Certified Information Privacy Professional/Europe (CIPP/E) Ultimate Cheat Sheet
Your Quick Reference Study Guide
This cheat sheet covers the core concepts, terms, and definitions you need to know for the Certified Information Privacy Professional/Europe (CIPP/E). We've distilled the most important domains, topics, and critical details to help your exam preparation.
💡 Note: While this study guide highlights essential concepts, it's designed to complement—not replace—comprehensive learning materials. Use it for quick reviews, last-minute prep, or to identify areas that need deeper study before your exam.
About This Cheat Sheet: This study guide covers core concepts for Certified Information Privacy Professional/Europe (CIPP/E). It highlights key terms, definitions, common mistakes, and frequently confused topics to support your exam preparation.
Use this as a quick reference alongside comprehensive study materials.
Introduction to European Data Protection (20%)
Data Protection as a Fundamental Right (ECHR & EU Charter)
Human‑rights foundation (ECHR Art.8; EU Charter Arts.7–8) that drives necessity/proportionality tests for data rules.
Key Insight
GDPR implements these rights — the Charter/ECHR require a separate, fact‑specific necessity and proportionality assessment.
Common Mistakes
- Treating privacy/data‑protection rights as absolute; ignoring lawful, necessary, proportionate limits.
- Assuming GDPR compliance automatically satisfies Charter/ECHR necessity/proportionality tests.
- Treating the UDHR as an enforceable treaty equivalent to the ECHR.
Internal‑Market Basis & Harmonization (1995 Directive)
1995 Directive used the EU internal‑market competence to approximate national laws and remove barriers to cross‑border data
Key Insight
The internal‑market basis aimed to prevent trade barriers via transposition — it created approximate harmonization, not instant identical laws.
Common Mistakes
- Believing the Directive was adopted primarily as a human‑rights measure.
- Expecting identical national laws immediately after transposition.
- Assuming the Directive covered only economic/commercial data processing.
Charter Art 8 — EU Data‑Protection Right
Constitutional right to personal data protection in EU law; underpins GDPR rights (esp. access & rectification) and its
Key Insight
Art 8 is the constitutional source for GDPR rights — it applies when EU law is engaged and allows lawful, proportionate limits.
Common Mistakes
- Treating Art 8 as identical to the GDPR; it's the constitutional source, not an operational rule.
- Assuming Art 8 directly binds private actors in all situations; it constrains states when implementing EU law.
- Believing Art 8 is absolute — rights are qualified and subject to lawful, proportionate restrictions.
ECHR Art 8 — Respect for Private & Family Life
Qualified human‑rights protection for 'private life' — limits state interference; triggers when processing meaningfully‑
Key Insight
Not every data processing engages Art 8: there must be a meaningful effect on private life and a proportionality balancing with public interests.
Common Mistakes
- Assuming any personal data processing automatically engages Article 8.
- Treating Article 8 as absolute — it allows lawful, proportionate interferences for public interest.
- Believing public figures lose all Article 8 protection.
CJEU Case Law — Continuity from Directive to GDPR
CJEU rulings interpret EU data law and bind national courts, guiding GDPR scope, rights and transfers.
Key Insight
Art 267 TFEU preliminary rulings bind national courts; Directive‑era judgments still inform GDPR but must be adapted.
Common Mistakes
- Treating Directive‑era CJEU rulings as automatically unchanged under the GDPR
- Believing the CJEU creates new data‑protection rules rather than interpreting EU law
- Equating CJEU judgments with ECtHR rulings or with SNA enforcement powers
95/46 → GDPR: Regulation vs Directive
GDPR superseded 95/46: a regulation is directly applicable EU‑wide; a directive required national transposition.
Key Insight
Regulation = directly applicable and uniform; directive = result‑binding and allows national variation and opening clauses.
Common Mistakes
- Thinking a directive never creates enforceable individual rights in national courts
- Assuming a regulation must be implemented by national law before it applies
- Believing the GDPR eliminated all national divergence — harmonisation isn't total
Convention 108 (Council of Europe Data‑Protection Treaty)
Binding Council of Europe treaty (108+) setting data‑protection rules for public and private actors, including law‑enfor
Key Insight
108+ is a binding CoE treaty that explicitly covers public authorities and judicial/law‑enforcement processing; it complements but is distinct from EU
Common Mistakes
- Assuming 108 only covers the private sector.
