How to Use This Map
  1. First pass (2–3 hrs): Read Layers 1–2. Build the mental map—don't memorise yet.
  2. Deep dive (8–10 hrs): Layer 3, Tier 1 articles only. Test yourself: can you explain each without looking?
  3. Application (4–6 hrs): Layer 4 decision trees. Walk through with hypothetical scenarios.
  4. Exam prep (2–3 hrs): Layer 5 patterns. For each, write 2–3 practice questions.
  5. Revision: Return to Layer 2 Golden Rules before each practice exam.
Layer 1

The Spine: Non-Negotiables

Six structural pillars that anchor 80% of CIPP/E questions. Everything else is commentary.

Pillar 1

Processing Principles

The Article 5 principles are not aspirational—they are legally binding obligations with direct enforcement consequences.

Art. 5(1)(a)–(f), 5(2)
Why exam-critical: Every processing scenario question requires you to identify which principle is at issue.
Pillar 2

Lawful Basis Architecture

Processing requires exactly one basis from Article 6(1). Consent is just one option—and often the wrong one.

Art. 6(1)(a)–(f), Art. 7, Art. 9
Why exam-critical: Questions test whether you can select the correct basis and explain why alternatives fail.
Pillar 3

Data Subject Rights

Eight rights with specific trigger conditions, exceptions, and timing requirements. Not all apply in all circumstances.

Art. 12–22
Why exam-critical: Case studies frequently test when rights apply, when they can be refused, and time limits.
Pillar 4

Controller–Processor Mechanics

Controller determines purposes and means. Processor acts on instructions. The distinction drives liability allocation.

Art. 4(7)–(8), Art. 26, Art. 28
Why exam-critical: Role identification questions appear in nearly every case study.
Pillar 5

Accountability Framework

GDPR shifted from "notify and forget" to "demonstrate compliance." Records, DPIAs, DPOs, and breach notification operationalise this.

Art. 24, 25, 30, 32–36, 37–39
Why exam-critical: The exam tests when accountability measures are mandatory vs. advisable.
Pillar 6

Enforcement & Remedies

Two-tier fine structure, supervisory authority powers, and data subject remedies. Know the fine thresholds and triggers.

Art. 58, 77–84
Why exam-critical: Questions test which violations attract €10M/2% vs €20M/4% fines.
Layer 2

Doctrine Clusters

Mental models that match how the exam tests thinking, not how the Regulation is organised.

1

Lawful Processing Logic

Art. 5, 6, 7, 9, 10 | Recitals 32, 39–47

Core Logic
  • Every processing activity must satisfy at least one Art. 6(1) basis
  • Consent requires all four elements: freely given, specific, informed, unambiguous
  • Legitimate interest requires three-part balancing test
  • Special category data requires Art. 6 basis + Art. 9(2) exception
Exam Traps
  • Consent bundled with other terms = not freely given (Art. 7(4))
  • Pre-ticked boxes = not valid consent (Recital 32)
  • Public authorities cannot rely on legitimate interest (Art. 6(1) final sentence)
  • Legitimate interest test is not satisfied by controller simply asserting it
Golden Rule: If you cannot identify the specific legal basis, the processing is unlawful. There is no "general reasonableness" exception.
2

Rights Trigger Conditions

Art. 12–22 | Recitals 58–73

Core Logic
  • Access, rectification, restriction: available in all circumstances
  • Erasure: only when specific Art. 17(1) grounds are met
  • Portability: only for consent-based or contract-based automated processing
  • Object: only for Art. 6(1)(e)/(f) processing; absolute for direct marketing
  • Automated decision-making protection: applies when solely automated + legal/significant effects
Exam Traps
  • Portability does not apply to legitimate interest processing
  • Erasure is not absolute—retention may be required for legal claims (Art. 17(3)(e))
  • "Without undue delay" for access = one month, extendable by two (Art. 12(3))
  • Right to object to profiling ≠ right against automated decision-making
Golden Rule: Before applying a right, verify: (1) the legal basis, (2) specific trigger conditions, and (3) applicable exceptions.
3

Risk & Accountability Loop

Art. 24, 25, 30, 32–36, 37–39 | Recitals 74–91

Core Logic
  • Risk-based approach: obligations scale with processing risk
  • Accountability = ability to demonstrate compliance (Art. 5(2))
  • Privacy by design = technical measures at determination stage (Art. 25(1))
  • Privacy by default = minimum data by default (Art. 25(2))
  • DPIA required when "high risk" to rights and freedoms (Art. 35(1))
Exam Traps
  • Records of processing (Art. 30) required for most organisations—the <250 employee exemption has three broad exceptions
  • DPIA is mandatory for systematic profiling, large-scale special category data, systematic monitoring
  • Prior consultation (Art. 36) only after DPIA shows residual high risk
  • DPO appointment is mandatory only in three specific circumstances (Art. 37(1))
Golden Rule: When unsure if a measure is required, default to "yes" if processing involves systematic evaluation of individuals or large-scale special categories.
4

