
This lecture outlines the practical reasons for enrolling in the course and introduces Dr. David, the instructor. It highlights benefits such as preparing for CIPP/E certification, advancing a privacy-related career, and complementing other professional backgrounds like law or cybersecurity. The course is affordable, self-paced, and designed with no prerequisites, making it accessible for diverse learners. Dr. David brings extensive credentials and teaching experience, offering expert instruction tailored for both beginners and professionals.
This lecture introduces the Certified Information Privacy Professional/Europe (CIPP/E) certification offered by the IAPP. It outlines the exam’s five domains, structure (90 questions, 2.5 hours), and registration process. It also compares other IAPP certifications (CIPP/US, AIGP, CIPM, etc.) and details requirements for maintaining certification, including biannual fees and 20 CPE credits every two years.
This lecture provides an overview of the IAPP, the world’s largest organization for privacy and AI governance professionals. It highlights the IAPP’s mission, global resources, training programs, and local KnowledgeNet chapters that support networking and continuing education.
This lecture explains the professional value of the CIPP/E certification. It demonstrates expertise in GDPR, enhances job prospects, and is increasingly expected across industries. The 2023 IAPP Salary Survey shows certified professionals earn 13–27% more, and 86% report high job satisfaction. Flexible, remote work arrangements are also common in privacy roles.
This lecture defines privacy beyond just “being left alone,” emphasizing its social and contextual dimensions. It introduces four categories of privacy—information, bodily, territorial, and communication—and explains types of personally identifiable information (PII), including sensitive, pseudonymized, and anonymized data. Context and data combination are key factors in determining privacy protections.
This lecture examines the interdisciplinary nature of privacy work, covering roles such as legal advisors, analysts, engineers, and compliance officers. Responsibilities include managing risk, ensuring legal compliance, overseeing data governance, and leading privacy training and awareness initiatives. It provides real-world examples to illustrate how privacy professionals mitigate harm and support organizational accountability.
This lecture introduces the European Union (EU) as a supranational political and economic union of 27 member states. It explores the structure and purpose of the EU, the role of the European Economic Area (EEA), and the functions of the EU’s seven main institutions, providing a foundational understanding of European governance.
This lecture provides a chronological overview of key international instruments that laid the groundwork for modern data protection laws, culminating in the GDPR. It introduces pivotal milestones including the Universal Declaration of Human Rights, the European Convention on Human Rights, OECD Guidelines, Convention 108, the Data Protection Directive, and more.
This lecture examines the Universal Declaration of Human Rights, emphasizing Article 12 (privacy) and Article 19 (freedom of expression). It explores the tensions between these rights—particularly in contexts like journalism and surveillance—and discusses Article 29(2), which allows for limiting rights to respect others’ freedoms.
This lecture explores the European Convention on Human Rights, its origins under the Council of Europe, and its enforcement through the European Court of Human Rights. It focuses on Article 8 (privacy and family life) and Article 10 (freedom of expression), highlighting that these rights are not absolute and may be restricted under specific conditions.
This lecture provides historical context for the OECD Privacy Guidelines. It traces early European efforts like Recommendation 509 and Resolutions 73/22 and 74/29, and examines how these informed the OECD Guidelines (1980, revised 2013) and Convention 108, shaping modern data protection frameworks.
This lecture introduces the Organisation for Economic Co-operation and Development (OECD) and its Guidelines on Privacy and Transborder Data Flows. It explains how the non-binding principles aim to protect privacy and data flows without hindering global trade, forming a basis for national data protection laws.
This lecture outlines the eight foundational privacy principles in the OECD Guidelines, using a mnemonic to aid retention. Principles include Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation, and Accountability—each guiding ethical and legal personal data handling.
This lecture explains responsibilities for cross-border data transfers under the OECD Guidelines. It covers when transfers are permissible, when member states can restrict them, and encourages avoiding overly strict policies that unnecessarily hinder international data flows while ensuring appropriate protection.
This lecture introduces Convention 108, the first legally binding international treaty on data protection, adopted by the Council of Europe in 1981. It explains its global applicability, objectives to harmonize privacy protections, and outlines the Convention’s three main sections on principles, data flows, and mutual assistance.
This lecture contrasts substantive law—which defines legal rights and duties—with procedural law, which governs how those rights are enforced. It explains their functions, sources, and differences in application, highlighting that procedural law evolves more frequently and governs litigation processes.
This lecture dives into Chapter II of Convention 108, detailing conditions for automatic data processing, including fairness, lawfulness, proportionality, and accuracy. It also discusses security safeguards, restrictions on sensitive data, individual rights (e.g., access and erasure), and allowable exceptions based on democratic necessity.
This lecture covers Chapters III and IV of Convention 108, focusing on transborder data flows and mutual assistance. It explains when transfers between signatories are permitted, conditions for derogation, and the 2001 Additional Protocol’s “adequacy” standard for non-signatory countries. It also outlines supervisory authority roles in enforcing compliance and facilitating cooperation.
This lecture explains the rationale behind the 1995 Data Protection Directive. It addresses implementation inconsistencies across EU member states, economic integration needs, and the legal necessity for harmonized and enforceable data protection legislation. The lecture culminates in the proposal for binding EU-level data protection rules.
This lecture contrasts EU directives and regulations. Directives specify outcomes but leave implementation to member states, while regulations are immediately binding across the EU. Usage depends on policy needs—directives suit flexible, gradual alignment, whereas regulations are used for uniformity and urgent, cross-border matters.
This lecture outlines Directive 95/46/EC, the EU’s first comprehensive data protection law. It builds on Convention 108 principles, extends protections to both public and private sectors, and seeks to ensure cross-border data flows. However, challenges remained due to uneven implementation, bureaucratic burdens, and inconsistent enforcement.