- Thinking judicial or law‑enforcement processing is excluded.
- Treating 108+ as mere non‑binding guidance.
GDPR — Principles, Scope & Purpose
EU regulation defining rights, lawful bases, accountability and extraterritorial scope for personal data processing.
Key Insight
Processing is permitted when a lawful basis and safeguards exist; GDPR applies extraterritorially to controllers/processors targeting or monitoring EU
Common Mistakes
- Thinking GDPR only applies to organisations located in the EU.
- Treating consent as the only lawful basis for processing.
- Assuming the 'right to be forgotten' is absolute.
European Data Protection Law and Regulation (20%)
Personal Data — Identified or Identifiable Info
Any information relating to an identified or identifiable person (names, IP, GPS, bank, medical); defines GDPR scope.
Key Insight
Identifiability is judged by means reasonably likely available — pseudonymised/hashed data usually remains personal; true anonymisation is rare.
Common Mistakes
- Assuming IP addresses are never personal data.
- Believing pseudonymisation/hashing removes GDPR obligations.
- Thinking aggregated or summarized datasets can never re-identify individuals.
Data Processing — Any Operation on Personal Data
Any operation on personal data (collect, store, use, disclose, erase) that triggers controller/processor duties under EU
Key Insight
Processing is very broad — manual or automated, even a single view or note counts; duties apply regardless of 'private‑life' interference.
Common Mistakes
- Assuming only automated/computerised acts qualify as 'processing'.
- Treating pseudonymised/hashed data as anonymised and outside GDPR.
- Thinking GDPR only applies when a person's private life is affected.
Anonymisation Limits & Re-ID Risk
GDPR identifiability test — assess direct/indirect identifiers, auxiliary data and 'means reasonably likely to be used'.
Key Insight
Identifiability is contextual: realistic attacker capabilities and auxiliary datasets decide if data remains personal.
Common Mistakes
- Assuming removing names/direct IDs alone makes data anonymous
- Treating anonymisation as permanently safe despite new datasets or tech
- Believing photos/images are always identifying in every context
Pseudonymisation — Keyed De-identification
Replace identifiers with reversible tokens; stays personal unless keys, access and governance block re‑linking.
Key Insight
Not anonymisation — it's a technical + governance measure: separate key‑management, access controls, logging and retention.
Common Mistakes
- Treating pseudonymisation as equivalent to anonymisation
- Relying only on technical masking without key‑management or contractual controls
- Storing re‑linking keys with the dataset 'because they're encrypted'
Consent (Lawful Basis) — Granular, Explicit, Withdrawable
Freely given, specific, informed, unambiguous consent; explicit for special‑category data and must be demonstrable.
Key Insight
Consent needs an affirmative, granular choice and easy withdrawal; withdrawal stops future processing but doesn't retroactively change the lawfulness of past processing.
Common Mistakes
- Pre‑ticked boxes, silence or inactivity do NOT constitute valid consent.
- Thinking withdrawal erases prior lawful processing — it stops future processing only.
- Assuming parental consent is uniformly required for <16; Member States may lower the age to 13.
Controller — Who Decides Purposes & Means
Entity that determines purposes and means of processing; bears primary GDPR duties and accountability that can't be law‑
Key Insight
Controller status is a factual test (who decides purposes/means); contract labels don't determine legal responsibility.
Common Mistakes
- Assuming the party labelled 'controller' in a contract is always the controller.
- Believing a controller can fully delegate or contract away GDPR accountability to a processor.
- Thinking appointing a DPO or keeping policies alone absolves controller accountability.
TOMs — Risk‑Proportionate Security (DPIAs & Vendor Controls)
Proportionate technical and organisational measures (TOMs): DPIAs, vendor controls, contracts, encryption, logging.
Key Insight
TOMs must be risk‑based, documented and proportionate; processors have independent security duties and contracts don't replace DPIAs.
Common Mistakes
- Believing encryption alone automatically satisfies TOMs in every context.
- Treating TOMs as only technical — ignoring policies, training and contractual controls.
- Assuming one‑size‑fits‑all TOMs; not scaling measures to processing risk.
Art.34 — Data‑Subject Breach Notice (High‑Risk Only)
Controllers must inform data subjects when a breach is likely to create a high risk to rights and freedoms; include rem
Key Insight
Notify subjects only if the breach creates high risk; if notice is disproportionate use public communication and inform the SA; encryption avoids duty
Common Mistakes
- Assuming every personal data breach requires subject notification (only high‑risk cases do).
