (whichever is higher) for breaches of principles, lawful basis, rights and transfers; and up to EUR 10 million or 2% for breaches of controller/processor obligations.

When did the GDPR come into force?

It was adopted on 27 April 2016 and became applicable on 25 May 2018. The exam often tests this two-year gap between adoption and application.

What is the breach notification deadline?

Notify the supervisory authority within 72 hours where feasible (Article 33). Notify affected individuals without undue delay only where the breach is likely to result in a high risk to them (Article 34).

How many data protection principles and lawful bases are there?

Seven principles in Article 5 (the seventh, accountability, is overarching) and six lawful bases in Article 6 (consent, contract, legal obligation, vital interests, public task, legitimate interests).

Is the right to be forgotten absolute?

No. Erasure (Article 17) is limited by freedom of expression, legal obligations, public-interest tasks and the establishment or defence of legal claims.