This lecture introduces the EU Charter of Fundamental Rights, which became legally binding in 2009. It consolidates rights from various sources and highlights Articles 7 (private life), 8 (personal data protection), and 11 (freedom of expression). The Charter aligns with ECHR principles and includes limitations based on necessity and proportionality.
This lecture examines the Treaty of Lisbon, signed in 2007 and effective from 2009, which amended the foundational EU treaties. It strengthened the EU by promoting core values and introducing a unified legal framework. Article 16(2) of the Treaty on the Functioning of the European Union (TFEU) mandates data protection obligations for EU institutions.
This lecture covers the development and objectives of the GDPR. It explains the shortcomings of the Data Protection Directive, the trilogue process, and the GDPR’s 2016 adoption. The GDPR enhances individual rights, introduces accountability and enforcement mechanisms, and applies extraterritorially while allowing regulatory flexibility in certain sectors.
This lecture introduces Convention 108+, the 2018 update to the original Convention 108. It modernizes data protection standards to reflect digital advancements, aligns with GDPR concepts, and introduces new obligations like third-country adequacy assessments and implementation monitoring for greater international coherence.
This lecture outlines two directives: the Law Enforcement Directive (2016), which harmonizes data protection in criminal law enforcement, and the ePrivacy Directive (2002), which governs personal data in electronic communications. It also notes the failed attempt to replace the ePrivacy Directive with a regulation, withdrawn in 2025.
This lecture explores the UK’s data protection landscape post-Brexit. While GDPR was retained as UK law, EU institutions were replaced by domestic counterparts like the ICO. The UK’s framework—UK GDPR—continues to rely on GDPR principles, supported by domestic legislation and international agreements like Convention 108.
This lecture explains the concept of an “adequacy decision,” which allows data transfers from the EU to third countries like the UK. It discusses the UK’s adequacy status under both the GDPR and the Law Enforcement Directive, outlines compliance criteria, and notes the sunset clause requiring review by December 2025.
This lecture provides a mnemonic-based overview of the seven main EU institutions: European Parliament, European Council, Council of the European Union, European Commission, Court of Justice of the EU, European Central Bank, and European Court of Auditors. It highlights each institution’s role in EU governance.
This lecture discusses how the Treaty of Lisbon strengthened EU institutions and elevated the Charter of Fundamental Rights to binding legal status. It covers new privacy protections (Articles 7, 8, and 41), good administration rights, and post-Brexit implications under the UK’s European Union Withdrawal Act.
This lecture introduces the responsibilities and legislative roles of the European Parliament. It outlines three legislative procedures (ordinary, consultation, and consent) and describes the Parliament’s oversight functions, including its ability to censure the Commission and approve or reject appointments.
This lecture explores how the European Parliament functions politically and procedurally. It explains election logistics, political group organization, seat allocation by degressive proportionality, and the legislative process from committee work to plenary sessions. It also notes that personal data laws are passed using the ordinary legislative procedure.
This lecture introduces the European Council, composed of heads of state/government and the President of the European Commission. It sets the EU’s political direction and meets quarterly. Decisions are generally made by consensus, but some require qualified majority. The President serves a 2.5-year term, renewable once.
Also known as the Council of Ministers, this lecture covers the Council’s role as a co-legislator with the European Parliament. Ministers from each member state participate in various configurations based on topic areas. It adopts both binding and non-binding instruments, and the presidency rotates every six months among member states.
This lecture describes the European Commission as the EU’s executive arm. It proposes legislation, implements decisions, and ensures law compliance. The College of Commissioners—one from each member state—leads the Commission. It also has authority over data protection adequacy decisions for non-EU countries.
This lecture introduces the CJEU, the EU’s judicial body. It interprets EU law and ensures uniform application across member states. The CJEU includes the Court of Justice (ECJ) and the General Court. The ECJ hears cases on treaty violations, legality of EU acts, and national court referrals.
This lecture reviews major data protection cases decided by the European Court of Justice (ECJ). Key rulings include: Google Spain, Digital Rights Ireland, ANAF, Weltimmo, Schrems I, Schrems II, and Tele2 Sverige and Tom Watson. These cases address fundamental rights to privacy, the legality of data transfers, jurisdictional scope, data retention, and the responsibilities of public authorities and private companies under EU data protection law. Together, they shape the interpretation and enforcement of privacy rights across the European Union, emphasizing the ECJ’s role in upholding data protection standards.
This lecture introduces the European Court of Human Rights (ECtHR), which oversees the European Convention on Human Rights. Founded in 1959, the Court reviews complaints from individuals, NGOs, and companies in its 46 member states. While data protection isn’t explicitly mentioned in the Convention, the ECtHR has interpreted Article 8 to include safeguards against abuses in electronic data processing.
This lecture highlights key privacy-related cases from the ECtHR, including Bouchacourt v. France, MM v. United Kingdom, Copland v. United Kingdom, Gaskin v. United Kingdom, Haralambie v. Romania, and Big Brother Watch v. United Kingdom. These cases address surveillance, data retention, and access to personal records under Article 8 of the ECHR.
This lecture outlines the origins of Directive 95/46/EC, known as the Data Protection Directive (DPD), adopted in 1995 to harmonize inconsistent data protection laws across EU member states. It was intended to remove obstacles to free trade while protecting individual privacy within the internal market.
This lecture explains the structure and legal effect of the DPD, consisting of 34 articles and 72 recitals. It covers the Directive’s flexible, principles-based approach, which led to inconsistent implementation among member states. It also identifies improvements, such as extending protections to manually processed data.
This lecture details the core principles of the DPD: fair and lawful processing, purpose limitation, proportionality, data accuracy, security, and adequacy for international transfers. It defines the Directive’s scope, outlines protections for special categories of data, and introduces the roles of Data Protection Authorities (DPAs) and the Article 29 Working Party (WP29).