- Thinking supervisory authority notification always replaces data‑subject notification.
- Believing encryption always removes the duty to notify (only when data rendered unintelligible).
European Data Processing (20%)
Purpose Limitation — Article 6(4) Check
Collect for specified, explicit lawful purposes; run an Article 6(4) compatibility check before any secondary use.
Key Insight
Secondary uses are allowed only if Article 6(4) factors pass — purpose link, context, nature, consequences, safeguards; otherwise get a new lawful‑bas
Common Mistakes
- Thinking every new use needs fresh consent — not if Article 6(4) compatibility holds.
- Treating lawful initial collection as blanket permission for all future uses.
- Believing pseudonymisation equals anonymisation and frees subsequent processing.
Data Minimisation — Necessity & Proportionality
Process only data adequate, relevant and strictly necessary for the purpose; assess necessity and proportionality across
Key Insight
Minimisation targets attributes/fields and lifecycle use (collection, access, sharing, retention) — not just how many records exist.
Common Mistakes
- Limiting record count only — ignoring unnecessary attributes or fields.
- Thinking minimisation bans personal data rather than requiring necessity and proportionality.
- Treating minimisation as a one‑time check at collection, not ongoing during use and retention.
Art.22 — Automated Decisions & Profiling (GDPR)
Stops solely automated decisions that produce legal or similarly significant effects; demands meaningful safeguards (hum
Key Insight
Art.22 triggers only when a decision is solely automated and has legal/similarly significant effects — any human role must be substantive, not a box‑t
Common Mistakes
- Assuming Art.22 bans all profiling or any algorithmic use
- Believing explicit consent is always required for profiling
- Treating a nominal 'human review' as adequate human intervention
Legitimate Interests (Art.6(1)(f))
Permits necessary processing for controller/third‑party interests after a documented balancing test (LIA) and rights‑saf
Key Insight
Legitimate interest survives only when a documented LIA shows controller interest outweighs impact on data subjects and reasonable safeguards are in p
Common Mistakes
- Relying on legitimate interests without performing/recording a balancing test (LIA)
- Assuming LI automatically overrides objections, access or erasure rights
- Using LI to process special‑category data without Article 9 safeguards
Right of Access — Art.15: Verify, Copy, Redact
Right to confirmation and a copy of personal data plus required processing info; deadlines, verification and redaction decisions
Key Insight
1‑month deadline (±2 months if complex); verify identity, provide copies, redact third‑party data or lawfully refuse/explain fees.
Common Mistakes
- Assuming instant replies — statutory deadline is one month, extendable two months for complex requests.
- Disclosing third‑party personal data in full instead of redacting or assessing lawful basis.
- Charging routinely for the first copy — only for manifestly unfounded/excessive requests or additional copies.
Right to Erasure — Art.17: Delete or Justify
Conditional right to have personal data erased when legal grounds exist; exams test exemptions and proportionality.
Key Insight
Erasure is not automatic — assess legal grounds vs. exemptions (public interest, legal obligations, freedom of expression) and document refusal.
Common Mistakes
- Treating erasure as absolute — many exemptions (public interest, legal duties) override deletion.
- Expecting immediate purging of backups — apply reasonable technical measures and retention/restore policies.
- Trying to erase anonymized/aggregated data — anonymised data is not personal data and needn't be removed.
Special Categories (Art.9) & Convictions (Art.10)
Art.9 protects sensitive traits (health, race, beliefs); Art.10 covers criminal‑conviction data — both need specific law
Key Insight
Art.9 forbids sensitive data unless a specific legal ground applies; Art.10 is separate and needs Member‑State rules/safeguards; inferred traits can =
Common Mistakes
- Relying on explicit consent as the only lawful ground for Art.9 processing
- Treating pseudonymisation or aggregation as eliminating Art.9/Art.10 restrictions
- Applying Art.9 rules to conviction data without checking Article 10 and Member‑State safeguards
DPIA (Art.35) — High‑Risk Gatekeeper
Article 35 requires a DPIA when processing is likely high‑risk (large‑scale, systematic monitoring, special categories,
Key Insight
DPIA = documented risk assessment + mitigation; it's context‑specific, iterative, may trigger supervisory consultation if residual high risk remains
Common Mistakes
- Doing a DPIA only after a breach has occurred
- Confusing DPIA with Article 25 'privacy by design' — they overlap but are distinct obligations
- Treating a completed DPIA as a one‑time checkbox that removes ongoing monitoring
Transparency Principle — GDPR Notice Rules
GDPR duty to give clear, timely, accessible notices (identity, purpose, basis, retention, profiling, transfers).
