Certified Information Privacy Professional/Europe (CIPP/E)

Introduction to European Data Protection

• Origins and Historical Context
• European Regulatory Institutions
• Legislative Framework

European Data Protection Law and Regulation

• Data Protection Concepts
• Application of the Law
• Data Protection Principles
• Legitimate Processing Criteria
• Information Provision Obligations
• Data Subjects Rights
• Confidentiality and Security
• Notification Requirements
• International Data Transfers
• Supervision and enforcement

Compliance with European Data Protection Law and Regulation

• Employment Relationship
• Surveillance Activities
• Marketing Activities
• Internet Technology and Communications
• Outsourcing

I. Introduction to European Data Protection

- Origins and Historical Context

• Rationale for data protection
• Human rights laws
• Early laws and regulations
• The need for a harmonised European approach
• The Treaty of Lisbon

- European Regulatory Institutions

• Council of Europe
• European Court of Human Rights
• European Parliament
• European Commission
• European Council
• European Court of Justice

- Legislative Framework

• The Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data of 1981 (The CoE Convention)
• The EU Data Protection Directive (95/46/EC)
• The EU Directive on Privacy and Electronic Communications (2002/58/EC) – as amended
• The EU Data Retention Directive (2006/24/EC)
• National data protection laws across Europe

II. European Data Protection Law and Regulation

- Data Protection Concepts

• Personal data
• Sensitive personal data
• Processing
• Controller
• Processor
• Data subject

- Application of the Law

• Establishment in the EU
• Non-establishment in the EU

- Data Protection Principles

• Fairness and lawfulness
• Purpose limitation
• Proportionality
• Data quality

- Legitimate Processing Criteria

• Consent
• Contractual necessity
• Legal obligation, vital interests and public interest
• Legitimate interests
• Special categories of processing

- Information Provision Obligations

• Transparency principle
• Privacy notices
• Layered notices

- Data Subjects Rights

• Subject access
• Rectification, erasure or blocking of data
• Right to object
• Automated individual decisions

- Confidentiality and Security

• Appropriate technical and organisational measures
• Breach notification
• Engaging processors

- Notification Requirements

• Contents of notification
• Prior checking
• National registers

- International Data Transfers

• Rationale for prohibition
• Safe jurisdictions
• Safe Harbor
• Model contracts
• Binding Corporate Rules (BCRs)
• Derogations

- Supervision and enforcement

• Supervisory authorities and their powers
• The Article 29 Working Party
• Role of the European Data Protection Supervisor (EDPS)

III. Compliance with European Data Protection Law and Regulation

- Employment Relationship

• Legal basis for processing of employee data
• Storage of personnel records
• Workplace monitoring
• EU Works councils
• Whistleblowing systems

- Surveillance Activities

• Communications
• Closed-circuit television (CCTV)
• Biometric authentication
• Location-based services (LBS)

- Marketing Activities

• Telemarketing
• Direct marketing
• Online behavioural targeting

- Internet Technology and Communications

• Cloud computing
• Web cookies
• Internet Protocol (IP) addresses
• Search engine marketing (SEM)
• Social networking services

- Outsourcing

• Data protection obligations in an outsourcing contract
• Offshoring

The examination blueprint indicates the minimum and maximum number of items that are included on the CIPP/E examination from the major areas of the Body of Knowledge. Questions may be asked from any of the listed topics under each area. You can use this blueprint to guide your preparation for the CIPP/E examination. For example, about 60% of the questions on the CIPP/E examination come from domain II.

• CIPM
• CIPT

• CIPM - Certified Information Privacy Manager