This lecture compares the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS). The EDPB is a collective body of national DPA heads that ensures consistent application of the GDPR across the EU/EEA. The EDPS acts as the supervisory authority for EU institutions, monitoring their compliance and advising on data protection matters.
This lecture outlines the reforms that led to the GDPR and the Law Enforcement Directive (LED). It addresses continued inconsistency under the DPD and proposes measures like EU-wide rules, increased accountability, stronger enforcement, and new rights such as data portability and the right to be forgotten. Key dates include the GDPR’s enforceability beginning May 25, 2018.
This lecture presents the structure of the GDPR: 99 articles, 173 recitals, and 11 chapters. It covers chapter themes including general provisions, data subject rights, international transfers, enforcement, specific processing contexts, and delegated acts, highlighting the regulation’s comprehensive scope and legal framework.
This lecture contrasts the DPD and GDPR in terms of scope, extraterritoriality, and consent. The GDPR applies to controllers and processors, including non-EU entities targeting EU data subjects. Consent under GDPR must be freely given, specific, and easy to withdraw, with added protections for minors and clearer standards for valid consent.
This lecture explains how the GDPR expands on DPD-era rights. It introduces new rights such as data portability, restriction of processing, profiling protections, and the right to be forgotten. It also strengthens transparency obligations, mandates plain-language privacy notices, and codifies erasure rights inspired by Google Spain.
This lecture defines the four criteria used to identify information society services: the service is normally provided for remuneration, at a distance, electronically, and at the request of the recipient. Examples include web hosting, social networks, online marketplaces, search engines, and advertising platforms.
This lecture compares the roles and responsibilities under the DPD and GDPR. It explains the distinction between controllers and processors and introduces the GDPR’s accountability principle. New obligations include record-keeping, DPIAs, appointing DPOs, and requiring processors to implement security, maintain processing records, and obtain consent for subcontracting.
This lecture examines how the GDPR strengthens cross-border data transfer mechanisms, introduces breach notification requirements, and expands enforcement rights. It details adequacy decisions, SCCs, and BCRs. It also outlines GDPR’s enforcement tools, including fines of up to €20 million or 4% of global turnover and judicial remedies for affected individuals.
This lecture introduces the Law Enforcement Directive (LED), which harmonizes data protection rules for criminal justice authorities. It emphasizes necessity, proportionality, and lawfulness when processing personal data—regardless of the individual’s role (e.g., suspect or witness)—and establishes standards for cross-border data exchange and cooperation within and outside the EU.
This lecture outlines the scope and provisions of the ePrivacy Directive (2002/58/EC), which governs data protection in electronic communications. Key provisions include opt-in consent for digital marketing, safeguards for traffic and billing data, anonymization requirements, and user notification obligations. A proposed ePrivacy Regulation was withdrawn in February 2025.
This lecture reviews key amendments to the ePrivacy Directive, including mandatory breach notifications and actions against unsolicited communications. It introduces the concept of cookies, explains their uses (e.g., session management, personalization, tracking), and outlines Article 5(3), which requires clear, informed consent for cookies—interpreted in line with the GDPR since 2018.
This lecture discusses the proposed reform to replace the ePrivacy Directive with a regulation. Key goals include harmonizing rules across the EU and aligning with the GDPR. The reform expands scope, strengthens consent and confidentiality requirements, revises cookie rules, and introduces two tiers of penalties for non-compliance—up to €20 million or 4% of global turnover.
This lecture introduces the NIS Directive, adopted in 2016 as the EU’s first comprehensive cybersecurity law. It requires member states to establish Computer Security Incident Response Teams (CSIRTs) and national authorities, promotes incident reporting and risk management, and applies to Operators of Essential Services and Digital Service Providers.
This lecture introduces the NIS 2 Directive, which replaces the original 2016 NIS Directive to enhance cybersecurity across the EU. It establishes common standards for information system security, incident response, and resilience. Key changes include broader sectoral coverage, new classifications for “essential” and “important” entities, revised breach notification rules, and voluntary vulnerability disclosures. The lecture also explains how NIS 2 interacts with the GDPR—highlighting differing breach reporting timelines and emphasizing cooperation between competent authorities and data protection authorities (DPAs).
This lecture explains the 2006 Data Retention Directive, which aimed to align EU policies on retaining traffic and location data for crime and terrorism prevention. The directive was invalidated in 2014 by the CJEU for violating fundamental rights under the Charter of Fundamental Rights, though individual member states may still legislate under the ePrivacy framework.
This lecture introduces the GDPR definition of personal data as “any information relating to an identified or identifiable natural person.” It breaks the definition into four key components—“any information,” “relating to,” “identified or identifiable,” and “natural person”—drawing on GDPR text and WP29’s 2007 opinion.
This lecture explores the first component of personal data: “any information.” It covers three features—nature (objective or subjective), content, and format. It also explains that personal data includes information processed by automated means or manually if part of a filing system, such as employee records or medical files.
This lecture explains what it means for information to “relate to” a person. Using WP29’s framework, it outlines three qualifying criteria: content (data inherently about someone), purpose (data used to evaluate or affect someone), and result (data processing that impacts someone’s rights, status, or behavior).
This lecture defines when a person is considered “identified or identifiable.” It distinguishes between direct and indirect identifiers, introduces the legal threshold for identifiability (Recital 26), and explains the roles of anonymization, pseudonymization, and data aggregation in determining whether data falls under the GDPR.
This lecture addresses the final component: “natural person.” While the GDPR does not define the term, it is interpreted according to member state laws. Recital 27 clarifies that the GDPR does not apply to deceased individuals.
This lecture covers special categories of personal data under GDPR, including race, ethnicity, political opinions, religion, trade union membership, genetic, biometric, and health data, and sexuality. These categories require heightened protections due to the significant risks they pose to individuals’ rights and freedoms. It also addresses context-specific processing, such as inferring sensitive data using AI, which triggers Article 9 protections.