Key Insight
Layered, discoverable notices + actionable controls beat long legalese; must disclose who, why, how long, profiling, transfers and safeguards.
Common Mistakes
- Assuming a long legal policy posted somewhere satisfies transparency.
- Believing a single banner/icon alone meets notice obligations.
- Thinking processors have no transparency responsibilities at all.
DSR Procedures — Arts.12 (Access, Erasure, Portability)
Operable channels, proportionate ID checks, 1‑month response (±2 months), refusals recorded; fees only for manifestly‑un
Key Insight
Requests need not be written; verify identity proportionately; respond within one month, notify extensions and give legal basis for refusals.
Common Mistakes
- Skipping identity verification entirely for convenience.
- Charging a fee for routine access requests.
- Insisting requests be written and signed only.
SCCs — EU Standard Contractual Clauses
Pre‑approved EU contract templates that bind exporter/importer to protect personal data sent outside the EEA.
Key Insight
SCCs impose contractual safeguards but do NOT override foreign surveillance laws — use a Transfer Impact Assessment and binding supplementary measures
Common Mistakes
- Assuming SCCs alone cure legality despite intrusive foreign surveillance laws
- Freely altering SCC text — material changes can invalidate them
- Believing a signed SCC removes the need for a Transfer Impact Assessment
Adequacy Decisions — 'Essentially Equivalent' Status
EU Commission finding that a country/sector offers protection essentially equivalent to the GDPR, allowing transfers w/o
Key Insight
Adequacy removes the need for Article 46 safeguards only where applied; it can be limited, suspended or revoked and may exclude law‑enforcement flows—
Common Mistakes
- Assuming adequacy automatically covers law‑enforcement / public‑authority access
- Thinking adequacy is permanent and cannot be suspended or revoked
- Believing exporters need no ongoing monitoring after an adequacy decision
European Data Protection: Scope and Accountability (20%)
Territorial Scope — Establishment vs Non‑Establishment
GDPR applies if a controller is 'established' in the EU, offers goods/services to EU data subjects, or monitors EU-based
Key Insight
Establishment = real, stable EU base for decision‑making; single contacts or one‑off emails won't create it; offering needs targeting, monitoring = EU
Common Mistakes
- Assuming any processing of EU resident data automatically creates EU 'establishment'.
- Treating a single customer contact or occasional marketing email as EU establishment.
- Equating 'habitual residence' with short‑term presence or tourism.
Joint Controllership (Art.26) — Allocation & Shared Liability
When two+ parties jointly determine purposes/means they must allocate transparency, subject‑request handling and breach/
Key Insight
A written Art.26 allocation clarifies who does what but does NOT remove shared liability or stop supervisory competence being asserted where real control
Common Mistakes
- Believing a joint‑controller agreement can fully absolve one party from liability.
- Assuming joint controllers always share liability equally regardless of allocated roles.
- Thinking processors can never communicate with data subjects or have any duties.
Privacy by Design & Default (PbD/PbDf)
Embed privacy from the design stage: minimisation, access controls, pseudonymisation plus organisational safeguards (Art
Key Insight
Pseudonymisation reduces identifiability but isn't anonymisation — GDPR still applies; combine technical + organisational measures and DPIAs.
Common Mistakes
- Treating pseudonymisation as full anonymisation — GDPR still applies and re‑identification risk remains.
- Believing Article 25 needs only technical fixes or applies to processors — controllers hold primary duties.
- Assuming a one‑off pseudonymisation removes need for DPIAs or ongoing safeguards.
Privacy by Default (Art.25 GDPR)
Set defaults so only personal data strictly necessary for each purpose are processed; require technical and org measures
Key Insight
Defaults are the legal baseline — controllers must limit processing to what is necessary per purpose and document those choices; consent is not the only
Common Mistakes
- Equating 'default' to 'no processing without consent' — lawful bases beyond consent still valid.
- Using only UI toggles as proof of compliance — you need processes and organisational measures too.
