CIPP-E Exam Dumps : Certified Information Privacy Professional/Europe (CIPP/E)

According to the Article 29 Working Party, a just-in-time notice is a type of privacy notice that provides processing information at specific points of data collection, such as when the user clicks on a certain feature or enters personal data1. This kind of notice is commonly recommended for AI-based technologies because it allows the user to receive relevant and timely information about the processing of their data, without being overwhelmed by lengthy and complex privacy statements1. A just-in-time notice can also be combined with other types of notices, such as layered notices or privacy dashboards, to provide a more comprehensive and user-friendly transparency framework1. Therefore, option C is the correct answer. Option A is incorrect because a privacy dashboard notice is a type of notice that provides the user with a centralised and interactive overview of the processing of their data, and allows them to manage their privacy settings and preferences1. Option B is incorrect because a visualization notice is a type of notice that uses graphical elements, such as icons, symbols, colours, or animations, to convey the processing information in a more intuitive and engaging way1. Option D is incorrect because a layered notice is a type of notice that provides the processing information in a hierarchical and modular way, starting with the most essential information and allowing the user to access more details if they wish1. References:

What’s new in WP29’s final guidelines on transparency?

A Data Protection Impact Assessment (DPIA) is required under Article 35 of the GDPR when data processing is likely to result in a high risk to individuals' rights and freedoms. This includes processing involving new technologies, systematic monitoring, or the large-scale processing of sensitive data​.

When should a DPIA be conducted?

Before implementing a new high-risk processing activity (e.g., a biometric access system).

Whenever a significant change in risk occurs (e.g., security updates, regulatory changes, new threats).

Regularly to reassess and mitigate emerging risks​.

Why is B the correct answer?

DPIAs are not a one-time process; they must be reviewed periodically to assess new risks​.

Why are other answers incorrect?

A (After the complaint) → A DPIA is a proactive measure, not something done only after a complaint.

C (At the end of the season) → GDPR does not require assessments to be tied to event cycles.

D (After regulatory notification) → DPIAs must be done before investigations, not as a response.

Conclusion: DPIAs should be conducted periodically when new risks arise, making B the correct answer​.

 A dynamic IP address is a unique numerical label for a device on the internet that changes every time the device connects to the internet. A dynamic IP address by itself is not personal data, as it does not directly identify the person who owns or uses the device. However, a dynamic IP address can become personal data when it is combined with other data held by the controller, such as the web pages accessed by the device, the time and duration of the visit, the location of the device, or the user’s preferences and interests. In this case, the controller can use the additional data to identify the data subject, either directly or indirectly, by linking the dynamic IP address to a specific person or a profile. This was confirmed by the Court of Justice of the European Union (CJEU) in the case of Breyer v Bundesrepublik Deutschland, where the CJEU ruled that a dynamic IP address registered by a website provider constitutes personal data in relation to that provider, where the latter has the legal means to obtain the identity of the data subject from the internet service provider (ISP) that assigned the dynamic IP address. Therefore, option B is the correct answer. References: Directive 95/46/EC, Directive 2002/58/EC, Breyer v Bundesrepublik Deutschland, Case C-582/14, Dynamic IP Addresses can be Personal Data