This lecture introduces the distinction between data controllers and processors. Controllers determine the purpose and means of processing and bear the bulk of GDPR responsibilities. Processors act on behalf of controllers and must ensure compliance with cross-border transfer rules and data security, notifying controllers in the event of a breach.
This lecture unpacks the definition of a data controller, emphasizing that it can be any entity (natural or legal) that determines the purposes and means of processing. It highlights that the factual role, not contractual label, is key in assessing controllership. Real-world examples illustrate how controllers are identified by their role in processing decisions.
This lecture explores joint controllership, the distinction between essential and non-essential means of processing, and the full scope of processing activities. Essential means—like data types and retention periods—are determined by the controller, while non-essential decisions—such as software choice—may be delegated to processors. It provides real-world scenarios involving multiple actors in the data lifecycle.
This lecture examines situations in which two or more entities jointly determine the purposes and means of processing. It introduces the concept of “converging decisions” and illustrates joint controllership through the Fashion ID case. It outlines how to assess joint controllership and offers best practices for allocation of responsibilities and documentation of roles.
This lecture defines a data processor as an entity that processes personal data on behalf of a controller. It distinguishes processors from employees or departments within the controller’s organization and emphasizes that the controller-processor distinction is activity-specific. It also explains when a processor becomes a controller, such as when using data for its own purposes.
This lecture outlines the GDPR’s Article 28 requirements for contracts between controllers and processors. Contracts must specify processing purposes, data types, security measures, and conditions for sub-processing. Processors must act only under the controller’s instructions, assist with data subject rights, and delete or return data upon contract termination.
This lecture explores the requirements of Article 26(1) for joint controllers. It emphasizes the need to clearly allocate responsibilities, ensure compliance coverage, and coordinate on legal bases, data protection principles, breach notifications, and communication with data subjects and supervisory authorities.
This lecture defines data processing as any operation performed on personal data, including collection, storage, use, and deletion. Under Article 2, the GDPR applies when processing is automated or part of a structured filing system. It introduces the idea of the data life cycle as a framework for understanding processing activities.
This lecture introduces the CIA Triad—Confidentiality, Integrity, and Availability—as the foundation of information security. It contrasts information security with cybersecurity, presents the DAD (Disclosure, Alteration, Destruction) threat model, and categorizes security controls as administrative, technical, or physical.
This lecture defines risk management as the identification, assessment, and mitigation of potential harm. It introduces a standard methodology using a risk score (severity × probability) and distinguishes between risks, threats, and controls. Two illustrative examples are used to show how controls mitigate different risks.
This lecture defines a data subject as an identified or identifiable natural person, per the GDPR. Recital 14 clarifies that the GDPR applies regardless of nationality or residence but does not cover legal persons or deceased individuals—though member states may extend protections posthumously.
This lecture outlines the evolution of US-EU data transfer agreements: Safe Harbor, Privacy Shield, and the current EU-US Data Privacy Framework. It highlights key events like the Snowden revelations, Schrems I and II rulings, and explains transfer mechanisms such as adequacy decisions, SCCs, and derogations.
This lecture explains how organizations can use a risk-based approach to prioritize security investments. It contrasts this with compliance-driven and maturity models, and emphasizes features like tailored controls, ongoing monitoring, and alignment with business objectives to manage resources efficiently and protect critical assets.
This lecture introduces three security domains: Preventative, Incident Detection and Response, and Remedial. It explores potential incidents (e.g., phishing, insider threats), outlines appropriate technical and organizational controls for each domain, and emphasizes the importance of post-incident learning and continuous system improvement.
This lecture explains the controller-processor relationship under GDPR Article 28. It emphasizes the requirement for controllers to select only processors that provide “sufficient guarantees” to implement appropriate technical and organizational measures. It introduces key controls such as contracts, evidence of competence (e.g., certifications), and assurance mechanisms like audits and due diligence.
This lecture outlines the requirements for notifying supervisory authorities of personal data breaches under Articles 33 and 34. It defines a breach, identifies notification triggers, and stresses timely reporting (within 72 hours). WP29 and EDPB guidelines are presented to help assess risk severity based on breach type, data sensitivity, and identifiability.
This lecture expands on breach notification procedures, detailing what must be reported: nature and scope of the breach, categories and volume of data, DPO contact info, likely consequences, and mitigation measures. It also explains that processors must report incidents to controllers, who are then responsible for assessing risk and notifying authorities.
This lecture explains when controllers must notify individuals of a data breach—specifically when it poses a “high risk” to their rights and freedoms. It outlines three exceptions to this requirement and gives examples of high-risk scenarios. It also presents key assessment factors like data sensitivity, identifiability, and impact on vulnerable groups.
This lecture introduces risk assessments as structured processes to identify, evaluate, and prioritize threats. It references NIST CSF 2.0 and the IAPP’s privacy operational life cycle (Assess, Protect, Sustain, Respond). It explains how to begin an assessment, including data mapping, inventory creation, legal basis documentation, and cataloging controls.
This lecture emphasizes the importance of a strong security culture supported by leadership, cross-functional teams, and employee lifecycle policies. It explains the layered approach to governance—policy (high-level rules), process (implementation steps), and procedure (detailed tasks)—and contrasts policy-based versus operations-based regulatory models.
This lecture explores the controller’s responsibility to engage reliable processors and manage supply chain risks. It covers processor selection, pre-contract due diligence, and contract requirements such as system security plans, risk assessments, data handling terms, and breach response obligations. Continuous monitoring and assurance mechanisms are also discussed.
This lecture introduces the structure of an effective incident response plan, including stakeholder roles, reporting thresholds, training, tabletop exercises, metrics, and a codified playbook. It also outlines key requirements: executive approval, organization-wide buy-in, and regular review and updates.