- Blaming processors for default settings — controllers hold primary responsibility and must document choices.
Lawful Basis Matrix (Art.6 & Art.9)
Select, justify and record the GDPR lawful basis (Art.6) and Art.9 conditions for each processing activity.
Key Insight
Each processing purpose needs its own lawful basis; legitimate interests require a documented LIA and balancing test.
Common Mistakes
- Assuming one lawful basis chosen at collection covers all future uses
- Relying on legitimate interests without a documented LIA and balancing evidence
- Treating a contract or blanket privacy notice as automatic, granular proof of consent
Cross‑Border Transfers: SCCs, BCRs & TIAs
Use adequacy, SCCs, BCRs or narrow derogations — plus Schrems II transfer‑impact assessments and documented safeguards.
Key Insight
SCCs/BCRs are not self‑sufficient: perform a risk‑based TIA, assess local law, and add technical/organizational supplementary measures.
Common Mistakes
- Assuming SCCs alone make a transfer lawful without a TIA or supplementary measures
- Treating pseudonymised data as anonymous and outside transfer rules
- Believing an adequacy decision removes the need to document specific transfers or risk assessments
DPIA — Risk First, Design Always
Pre-deployment process to identify, score (likelihood×impact) and mitigate high privacy risks; records residual risk and
Key Insight
Required before high‑risk processing; scoring is semi‑quantitative — only a residual high risk forces prior consultation.
Common Mistakes
- Assuming a completed DPIA removes controller/processor legal liability.
- Doing the DPIA after deployment rather than before launching processing.
- Treating likelihood×impact as an objective, universally comparable score.
RoPA — Processing Inventory (Art.30 Evidence)
Mandatory register of processing activities (purpose, legal basis, categories, recipients, transfers, retention, and saf
Key Insight
RoPA is living compliance evidence — keep it updated, use it to spot DPIA triggers, and provide it to the supervisory authority on request.
Common Mistakes
- Believing a DPO must be appointed for every processing activity.
- Notifying the EDPS or SA after processing starts instead of before required prior checks.
- Expecting the RoPA must be published publicly (it's for the SA, not automatic public disclosure).
Supervisory Architecture & One‑Stop‑Shop (OSS)
How national DPAs, the EDPB and the OSS divide cross‑border GDPR oversight; main‑establishment picks lead DPA.
Key Insight
Lead authority = DPA of the controller/processor’s EU main establishment; OSS applies when processing substantially affects multiple Member States, so
Common Mistakes
- Assuming the lead DPA’s decision is automatically final and uncontested.
- Thinking any transfer outside the EU equals cross‑border processing under OSS rules.
- Believing multi‑site cloud data storage always creates cross‑border processing.
European Data Protection Board (EDPB): Guidance vs Binding
EDPB coordinates DPAs; guidelines/recommendations persuade, formal consistency decisions can be legally binding.
Key Insight
EDPB guidance guides interpretation but only formal consistency decisions/opinions (and CJEU rulings) impose binding legal obligations.
Common Mistakes
- Equating EDPB guidelines with GDPR text or CJEU rulings.
- Assuming EDPB guidance automatically overrides a national DPA’s enforcement choice.
- Treating EDPB opinions as having the same legal force as CJEU judgments.
