- The CIPP/E exam tests five named domains, from foundational European data protection history through to hands-on compliance practice.
- Questions are scenario-based: they describe a real-world situation and ask which legal basis, obligation, or control applies.
- Domain 3 (Compliance) and Domain 5 (Practice) carry the heaviest applied-knowledge weighting and deserve the most preparation time.
- Special category data under Article 9 appears across multiple domains - mastering it pays dividends throughout the entire exam.
What the CIPP/E Exam Actually Tests
The Certified Information Privacy Professional/Europe (CIPP/E) is the leading privacy certification for professionals working within the European regulatory landscape. Awarded by the International Association of Privacy Professionals (IAPP), it signals that a candidate can navigate the General Data Protection Regulation (GDPR), related EU directives, and the supervisory structures that enforce them - not just in theory, but in the kind of nuanced, judgment-driven situations that arise in real organisations.
What separates the CIPP/E from a general data protection course is its emphasis on applied reasoning. The exam does not reward memorisation of statutory text. It rewards the ability to read a scenario - a multinational's data transfer arrangement, a controller's response to a subject access request, a processor's contractual obligations - and identify the legally correct course of action. That distinction shapes everything: how the exam is structured, how questions are worded, and how you should prepare.
Exam Structure: Format, Timing, and Scoring
The Basics
The CIPP/E is a computer-based, closed-book examination. Candidates work through a set of multiple-choice questions within a fixed time window. The exam is administered through Pearson VUE testing centres globally, as well as via online proctoring - giving candidates flexibility in how and where they sit the exam.
The exam is scored on a scaled basis. There is a defined passing threshold, and candidates who fall below it receive a detailed score report indicating their performance across domains. This score report is genuinely useful: it tells you exactly which of the five domains you need to revisit before a retake, rather than leaving you guessing.
Registration and Credential Maintenance
To register, candidates create an account through the IAPP, select a testing window, and pay the applicable examination fee. IAPP membership can reduce the fee, so it is worth reviewing current membership options before registering. Once earned, the CIPP/E credential requires ongoing CPE (Continuing Privacy Education) credits to maintain - reflecting the fact that European data protection law continues to evolve through regulatory guidance, court rulings, and new legislation.
Question Types and How They Are Worded
Multiple-Choice, But Not Straightforward
Every question on the CIPP/E is multiple-choice with four answer options. That sounds simple - until you encounter questions where two or three options look plausible at first read. The IAPP deliberately constructs distractors that represent common misconceptions, partial applications of the law, or answers that would be correct under a slightly different set of facts.
Understanding this design is critical to your preparation. The goal is never to trick you with wordplay - it is to distinguish candidates who understand why a rule exists and how it applies from those who have only a surface familiarity with the text.
The Anatomy of a CIPP/E Question
A typical CIPP/E question follows this pattern:
- A scenario stem: A paragraph describing an organisation, its data processing activity, and a specific situation or decision point. The scenario will contain legally relevant facts - sometimes subtly embedded.
- A question prompt: Usually framed as "Which of the following is most appropriate?", "What must the controller do?", or "Which legal basis applies in this situation?"
- Four answer options: At least two will be partially correct or reflect real legal concepts misapplied to the scenario. One will be clearly wrong, and one will be the best answer.
The word "most" appears frequently - "most appropriate," "most likely," "most accurately describes." This framing signals that you are being asked for the best available answer, not a perfect one. Train yourself to evaluate all four options before selecting, rather than stopping at the first plausible answer.
Topics That Generate Difficult Questions
Certain subjects reliably produce the most challenging questions on the CIPP/E. These include: the conditions for lawful processing under Article 6; the additional requirements for special category data under Article 9; the conditions for international data transfers post-Schrems II; the respective obligations of controllers versus processors; and the rights of data subjects, particularly the boundaries of those rights. Questions in these areas almost always involve a scenario with competing considerations, making them the areas where thorough preparation yields the greatest return.
The Five Exam Domains Dissected
The CIPP/E blueprint is divided into five domains. The IAPP publishes the relative weight of each domain in the exam blueprint, and understanding what each domain actually covers - not just its name - is the foundation of effective preparation.
