Study Guide
The IAPP currently offers three certification programmes: The Certified Information Privacy
Professional (CIPP), the Certified Information Privacy Manager (CIPM) and the Certified Information
Privacy Technologist (CIPT).
The CIPP is the what of privacy. Earning this designation demonstrates your mastery of a
principles-based framework in information privacy in a legal or practical specialisation. Within the CIPP,
there are five concentrations:
Asian privacy (CIPP/A)
Canadian privacy (CIPP/C)
European privacy (CIPP/E)
U.S. government privacy (CIPP/G)
U.S. private-sector privacy (CIPP/US)
The CIPM is the how of privacy operations. Earning this designation shows you understand how to
manage privacy in an organization through process and technology.
The CIPT is the how of technology. Earning this designation shows you understand how to manage
a privacy program across all stages of its lifecycle.
There are no concentrations within the CIPM or CIPT; they cross all jurisdictions and industries.
OR
2. You can become a member of the IAPP, with access to numerous benefits like discounts,
networking opportunities, members-only resources and more, for just $250 USD, which includes
your annual maintenance fee.
More information about IAPP membership, including levels, benefits and rates, is available on the IAPP
website at iapp.org/join.
The Certified Information Privacy Professional/Europe (CIPP/E) programme is the first professional
credential specific to European data protection professionals that is part of a comprehensive
principles-based framework and knowledge base in information privacy. The CIPP/E encompasses
pan-European and national data protection laws, the European model for privacy enforcement, key
privacy terminology, and practical concepts concerning the protection of personal data and trans-border
data flows.
The content of European data protection law: origins, institutions and legislative framework
Data protection concepts, principles and application, processing criteria, obligations, data
subject rights, confidentiality and security, notification requirements, international data transfers,
and supervision and enforcement
European data protection practices related to employment, surveillance, direct marketing and
outsourcing
In general, the IAPP recommends that you plan for a minimum of 20 hours of study time in advance of
your exam date; however, you might need more or fewer hours depending on your personal choices
and professional experience.
A. Employment Relationship
1. Legal basis for processing of employee data
2. Storage of personnel records
3. Workplace monitoring and data loss prevention
4. EU Works councils
5. Whistleblowing systems
6. Bring your own device (BYOD) programs
B. Surveillance Activities
1. Surveillance by public authorities
2. Interception of communications
3. Closed-circuit television (CCTV)
4. Geolocation
C. Marketing Activities
1. Telemarketing
2. Direct marketing
3. Online behavioural targeting
D. Internet Technology and Communications
1. Cloud computing
2. Web cookies
3. Search engine marketing (SEM)
4. Social networking services
Exam Blueprint
The exam blueprint indicates the minimum and maximum number of items included on the CIPP/E
exam from the major areas of the body of knowledge. Questions may be asked from any of the topics
listed under each area. You can use this blueprint to guide your preparation.
Number of exam items per area (minimum, maximum):
I. Introduction to European Data Protection (min 4, max 10)
A. Origins and Historical Context (min 1, max 2)
Rationale for data protection, human rights laws, early laws and
regulations, the need for a harmonised European approach, the
Treaty of Lisbon; a modernized framework
B. European Regulatory Institutions (min 1, max 3)
Council of Europe, European Court of Human Rights, European
Parliament, European Commission, European Council, European
Court of Justice
C. Legislative Framework (min 2, max 4)
The Council of Europe Convention for the Protection of
Individuals with Regard to the Automatic Processing of Personal
Data of 1981 (the CoE Convention), the EU Data Protection
Directive (95/46/EC), the EU Directive on Privacy and Electronic
Communications (2000/31/EC), European data retention regimes,
The General Data Protection Regulation (GDPR) and related
legislation
II. European Data Protection Law and Regulation (min 40, max 66)
H. Accountability Requirements (min 3, max 5)
Responsibility of controllers and processors, data protection by
design and by default, documentation and cooperation with
regulators, data protection impact assessments, mandatory data
protection officers
I. Cross-Border Data Transfers (min 7, max 11)
Rationale for prohibition, safe jurisdictions, Safe Harbor and Privacy
Shield, model contracts, Binding Corporate Rules (BCRs), codes of
conduct and certifications, derogations
C. Marketing Activities (min 3, max 7)
Telemarketing, direct marketing, online behavioural targeting
2. In addition to GDPR compliance, what benefit does pseudonymising data offer data controllers?
A. It ensures that it is impossible to re-identify the data.
B. It eliminates the responsibility to report data breaches.
C. It allows for further use of the data for research purposes.
D. It eliminates the need for a policy specifying subject access rights.
3. When would a data subject have the right to require the erasure of his or her data without
undue delay?
A. When erasure is in the public interest.
B. When the controller is a public authority.
C. When the processing is carried out by automated means.
D. When the data is no longer necessary for its original purpose.
The IAPP also offers testing at our major annual conferences. Event-based testing is paper-pencil format.
You can find detailed information about how to register for exams, as well as exam-day instructions in
the IAPP Certification Information Candidate Handbook, on our website at iapp.org/certify.
Questions?
The IAPP recognizes that privacy certification is an important professional development effort requiring
commitment and preparation. We thank you for choosing to pursue certification, and we welcome your
questions and comments regarding our certification program.