CIPP/E Domain II: Understanding the GDPR

While Domain I might be the most challenging domain, Domain II in the CIPP/E certification is worth the most points (by a large margin).  

Domain II really focuses on the GDPR, especially Articles 3 – 49. It requires a deep understanding of the legal requirements and practical implementation of the GDPR within an organisational or business context. You need to be super familiar with not only the concepts and terminology but also the actual Article numbers themselves.  

Here’s what you need to know to master Domain II when taking your CIPP/E certification exam.  

The CIPP/E Domain II Body of Knowledge 

Don’t forget – the CIPP/E Body of Knowledge is your main point of reference when you’re looking to learn what you need to know. It is subject to change – and there are some interesting additions coming to the Domain II Body of Knowledge this year.  This is not unexpected with all the enforcement activity, decisions and guidance that is being issued. Don’t forget to stay on top of that as well! 

Here’s the current Body of Knowledge Version 1.3 (valid through to 2 October 2023). But don’t forget, it will be superseded by the CIPPE/E BoK Version 1.3.1 (from 2 October 2023) 

In the table below (scroll to the end), we’ve underlined the content that will be added to the CIPP/E Body of Knowledge in October 2023. We have also included the minimum and maximum number of points allocated to each section in the left-hand column of the table.   

Domain II CIPP/E Exam: Common Challenges 

Some common challenges we see CIPP/E exam takers experience include: 

  • Compliance with Principles: As you will know from Domain I, the GDPR is at its core based on a series of principles, now contained in Article 5.  Understanding these principles and how they apply in real-world scenarios, such as data minimization and purpose limitation, is fundamental to your understanding of the GDPR. 
  • Core concepts: Make sure you’re familiar with core concepts like what is personal data, what is special category data and what is processing. You also need to understand the distinctions and interplay between data controllers, data processors, and data subjects. Clear understanding of the responsibilities and obligations associated with each role is essential, as is being able to identify when an organisation is acting as a controller, processor or joint controller in particular scenarios. 
  • Legal basis for processing: This is such a fundamental part of the GDPR that you need to really be across the 6 legal bases for processing personal data.  You don’t need to have detailed knowledge of the nuance of the circumstances in which you can process special category data, but still important to know the main ones like consent and in the employment context. 
  • Role of the DPO: You must have a really good understanding of the role and responsibilities of the DPO, as well as the skills and capabilities people in the role should have and the need to be able to act independently.  Also, know when an organisation needs to have a DPO. The CIPP/E is a credential aimed at DPOs, so have a strong understanding of that role is key. 
  • Understanding the terminology: Grasping the complex legal language and intricacies of the GDPR can be difficult. There are some common phrases like ‘technical and organisational measures’ and ‘impact on the rights and freedoms of the individual’ that you need to grasp. 
  • Acronyms: There are lots of acronyms in the GDPR – SA, DPO, DPA, DPIA, TIA, ROPA, EDPB etc etc. IAPP makes a Glossary available which is really helpful.  Plus we’ve put together our own – P108 CIPP/E Glossary. You can also make your own flashcards to help get across them.  The more familiar you are with these acronyms the less likely you’ll be to make a mistake under the stress of the exam situation. 
  • International Data Transfers: The rules surrounding international data transfers are an important part of the core material.  Understand adequacy (including which countries have adequacy and the impact of the Schrems decisions on the EU-U.S. Privacy Shield), appropriate safeguards (including mechanisms like Standard Contractual Clauses (SCCs)) and derogations.
  • Practical Implementation:  There will be scenario-based questions that will require you to translate theoretical knowledge of the GDPR into practical application. They may also present different organizational contexts, which may require knowledge of both legal theory and practical business operations.  Try and do as many scenario-based practice questions as you can find to help prepare.  Our tip is to always do a quick read-through of the scenario then read the questions and then go back to the scenario to check the answer.  Unlike most law exams, it does not always pay off to study the detail of the scenario before moving on to the questions.  Sometimes, you might even be able to answer the scenario-related questions without reading the scenario! 
  • Keeping Up with Changes: EU data protection law, including the GDPR, is subject to change and interpretation by regulatory authorities and courts. Staying current with these developments can be a challenge for candidates preparing for the CIPP/E exam.  Make sure that you’ve downloaded all the EDPB and Art 29 Working Party Guidelines referred to in the Body of Knowledge.  These include case studies that are really helpful to understand the application of the theory and may be useful when faced with some of the exam questions. 
  • Enforcement: Finally, don’t forget about enforcement – including the powers of supervisory authorities, how the EDPB works and the different penalties.  Yes, you need to know the different penalty regimes and when they might apply.  Maybe something to read just before you go into the exam … 

How can we help? 

You may find the following posts helpful: 

Not sure if the CIPP/E is for you? 

If you want to check your current knowledge or get a sense of what the CIPP/E exam might cover, try our mini quiz, accessible here. 

Want to test your CIPP/E Domain 1 knowledge? 

Think you’re ready to take on Domain 1 or just want to assess your current understanding, or get a feel for what the exam questions in this area might be like? 

We’ve created a set of practice exam questions just for Domain 1. 