This lecture outlines the rights granted to data subjects under the GDPR—such as access, rectification, erasure, portability, and objection—and the process for submitting Data Subject Requests (DSRs). It also covers identity verification requirements and details the expected content of a proper DSR.
This lecture covers GDPR deadlines and formats for responding to DSRs. Controllers must confirm receipt and respond within one month, with a possible two-month extension for complex cases. Electronic communication is preferred, though reasonable requests for alternative formats (e.g., hard copy) must be accommodated.
This lecture explains individuals’ right under data protection law to access their personal data from data controllers. It outlines the types of information that must be provided, such as processing purposes and data categories, and emphasizes operational best practices for responding to data subject requests (DSRs) efficiently and securely.
This lecture reviews the EDPB’s guidance on transparency in targeted advertising. It emphasizes the need for individuals to identify who is targeting them, understand the data used for profiling, and access the profiles created about them—especially on social media platforms.
This lecture covers individuals’ right to correct inaccurate personal data. It defines what constitutes “inaccurate” data, outlines the acceptable request formats, required response timelines, grounds for rejecting requests, and the obligation to inform third parties when corrections are made.
This lecture explores the “right to be forgotten” under GDPR. It details when individuals can request deletion of their personal data, exceptions to this right, responsibilities for notifying third-party controllers, implications for backup systems, and guidelines for search engine delisting and refusal.
This lecture discusses two key data subject rights: restricting processing and data portability. It explains when processing may be limited and what that entails, and outlines how individuals can request their data in portable, machine-readable formats for transfer between service providers.
This lecture outlines the right of individuals to object to data processing, including procedures for submitting objections and operational responses. It also covers the right not to be subject to automated decision-making (ADM), detailing when ADM is permissible and what safeguards must be in place to protect data subjects.
This lecture examines EDPB Opinion 22/2024, which clarifies a controller’s responsibilities when relying on processors and sub-processors. It emphasizes that controllers remain ultimately accountable, must know the identities and contact details of all processors and sub-processors, and must verify sufficient guarantees regardless of risk level. Controllers do not need to systematically review sub-processing contracts but may assess this case-by-case. For third-country transfers between sub-processors, controllers must ensure appropriate documentation exists. Contracts should ensure processors only act on documented instructions, and the EDPB recommends—but does not mandate—adding this language to reinforce GDPR compliance.
This lecture introduces the foundational principles of data protection under GDPR Article 5. It covers key principles such as lawfulness, fairness, transparency, purpose limitation, and data minimization, and discusses how the GDPR enhances accountability and compliance requirements compared to earlier frameworks.
This lecture explores two core data processing principles: lawfulness and fairness. It explains the six legal bases for processing, how fairness ensures transparency and informed consent, and provides real-world examples of lawful and unlawful practices, including justified instances of negative impact on data subjects.
This lecture emphasizes the importance of clear, open, and understandable communication from data controllers to data subjects. It discusses when and how information should be provided, and outlines exceptions to notification requirements, such as for legal privilege or disproportionate effort.
This lecture focuses on the requirement that data be collected for specific, explicit, and legitimate purposes. It details how secondary processing must align with the original purpose, the criteria for determining compatibility, and includes practical examples of both lawful and unlawful further processing.
This lecture covers the principle that only data which is relevant, adequate, and necessary for a stated purpose should be collected and processed. It introduces the concepts of necessity and proportionality, using examples to illustrate how to limit data collection to what is truly required.
This lecture emphasizes the obligation of data controllers to maintain accurate, complete, and current personal data. It covers the importance of verifying data during collection, evaluating source reliability, correcting errors, and maintaining records of those corrections throughout the data life cycle.
This lecture explains the principle that personal data should only be retained as long as necessary for its intended purpose. It discusses statutory retention periods, the role of internal policies, and the importance of secure deletion practices, especially when working with IT and third-party vendors.
This lecture outlines how organizations must preserve the integrity and confidentiality of personal data. It covers safeguards such as pseudonymization, encryption, and adherence to international security standards to ensure data remains accurate, unaltered, and protected from unauthorized access or disclosure.
This lecture introduces the six lawful bases for processing personal data under the GDPR: consent, contract, vital interest, legal obligation, public interest, and legitimate interest. It also includes guidance from the UK ICO, including a three-part test for using legitimate interest as a lawful basis.
This lecture provides a detailed look at consent as a legal basis for processing. It defines consent and outlines its key requirements—freely given, specific, informed, and unambiguous. The lecture contrasts good and bad examples to clarify what valid consent looks like in practice.
This lecture expands on the elements of valid consent under the GDPR. It details the requirements for consent to be freely given, specific, informed, and unambiguous. It also explains the importance of clear presentation, how consent must be distinguishable from other terms, and why opt-out mechanisms do not meet legal standards.
This lecture addresses additional factors impacting the validity and management of consent. It explains how to demonstrate evidence of consent, identifies situations where consent may be invalid (such as under coercion or with vulnerable populations), outlines rules for children’s consent, and discusses consent renewal timelines.
This lecture introduces special categories of personal data—such as health, genetics, political views, and biometrics—and explains that processing them is generally prohibited unless specific exceptions apply. It emphasizes the need to meet both Article 6 and Article 9 GDPR requirements when processing sensitive data.
This lecture examines the first five exceptions allowing the processing of special category data: explicit consent, employment law, vital interests, not-for-profit bodies, and public disclosure. It explains the conditions for each exception and highlights the need for specificity and clarity when relying on consent.
This lecture covers the remaining exceptions to processing sensitive data: legal claims, substantial public interest, health and social care, public health, and archiving or research. It discusses legal definitions, member state guidance, and the requirement for safeguards like pseudonymization when processing under these exceptions.
This lecture explores two niche areas of GDPR: data related to criminal offenses and penalties, and scenarios where identification of the data subject is unnecessary. It covers Articles 10 and 11, explaining how these provisions support data minimization and reduce operational burdens for controllers.