International Transfers Decision Tree

Art. 44–49 | Recitals 101–116

Core Logic
  • Any transfer to third country/international org must have valid mechanism
  • Hierarchy: adequacy decision → appropriate safeguards → derogations
  • SCCs and BCRs are "appropriate safeguards" not requiring additional authorisation
  • Derogations (Art. 49) are narrowly construed and require case-by-case justification
Exam Traps
  • Adequacy decisions are Commission acts—not controller self-assessments
  • SCCs require assessment of third country legal framework (Schrems II)
  • Explicit consent for transfer requires genuine choice and information about risks
  • Contractual necessity derogation applies only to specific contracts, not general operations
Golden Rule: First check adequacy. If no adequacy, require safeguards + supplementary measures assessment. Derogations are last resort.
5

Enforcement & Remedies Architecture

Art. 51–59, 77–84 | Recitals 117–152

Core Logic
  • Each Member State has independent supervisory authority
  • Lead supervisory authority for cross-border processing = main establishment location
  • Data subjects: complaint to SA, judicial remedy against SA, judicial remedy against controller/processor
  • Two-tier fines: €10M/2% for procedural violations; €20M/4% for substantive violations
Exam Traps
  • Main establishment = place of central administration, not largest office
  • Fine tiers are maximums, not automatic amounts
  • Data subject can sue in habitual residence OR controller's establishment (Art. 79(2))
  • Processor liability is limited to processor-specific obligations (Art. 82(2))
Golden Rule: €20M/4% tier = core principles, legal bases, data subject rights, international transfers. €10M/2% tier = everything else.
Layer 3

High-Yield Articles

Tiered by exam frequency and scoring impact. Tier 1 articles appear in 70%+ of exams.

Tier 1: Know Cold

Memorise elements, sub-parts, and inter-relationships. Tested directly and indirectly in nearly every exam.

Tier 2: Know Functionally

Understand purpose, key requirements, and relationship to Tier 1. Tested in context.

Tier 3: Context Only

Know they exist and general purpose. Rarely tested directly.

Layer 4

Cognitive Scaffolds

Memory devices for rapid retrieval under exam pressure. Precision over cleverness.

Decision Tree: Legal Basis Selection

Q1: Is this special category data (Art. 9(1))?
  YES → Must satisfy BOTH Art. 6(1) basis AND Art. 9(2) exception
  NO → Continue to Q2
Q2: Is the controller a public authority performing public tasks?
  YES → Art. 6(1)(e) — public task/official authority [Cannot use legitimate interest]
  NO → Continue to Q3
Q3: Is there a contract with the data subject requiring this processing?
  YES → Art. 6(1)(b) — contractual necessity [Must be genuinely necessary, not merely useful]
  NO → Continue to Q4
Q4: Is processing required by law?
  YES → Art. 6(1)(c) — legal obligation
  NO → Continue to Q5
Q5: Does the controller have a legitimate interest that isn't overridden?
  YES → Art. 6(1)(f) — legitimate interest [Requires documented balancing test]
  NO → Continue to Q6
Q6: Can valid consent be obtained?
  YES → Art. 6(1)(a) — consent [Must be freely given, specific, informed, unambiguous]
  NO → Processing likely unlawful

Decision Tree: DPIA Requirement

Q1: Is this on the supervisory authority's mandatory DPIA list?
  YES → DPIA REQUIRED
  NO → Continue to Q2
Q2: Does processing involve ANY of these Art. 35(3) activities?
  • Systematic & extensive profiling with significant effects
  • Large-scale special category data (Art. 9) or criminal data (Art. 10)
  • Systematic large-scale monitoring of publicly accessible areas
  YES → DPIA REQUIRED
  NO → Continue to Q3
Q3: Does processing involve 2+ of these high-risk factors?
  • Evaluation/scoring
  • Automated decisions
  • Systematic monitoring
  • Sensitive data
  • Large scale
  • Dataset matching
  • Vulnerable subjects
  • Innovative technology
  • Transfer blocks
  YES → DPIA LIKELY REQUIRED
  NO → DPIA not mandatory (but may be advisable)

Decision Tree: Breach Notification

BREACH DETECTED: Has there been accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data?
Step 1: Notify Supervisory Authority? (Art. 33)
  Default: YES, within 72 hours from awareness
  Exception: "unlikely to result in a risk to rights and freedoms"
  → If in doubt, NOTIFY
Step 2: Notify Data Subject? (Art. 34)
  Only if: "likely to result in HIGH risk to rights and freedoms"
  Exceptions:
  • Encryption rendered data unintelligible
  • Subsequent measures eliminated the high risk
  • Disproportionate effort (then: public communication)
  → High risk threshold is higher than SA notification threshold
KEY TIMING:
  • SA notification: 72 hours from awareness
  • Data subject: "without undue delay"
  • Processor → Controller: "without undue delay" (no 72-hour limit)