Enter your details in the form below to access our free history of data privacy practice exam. It is written to help you prepare for the CIPP/E. 

Prepare with us for the CIPP/E Exam 

If you are thinking of taking the CIPP/E certification exam, an instructor-led preparatory course is a great option. The training classes are widely recognised as the best preparatory resource for test takers – and they’re a great resource for helping you learn the history of data privacy. 

Privacy108 runs regular CIPP/E training seminars, either by 4 x 4-hour on-line sessions or 2 days in a classroom. The course covers all of the CIPP/E body of knowledge.  As an authorised IAPP training provider all the course materials are provided by IAPP, and are prepared and regularly updated by the IAPP team of privacy specialists. 

Lead instructor Dr Jodie Siganto is one of Australia’s foremost privacy experts and is a certified IAPP instructor, holding the CIPM, CIPP/E and CIPT certifications (in addition to the CISSP and CISM).    

Exclusive access to additional CIPP/E resources 

To help ensure your success, Privacy 108 has developed additional supporting study material, available exclusively to people who train with Privacy 108.  This includes: 

  • Additional practice exam questions 
  • Study guides for each of the domains 
  • Glossary and flashcards. 

This is in addition to the IAPP course notes comprehensive CIPP/E textbook and a 25-question practice exam, provided by IAPP. 

For more information or to register.  

The CIPP/E Body of Knowledge

Remember, we’ve underlined the content that will be added to the CIPP/E Body of Knowledge in October 2023.

  1. European Data Protection Law and Regulation
Data Protection Concepts 


Minimum Points: 3 

Maximum Points: 6  

1. Personal data  

2. Sensitive personal data  

a. Special categories of personal data  

3. Pseudonymous and anonymous data  

4. Processing 

5. Controller  

6. Processor  

a. Guidelines 07/2020 on the concepts of controller and processor in the GDPR  

7. Data subject 

Territorial and Material Scope of the General Data Protection Regulation 


Minimum Points: 2 

Maximum Points: 4 


1. Establishment in the EU  

2. Non-establishment in the EU  

a. Guidelines 3/2018 on the territorial scope of the GDPR  

Data Processing Principles  


Minimum Points: 4 

Maximum Points: 5 


1. Fairness and lawfulness  

2. Purpose limitation  

3. Proportionality  

4. Accuracy  

5. Storage limitation (retention)  

6. Integrity and confidentiality 


Lawful Processing Criteria 


Minimum Points: 3 

Maximum Points: 5 


1. Consent  

2. Contractual necessity  

3. Legal obligation, vital interests and public interest  

4. Legitimate interests  

5. Special categories of processing  

Information Provision Obligations 


Minimum Points: 5 

Maximum Points: 8 


1. Transparency principle  

2. Privacy notices  

3. Layered notices 

Data Subjects’ Rights 


Minimum Points: 8 

Maximum Points: 11 



1. Access  

a. Guidelines 01/2022 on data subject rights – Right of access  

2. Rectification  

3. Erasure and the right to be forgotten (RTBF)  

a. Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR 

4. Restriction and objection  

5. Consent, including the right of withdrawal  

6. Automated decision-making, including profiling  

7. Data portability  

8. Restrictions  

a. Guideline 10/2020 on restrictions under Article 23 GDPR 


Security of Personal Data 


Minimum Points: 5 

Maximum Points: 9 


1. Appropriate technical and organizational measures  

a. protection mechanisms (encryption, access controls, etc.)  

2. Breach notification  

a. Risk reporting requirements  

b. Guidelines 01/2021 on Examples regarding Personal Data Breach Notification  

c. Guidelines 9/2022 on personal data breach notification under GDPR  

3. Vendor management  

4. Data sharing 

Accountability Requirements 


Minimum Points: 4 

Maximum Points: 7 


1. Responsibility of controllers and processors  

a. joint controllers  

2. Data protection by design and by default  

3. Documentation and cooperation with regulators  

4. Data protection impact assessment (DPIA)  

a. established criteria for conducting  

5. Mandatory data protection officers  

6. Auditing of privacy programs 

International Data Transfers 


Minimum Points: 4 

Maximum Points: 6 


1. Rationale for prohibition  

a. Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR  

2. Adequate jurisdictions  

3. Safe Harbor, Privacy Shield, and the Transatlantic Data Privacy Framework  

a. Schrems decisions, implications of  

4. Standard Contractual Clauses 

5. Binding Corporate Rules (BCRs)  

6. Codes of Conduct and Certifications  

a. Guidelines 04/2021 on codes of conduct as tools for transfers  

7. Derogations a. Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679  

8. Transfer impact assessments (TIAs)  

a. Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data 


Supervision and enforcement  1. Supervisory authorities and their powers  

a. Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority  

2. The European Data Protection Board 3. Role of the European Data Protection Supervisor (EDPS) 


Consequences for GDPR violations 


1. Process and procedures  

2. Infringements and fines 

3. Class actions  

4. Data subject compensation 

Train for the CIPP/E With Us

  • We collect and handle all personal information in accordance with our Privacy Policy.

  • This field is for validation purposes and should be left unchanged.

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.