Domain 1: Introduction to European Data Protection
This domain establishes the historical and institutional context of European data protection. It is primarily conceptual and sets the stage for the more applied domains that follow.
- The evolution of European data protection from the Council of Europe's Convention 108 through to the GDPR
- The role of EU institutions: Parliament, Council, Commission, and the Court of Justice of the EU
- The relationship between EU law, national law, and international frameworks
- The structure and enforcement role of supervisory authorities and the EDPB
Domain 2: European Data Protection Law and Regulation
This is where the substantive GDPR content lives. Candidates must understand the regulation's core provisions in detail, including definitions, principles, legal bases, and data subject rights.
- Key definitions: personal data, processing, controller, processor, data subject
- The six lawfulness conditions under Article 6
- Special categories of personal data and criminal conviction data (Articles 9 and 10)
- Data subject rights: access, rectification, erasure, restriction, portability, and objection
- Obligations around transparency, purpose limitation, and data minimisation
Domain 3: Compliance with European Data Protection Law and Regulation
Domain 3 shifts from "what does the law say" to "how does an organisation implement it." This domain carries significant weight and demands operational understanding.
- Data Protection Impact Assessments (DPIAs): when required, how conducted
- Records of processing activities under Article 30
- Data Protection Officers: appointment criteria, tasks, and independence requirements
- Privacy by design and by default under Article 25
- Personal data breach notification obligations (Articles 33 and 34)
- Controller-processor agreements and the requirements of Article 28
Domain 4: Territorial and Material Scope, and Accountability
This domain addresses one of the most nuanced aspects of the GDPR: determining whether it applies to a given organisation or processing activity, and the accountability mechanisms that flow from that determination.
- Establishment and targeting criteria under Article 3
- The concept of "offering goods or services" to EU data subjects
- International data transfers: adequacy decisions, Standard Contractual Clauses, Binding Corporate Rules, and derogations
- Post-Schrems II requirements for transfer impact assessments
- The accountability principle and how it is demonstrated in practice
Domain 5: European Data Protection in Practice
The most applied domain, Domain 5 tests whether candidates can recognise and resolve real-world data protection issues across a range of industry and operational contexts.
- Employment and HR data processing considerations
- Direct marketing and the interplay of GDPR with ePrivacy rules
- Data protection in the context of cloud computing and third-party service providers
- Children's data and age verification
- Responding to regulatory investigations and supervisory authority inquiries
High-Value Topics Within Each Domain
Not all content within a domain carries equal weight on the exam. Experience with CIPP/E-style questions reveals which topics appear most frequently and in the most demanding scenarios.
| Domain | Highest-Frequency Topics | Question Style |
|---|---|---|
| Domain 1 | Supervisory authority roles, EDPB functions, Convention 108 | Conceptual, definitional |
| Domain 2 | Article 6 legal bases, Article 9 special categories, data subject rights | Scenario: identify correct legal basis or right |
| Domain 3 | DPIA triggers, breach notification timelines, DPO independence | Scenario: identify compliance obligation or gap |
| Domain 4 | Article 3 scope criteria, SCCs post-Schrems II, BCRs | Scenario: determine if GDPR applies; identify transfer mechanism |
| Domain 5 | HR data, direct marketing consent, ePrivacy, cloud processor relationships | Complex scenario: multiple issues, identify priority action |
Article 9 special category data is worth emphasising separately. It intersects with Domains 2, 3, and 5 - appearing in questions about legal bases, DPIA requirements, and operational contexts like health data in employment. A thorough understanding of how the CIPP/E treats Article 9 special category data will help you across a wide range of questions, not just those explicitly labelled as Domain 2 content.
Key Takeaway
International data transfers - particularly the post-Schrems II requirement to conduct transfer impact assessments alongside Standard Contractual Clauses - are among the most consistently tested and most frequently misunderstood topics. Candidates who can confidently work through the layered analysis (adequacy? SCCs? TIA needed?) are well-positioned for Domain 4 questions.