This lecture reinforces the importance of transparency in data processing. It explains how fair processing information supports valid consent and lawful processing, outlines what data subjects should be told, and highlights the connection between transparency and the legitimate interest legal basis.
This lecture reviews the GDPR’s notice requirements when collecting personal data directly (Article 13) or indirectly (Article 14). It outlines the specific information that must be provided, the rights of data subjects, and additional requirements for automated decision-making and international data transfers.
This lecture compares the nuances between Articles 13 and 14, emphasizing differences in timing, required content, and conditions under which certain information can be omitted. It also discusses when additional notice is required, such as during secondary processing or in joint controller arrangements.
This lecture focuses on the qualities and delivery of privacy notices. It explains what makes a notice effective—such as clarity, accessibility, and plain language—and the acceptable mediums for delivery, including visuals and multimedia. It also addresses cost considerations and formatting rules for bundled disclosures.
This lecture explains when organizations may be exempt from providing fair processing information under Articles 13, 14, and 23 of the GDPR. It discusses conditions like impossibility, disproportionate effort, and the risk of frustrating legal or investigative objectives. It also outlines broader national security and public interest exemptions under Article 23.
This lecture covers the ePrivacy Directive’s requirements for disclosing the use of cookies and similar technologies. It defines “similar technology,” outlines user consent requirements, and emphasizes the need for full transparency in explaining tracking tools such as pixels, fingerprinting, and IP tracking.
This lecture highlights how effective privacy notices can benefit organizations by building trust and reducing complaints. It presents different notice formats—layered, just-in-time, and dashboards—and discusses creative strategies for emerging technologies like wearables and drones to ensure data subjects are informed.
This lecture outlines the responsibilities and competencies required of a Data Protection Officer (DPO) under GDPR. It explains the DPO’s independence, reporting structure, and duties such as advising on compliance, monitoring practices, and acting as the point of contact with supervisory authorities.
This lecture explains GDPR’s limitations on transferring personal data outside the EU/EEA. It details the required conditions—such as adequacy decisions, safeguards, and exceptions—and notes the impact on global organizations, many of which align with GDPR standards to facilitate international operations.
This lecture distinguishes between “data transfer” and “transit” in the context of GDPR, even though neither term is formally defined. It explains that transfers involve intentional accessibility to third countries, while transit involves passive routing through infrastructure without access—thus not triggering cross-border transfer requirements.
This lecture explains adequacy decisions as a mechanism for legal cross-border data transfers. It covers the criteria used by the European Commission—rule of law, supervisory authorities, and international commitments—and the step-by-step process for designating a country or organization as offering adequate protection.
This lecture recounts the origins and collapse of the Safe Harbor framework, highlighting events like the Snowden revelations and the Schrems I decision. It illustrates how concerns about U.S. surveillance and insufficient protections led to the invalidation of the EU-U.S. data transfer agreement in 2015.
This lecture continues the EU-U.S. data transfer timeline, examining the Privacy Shield framework, its shortcomings, and the Schrems II ruling that invalidated it. It concludes with the EU-U.S. Data Privacy Framework and Executive Order 14086, which aim to address surveillance concerns and restore lawful data flows.
This lecture introduces Standard Contractual Clauses (SCCs) as a key tool for cross-border data transfers. It explains modular SCC formats based on the roles of parties, and emphasizes the importance of conducting a Transfer Impact Assessment (TIA) to evaluate legal risks and adopt supplementary measures when needed.
This lecture introduces voluntary tools organizations can use to demonstrate GDPR compliance. It explains how sector-specific Codes of Conduct are developed, approved, and monitored, and outlines the certification process, including eligibility requirements and well-known schemes like EuroPriSe and Europrivacy.
This lecture covers Binding Corporate Rules (BCRs) as a mechanism for multinational organizations to lawfully transfer personal data within their corporate group. It describes the “consistency mechanism” for approval by data protection authorities and details the comprehensive requirements for BCR content and governance.
This lecture explains the limited exceptions, or derogations, that permit cross-border data transfers without adequacy decisions or safeguards. It outlines permissible conditions—such as explicit consent, contract performance, legal claims, and non-repetitive transfers—and emphasizes that derogations should only be used in exceptional, case-specific circumstances.
This lecture covers EDPB Guidelines 1/2024, which clarify how to use legitimate interest as a lawful basis for processing personal data. It outlines the three key conditions: (1) the existence of a legitimate interest, (2) necessity of processing to achieve that interest, and (3) no overriding interests or rights of the data subject. The lecture explains factors for balancing tests, including the nature of the interest, the data subject’s expectations, and safeguards to minimize risk. Practical examples include fraud prevention, direct marketing, and ensuring information security.
This lecture defines what constitutes an “establishment” under GDPR Article 3(1). It explains how even minimal but stable business activity in the EU can trigger GDPR applicability, regardless of legal form. The lecture draws on EDPB guidance and CJEU rulings to emphasize the importance of context and intended audience.
This lecture clarifies when data processing is considered to occur “in the context of” an EU establishment’s activities. It outlines a two-part test and explains applicability regardless of data subject nationality or residence. It also distinguishes controller and processor responsibilities in cross-border setups.
This lecture focuses on Article 3(2) and when non-EU organizations become subject to the GDPR due to targeting. It defines targeting as the intentional offering of goods or services to individuals in the EU and discusses the importance of clear intent versus incidental access.
This lecture explores the GDPR’s applicability to monitoring behaviors of individuals in the EU under Article 3(2)(b). It defines monitoring broadly, covering both online (e.g., cookies, tracking) and offline (e.g., interviews, health assessments) activities, and notes that intentionality is not required for applicability.
This lecture explains GDPR’s extraterritorial application via public international law—covering entities like embassies, consulates, ships, and planes. It also outlines how UK data protection law mirrors the GDPR post-Brexit, affecting non-UK organizations that target or monitor UK residents.