Comparison: Controller vs Processor

Criterion           | Controller                          | Processor
Definition          | Determines purposes AND means       | Processes on behalf of controller
Key Question        | "Why and how?"                      | "As instructed?"
Legal Basis         | Must establish                      | Relies on controller's
Data Subject Rights | Primary responsibility              | Assist controller
Records (Art. 30)   | Full records required               | Categories only
Breach Notification | To SA (72 hrs) + DS if high risk    | To controller only
DPIA                | Must conduct                        | Assist controller
Liability (Art. 82) | All infringements                   | Processor-specific + acting outside instructions

Data Subject Rights by Legal Basis

Right              | Consent | Contract | Legal Obl | Public Task | Legit Int
Access (15)        | ✓       | ✓        | ✓         | ✓           | ✓
Rectification (16) | ✓       | ✓        | ✓         | ✓           | ✓
Erasure (17)       | ✓       | ✓        | Limited   | Limited     | ✓
Restriction (18)   | ✓       | ✓        | ✓         | ✓           | ✓
Portability (20)   | ✓       | ✓        | –         | –           | –
Object (21)        | N/A*    | N/A*     | N/A*      | ✓           | ✓

* Right to object only applies to Art. 6(1)(e)/(f). For consent, withdrawal achieves same result.

International Transfers: Mechanism Hierarchy

LEVEL 1: ADEQUACY DECISION (Art. 45)
  → Commission determines adequate protection
  → No additional authorisation required
LEVEL 2: APPROPRIATE SAFEGUARDS (Art. 46)
  No prior SA authorisation:
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules (BCRs)
  • Approved codes of conduct + binding commitments
  • Approved certification + binding commitments
  POST-SCHREMS II: Assess effectiveness in light of third country law. Supplementary measures may be required.
LEVEL 3: DEROGATIONS (Art. 49) — NARROW, CASE-BY-CASE
  • Explicit consent (informed of risks)
  • Contract with/for data subject necessity
  • Important public interest
  • Legal claims / Vital interests
  • Public register
  • Compelling legitimate interest (residual only, notify SA)
Layer 5

Exam Translation Layer

How doctrine shows up in questions, common distractors, and over-memorisation traps.

Pattern 1: Legal Basis Selection

Scenario presented; asks which legal basis applies. Distractors are bases that seem plausible but fail technically.

Distractor: "Consent" when there's power imbalance (employment) or service dependency.
Distractor: "Legitimate interest" when controller is public authority performing public tasks.
Approach: Systematically eliminate. Public authority? Contract? Legal obligation? Only then consent/legitimate interest.

Pattern 2: Consent Validity

Describes consent mechanism; asks if valid. Tests four cumulative requirements.

Distractor: "Valid because user clicked agree" — ignores pre-ticked boxes, bundled terms, power imbalances.
Distractor: "Valid because opt-out available" — consent requires affirmative action.
Approach: Test all four: Freely given? Specific? Informed? Unambiguous affirmative action?

Pattern 3: Data Subject Rights

Right exercise request; asks whether controller must comply and timing.

Distractor: "Portability applies" when basis is legitimate interest (only consent/contract).
Distractor: "Erasure is absolute" when data needed for legal claims.
Approach: (1) Identify legal basis. (2) Check if right applies. (3) Check exceptions. (4) Apply timing.

Pattern 4: Controller vs Processor

Multi-party arrangement; asks who is controller, processor, joint controller.

Distractor: "Larger company is controller" — size irrelevant; purposes/means decisive.
Distractor: "Cloud provider is joint controller" — infrastructure typically = processor.
Approach: Who decided WHY? Who decided HOW? Jointly = joint controllers. On instructions = processor.

Pattern 5: Breach Notification

Data breach described; asks about notification obligations and timing.

Distractor: "72 hours from breach" — it's 72 hours from awareness.
Distractor: "Always notify data subjects" — only HIGH risk (different from SA threshold).
Approach: SA = default 72 hrs from awareness. DS = only HIGH risk, check exceptions.

Pattern 6: International Transfers

Data flow to third country; asks about valid transfer mechanisms.

Distractor: "Consent covers all transfers" — can't use for systematic transfers.
Distractor: "SCCs always sufficient" — must assess third country law (Schrems II).
Approach: (1) Check adequacy. (2) If none → safeguards + assessment. (3) Derogations narrow.

Pattern 7: Fine Tiers

Violation described; asks maximum fine tier.

Distractor: "All violations = €20M/4%" — procedural violations are lower tier.
Approach: €20M/4% = Art. 5–7, 9, 12–22, 44–49. €10M/2% = Art. 8, 11, 25–39, 42–43.

Over-Memorisation Traps

Where candidates memorise details but miss exam-tested logic.

Trap: Memorising Recital numbers — exam tests doctrine, not citations.
Trap: Memorising complete Article text — exam tests application.
Trap: Memorising every adequacy country — exam tests mechanism hierarchy.
Better: Understand the logic. Why does GDPR require this? When does it apply? What are conditions and exceptions?