A Domain-Driven Scheduling Approach
Generic study advice rarely translates well to the CIPP/E because the domains are not equal in complexity or applied difficulty. The following timeline is built around the actual structure of the exam, not a one-size-fits-all template. Adjust based on your existing background: practitioners who already work in GDPR compliance may compress Domains 1 and 2, while those newer to EU data protection law should give them full attention.
Domains 1 and 2 - Legal Foundation
- Work through the historical development of EU data protection law; understand the institutional architecture
- Map all six Article 6 conditions and practise identifying which applies to a given scenario
- Study Article 9 in full: the categories, the additional conditions for processing, and the Article 10 extension to criminal data
- Review all data subject rights and the response obligations (timelines, exemptions, extensions)
- Take a baseline practice test on CIPPE Exam Prep to identify your weakest Domain 2 topics
Domain 3 - Compliance Mechanics
- Study DPIA requirements: when mandatory, what a DPIA must contain, when to consult the supervisory authority
- Memorise breach notification timelines (72-hour rule to supervisory authority; communication to data subjects without undue delay)
- Work through DPO appointment criteria, tasks, and the independence safeguards that protect the role
- Review Article 28 processor agreement requirements in detail - a frequent exam topic
- Practise Domain 3 scenario questions using spaced repetition: revisit missed questions after 24 hours and again after 48 hours to consolidate understanding
Domains 4 and 5 - Scope, Transfers, and Applied Practice
- Master the Article 3 territorial scope analysis: establishment test vs. targeting test
- Study international transfer mechanisms in sequence: adequacy → SCCs → BCRs → derogations; understand the Schrems II implications for each
- Work through Domain 5 topics by industry context: HR, marketing, cloud, children's data
- Take two or three full-length timed practice exams on the CIPPE Exam Prep platform and analyse your domain-level score breakdown
- Focus final revision on any domain where your practice scores remain below your target threshold
The value of this domain-sequenced approach is that it mirrors the logical architecture of the exam itself. Domain 1 provides context for Domain 2's substantive rules; Domain 2 underpins the compliance obligations in Domain 3; Domain 4 adds the jurisdictional and transfer layer; and Domain 5 asks you to apply everything in operational scenarios. Preparing in this order means each week builds on the last, rather than treating the domains as isolated topics.
For a more detailed breakdown of the exam format itself, the article CIPP/E Exam Format and Question Types Explained provides additional context on how questions are structured and scored that can inform how you approach your practice sessions.
Frequently Asked Questions
The CIPP/E exam consists of multiple-choice questions delivered within a fixed time limit. The IAPP publishes the exact question count and duration in its official candidate materials. The time allocation is generally sufficient for candidates who have prepared well, but managing pace matters - complex scenario questions can consume more time than straightforward definitional ones.
No. The CIPP/E is designed for privacy practitioners across a range of roles: privacy officers, compliance managers, IT professionals, HR leaders, and consultants all sit and pass the exam. What matters is familiarity with how European data protection law operates in practice, not formal legal training. The exam tests applied judgment, which professionals from operational backgrounds often demonstrate very well.
Domain 3 (Compliance) and Domain 5 (Practice) are consistently the most challenging for candidates because they require applied, judgment-based reasoning rather than recall. Domain 4 (Territorial and Material Scope) also generates difficult questions, particularly around post-Schrems II transfer mechanisms and the conditions for using Standard Contractual Clauses with supplementary measures. Candidates who score weakly in these domains on practice tests should prioritise them in their final revision week.
Practice questions are most effective when used analytically, not just as a scoring exercise. For every question you answer incorrectly, identify whether you misunderstood the legal rule, misread the scenario, or were misled by a distractor. This diagnostic approach reveals specific knowledge gaps far more efficiently than re-reading study materials cover to cover. Using a platform like CIPPE Exam Prep that mirrors the scenario-based format of the actual exam helps you build the reasoning habits the exam rewards.
Yes - and its importance extends well beyond Domain 2 questions explicitly labelled as covering Article 9. Special category data appears in DPIA questions (Domain 3), in international transfer scenarios (Domain 4), and in operational contexts like health data in HR and direct marketing (Domain 5). A thorough understanding of the Article 9 conditions, the explicit consent requirement, and the interaction with national law derogations will improve your performance across the entire exam, not just in one domain.