This lecture explains the GDPR’s material scope—i.e., the types of data processing it covers. It includes both automated and manual processing of personal data and outlines exceptions such as public security, defense, national security, and foreign policy-related activities, which fall outside Union law.
This lecture expands on the material scope exemptions, including the household exemption (purely personal use), crime-related exemptions for competent authorities, and the exclusion of EU institutions from GDPR coverage. It also introduces the applicable legal frameworks that fill these gaps, such as the Law Enforcement Directive and Regulation 2018/1725.
This lecture explores how the GDPR intersects with the ePrivacy and E-Commerce Directives. It explains how these legal frameworks coexist, emphasizing the GDPR’s focus on personal data, while the others govern electronic communications and online services. Overlaps are highlighted through real-world examples like social media and web hosting.
This lecture defines accountability as both compliance with legal obligations and the ability to demonstrate that compliance through evidence. It covers Articles 5 and 24, emphasizing internal governance, training, and high-risk processing, and encourages a risk management culture to meet regulatory expectations.
This lecture outlines what organizations should include in an internal privacy policy. It explains how to define scope, articulate a policy statement, and assign responsibilities to both employees and management. It also details protocols for incident reporting and consequences for non-compliance.
This lecture focuses on how organizations should assign privacy-related responsibilities and train staff. It highlights the importance of documenting internal privacy program structures and describes how role-specific training helps employees understand and apply privacy policies and procedures effectively.
This lecture explains the concept of embedding privacy protections into the development and operation of systems and services. It covers the legal obligation under Article 25 of the GDPR and outlines controls such as data minimization, pseudonymization, and default privacy settings that limit unnecessary data processing.
This lecture outlines GDPR’s requirements for maintaining Records of Processing Activities (RoPA) under Articles 30 and 31. It distinguishes between controller and processor obligations, details required documentation, and notes exemptions for small organizations—except when high-risk or sensitive data is involved.
This lecture covers DPIAs as a tool for identifying and mitigating privacy risks in projects involving high-risk data processing. It explains when DPIAs are required, the elements they must include, and the obligation to consult the DPA if residual risks remain after mitigations are applied.
This lecture explains when a Data Protection Officer (DPO) must be appointed, particularly in cases involving public authorities or large-scale, systematic data processing. It defines key terms like “core activity” and “systematic monitoring” and describes criteria for designating a group-wide DPO.
This lecture explores self-regulation as a means of GDPR compliance, emphasizing internal enforcement, accountability, and the role of Data Protection Officers (DPOs). It also highlights key GDPR provisions—including Articles 28, 33–35—that reinforce a risk-based approach and clarify controller–processor relationships.
This lecture introduces voluntary codes of conduct as tools for demonstrating GDPR compliance. It outlines their benefits—such as trust-building and sector-specific guidance—and details the drafting and approval process, ongoing monitoring, and the supervisory authority’s role in oversight.
This lecture continues the discussion by explaining how certification schemes function similarly to codes of conduct but offer visible seals or marks. It introduces the consistency mechanism, outlines accreditation requirements, and explains how to identify the most appropriate DPA for transnational assessments.
This lecture highlights how data subjects act as informal regulators by exercising their rights under GDPR. It discusses mechanisms like complaints, group litigation, and compensation claims, and explains the process for taking action against data controllers, processors, or even supervisory authorities.
This lecture examines the role of national supervisory authorities (DPAs) as the official enforcers of GDPR. It covers their independence, involvement in lawmaking, and wide-ranging responsibilities—from investigating complaints to evaluating DPIAs, codes of conduct, and international data transfer mechanisms.
This lecture outlines the three types of powers granted to national supervisory authorities (DPAs): investigatory, corrective, and advisory/authorization. It covers how DPAs access evidence, issue corrective actions, advise on codes and international transfers, and enforce compliance through litigation if necessary.
This lecture explains how to determine which DPA has legal authority (competence) to supervise or enforce GDPR provisions. It discusses domestic versus cross-border competence and the importance of cooperation and consistency mechanisms under Articles 57, 60, and 63.
This lecture details how DPAs collaborate on cross-border processing cases through the “one-stop-shop” model. It explains how a Lead Supervisory Authority (LSA) is chosen based on the controller’s main establishment and describes how non-lead authorities participate when local impacts arise.
This lecture outlines formal cooperation channels between DPAs—mutual assistance and joint operations—and describes how draft decisions are shared, iterated upon, and finalized. It explains how disputes are resolved collaboratively to ensure consistent application of the GDPR across member states.
This lecture introduces the European Data Protection Board (EDPB) and its central role in enforcing consistent GDPR interpretation. It details the EDPB’s authority to issue opinions, resolve disputes, initiate urgency procedures, and publish guidance in accordance with Article 70.
This lecture examines the GDPR’s tiered fine structure under Articles 83(4) and 83(5), with penalties reaching up to €20 million or 4% of global turnover. It also reviews the EDPB’s five-step method for calculating fines, considering factors like gravity, intent, and cooperation with authorities.
This lecture reviews EDPB Opinion 04/2024, which clarifies when a controller qualifies for a “main establishment” in the EU, determining eligibility for the one-stop-shop mechanism. To qualify, the location must decide on the purpose and means of processing and have the authority to implement those decisions. If key decisions occur outside the EU, no main establishment exists and the one-stop-shop does not apply. Controllers bear the burden of proof and must cooperate with supervisory authorities. Authorities may challenge a controller’s claim based on objective facts.
This lecture introduces the types of personal data collected throughout the employee life cycle—from hiring to separation—and outlines typical personnel records. It highlights member state-specific rules under Article 88 and reviews legal bases for processing employee data, including contract, legal obligation, and legitimate interest.