Compliance with European Data Protection Law and Regulation (20%)
Art.9(2) Employment Derogation — Special‑Category Data
GDPR exception: employers may process special‑category data if strictly necessary and authorised by national law or a/GA
Key Insight
Processing only allowed when strictly necessary for employment rights/obligations, authorised by national law/collective agreement and limited by firm
Common Mistakes
- Treating employee consent as freely given — usually invalid due to power imbalance
- Assuming collective agreements automatically permit broad processing across all Member States
- Believing pseudonymisation converts special‑category data into non‑personal data
DPIA: Necessity & Proportionality Test
DPIA core test: prove no less‑intrusive means (necessity) and that the intrusion is proportionate given purpose plus saf
Key Insight
Necessity = no reasonably less‑intrusive alternative; proportionality = benefits justify intrusion and safeguards reduce risk — both must be shown and
Common Mistakes
- Equating 'necessary' with merely useful or convenient
- Treating necessity and proportionality as the same test
- Assuming pseudonymisation/encryption alone makes processing proportionate
Law‑Enforcement Data — LED (Directive 2016/680)
EU rules for personal‑data processing by competent law‑enforcement authorities; distinct legal bases, restricted rights,
Key Insight
LED (not the GDPR) governs police/criminal processing — national law provides legal bases; necessity, proportionality and formal MLAT/Europol/Eurojust
Common Mistakes
- Treating the LED as identical to the GDPR
- Assuming ‘free movement’ => unrestricted intra‑EU transfers
- Believing a foreign warrant can be served directly without domestic review
Comms Data — Content vs Metadata (ePrivacy + GDPR)
Content = message body (high confidentiality); metadata = timestamps, IPs, IMSI, location — different legal tests, both may
Key Insight
Metadata can identify people and reveal networks/behaviour; ePrivacy traffic‑data rules and GDPR often both apply; pseudonymisation ≠ anonymisation
Common Mistakes
- Assuming metadata is non‑sensitive or outside data‑protection rules
- Thinking metadata never reveals communication substance
- Believing aggregation/pseudonymisation fully prevents re‑identification
Data Subject Rights (GDPR) — Surveillance
Who counts as a data subject and what controllers must do for access, rectification, erasure, restriction, objection and
Key Insight
Rights are qualified, not absolute — lawful exemptions, overriding legitimate grounds and strict deadlines (1 month) shape responses in surveillance.
Common Mistakes
- Assuming rights are absolute; ignoring lawful exceptions and public‑interest overrides.
- Treating erasure as mandatory even when retention is required by law or for compelling grounds.
- Thinking controllers have unlimited time — most requests due within one month; extensions are limited.
Surveillance: Data Minimisation & Retention Limits (GDPR)
Limit camera scope, resolution, retention and access to only what is strictly necessary for the stated surveillance aim.
Key Insight
Security or tech fixes don't replace necessity — purpose and proportionality drive resolution, coverage, retention and access controls.
Common Mistakes
- Collecting high‑res or broad footage to 'decide later' — post hoc justification is invalid.
- Assuming pseudonymisation/encryption removes minimisation or purpose obligations.
- Setting retention by convenience or policy inertia rather than necessary purpose and review dates.
Controller vs Processor (EDPB Rules)
Who decides purposes/means (controller), who follows instructions (processor) — who bears accountability and liability.
Key Insight
Liability follows decision‑making: controllers set purposes/means; processors have direct GDPR duties and can be fined or sued.
Common Mistakes
- Thinking processors only have contractual duties — GDPR gives them direct legal obligations.
- Believing only controllers can be fined or face claims; processors can incur fines and direct liability.
- Assuming joint controllers share equal liability regardless of each party's role or fault.
Notices & Pre‑tracking: Articles 12–14
Layered notices: required content, delivered at point‑of‑collection (or pre‑tracking) and across channels in ad flows.
Key Insight
Article 13 = data collected from the subject; Article 14 = data obtained elsewhere — pre‑tracking notice required before cookies/fingerprinting.
Common Mistakes
- Treating Article 13 and Article 14 as interchangeable.
- Relying on a short banner alone; full layered content must be available and discoverable at collection.
- Using icons or a distant privacy policy to satisfy timing and disclosure requirements.
Breach Notifications — Art.33/34 (Risk‑Based, 72‑hr)
Notify the supervisory authority (SA) within 72 hours if a breach risks rights/freedoms; notify data subjects without un
Key Insight
72‑hour is for SA notification 'where feasible' and only when breach is likely to risk rights/freedoms; processors notify controllers without undue d
Common Mistakes
- Treating 72 hours as absolute — it applies 'where feasible' and only if the risk threshold is met.
- Letting processors report to the SA directly — processors must notify the controller without undue delay.
- Assuming encryption always removes the duty — only when data is rendered unintelligible are obligations negated.
Art.28 DPA — Mandatory Clauses & Sub‑processor Controls
DPA must include Art.28 terms (instructions, security, sub‑processor authorisation/register, audits, deletion/assistance
Key Insight
Controller remains accountable; processors may appoint sub‑processors only as contract authorisation permits and must flow‑down obligations; contracts
Common Mistakes
- Assuming processors can appoint any sub‑processor after mere notice — explicit contract authorisation is needed.
- Thinking a controller loses accountability after authorising a sub‑processor — accountability continues.
- Believing a controller–processor contract alone binds sub‑processors — sub‑processors need binding flow‑downs or direct obligations.