This lecture explores the most commonly used legal bases for processing employee data, such as contract, legal obligation, and legitimate interest. It clarifies why consent is typically invalid in the employment context due to power imbalance and emphasizes the importance of directing employees to transparent notices instead.
This lecture focuses on the handling of sensitive employee data under Article 9. It explains when such data may be lawfully processed, outlines notice requirements regardless of legal basis, and discusses proper storage practices—including varying retention timelines and access controls, particularly after employment ends.
This lecture addresses how to balance an employee’s right to privacy with an employer’s need to protect business assets. It covers background checks, data loss prevention, and the principles of necessity, legitimacy, proportionality, and transparency. It also explains when DPIAs and employee notice are required.
This lecture summarizes guidance from the Article 29 Working Party on employer monitoring practices. It outlines best practices for email and internet usage policies, employee rights, and oversight by unions or works councils. It emphasizes fair procedures when investigating misuse and accessing employee communications.
This lecture explains the role of works councils in representing employees at the organizational level. It distinguishes works councils from trade unions, outlines their legally mandated responsibilities, and highlights their involvement in data processing decisions, workplace changes, and codetermination procedures.
This lecture explores whistleblowing policies and legal obligations under both U.S. (e.g., Sarbanes-Oxley) and EU frameworks. It discusses conflicts with GDPR, the importance of DPIAs, international data transfer risks, and best practices for designing transparent, compliant whistleblower programs.
This lecture examines the privacy and security challenges of BYOD (Bring Your Own Device) programs. It covers the dual-use nature of personal devices, employer obligations as data controllers, and the critical elements of a BYOD policy, including mobile device management and remote data deletion.
This lecture introduces key surveillance principles, including the concept of surveillance capitalism. It explores how organizations, governments, and individuals monitor communications, biometrics, and locations—balancing privacy rights with public interest through regulation and case law.
This lecture focuses on surveillance through modern technologies and devices. It reviews data collected by IoT tools like smartphones, voice assistants, and wearables, and explains how this data is used for profiling, behavioral targeting, and social network analysis.
This lecture explores how surveillance is regulated under EU law, focusing on fundamental rights (CFR and ECHR), case law, and key frameworks like the Law Enforcement Directive and ePrivacy Directive. It introduces EDPB 02/2020, which outlines proportionality standards and safeguards for surveillance, and explains how Article 23 allows member states to restrict data subject rights under strict conditions.
This lecture categorizes types of communications data, including traditional forms (e.g., postal mail, spies) and telecommunications (e.g., digital messages, internet activity). It breaks down content and metadata types, such as traffic, location, and subscriber data, and explains how each is generated, transmitted, and analyzed.
This lecture reviews the conditions under which communications data may be retained. It discusses the invalidation of the Data Retention Directive by the CJEU, outlines limited exceptions where retention is still allowed, and summarizes ECtHR rulings that require end-to-end safeguards and proportionality assessments.
This lecture explains how video surveillance may rely on the “legitimate interest” legal basis. It introduces biometric data concepts, outlines lawful surveillance practices like CCTV, and describes how to conduct a Legitimate Interest Assessment (LIA) using a structured three-part test: purpose, necessity, and balancing of rights.
This lecture examines when DPIAs are required for video surveillance and how Privacy by Design (PbD) principles apply to technical setup, retention, and data handling. It also emphasizes transparency and layered notice techniques, like public signage with QR codes, to support data subject rights.
This lecture introduces biometric data and its use in identification and authentication systems. It covers forms of biometric data—including fingerprints, facial geometry, and iris scans—and distinguishes between raw formats and biometric templates. It also explores real-world applications like access control and tools such as the Worldcoin Orb.
This lecture explores location-based services (LBS) and the types of technologies that generate location data, including GPS, mobile networks, and chip-card transactions. It explains how location data is treated under the GDPR, potential sensitivities it can reveal, and its use in applications like contact tracing and driver tracking.
This lecture defines direct marketing as communication directed to specific individuals for promotional purposes. It outlines key characteristics, provides real-world examples, and distinguishes marketing from general notifications. The lecture also examines the regulatory complexity of using different channels and data sources across jurisdictions.
This lecture focuses on GDPR and ePrivacy Directive requirements for digital and non-digital marketing. It explains individuals’ right to opt out, controller responsibilities for processing opt-out requests, and the use of suppression lists to honor marketing preferences without erasing opt-out data. It also introduces “Robinson Lists” for country-level global opt-outs.
This lecture explains how personalized digital ads are delivered through first- and third-party tracking. It outlines how third-party advertising works—tracking online behavior, profiling users with cookies, and serving targeted ads—and highlights key players like advertisers, publishers, and ad networks such as Google Ads.
This lecture explains how Online Behavioral Advertising (OBA) falls under the GDPR due to its reliance on personal data like cookies and profiling. It highlights key ECJ rulings and EDPB guidelines on joint controllership between social media providers and advertisers, emphasizing the need for each party to establish its own lawful basis for processing.
This lecture outlines how the ePrivacy Directive regulates direct marketing and OBA. It covers the consent requirements under Article 5(3) for using cookies and explains how ePrivacy consent standards mirror GDPR. It also discusses the Directive’s fragmented enforcement across member states and the stalled ePrivacy Regulation proposal.
This lecture addresses direct marketing via physical mail. It clarifies that while not subject to ePrivacy laws, postal marketing still involves personal data and thus must comply with the GDPR. Consent is not always required, but the use of legitimate interest demands a balancing test considering factors like prior relationships and customer expectations.
This lecture examines rules governing business-to-business (B2B) and business-to-consumer (B2C) telemarketing. It explains that while person-to-person calls generally don’t require consent under the ePrivacy Directive, automated calls do. Member states regulate unsolicited calls and must ensure recipients can easily opt out.
This lecture discusses how digital communications like email, SMS, and MMS are regulated as “electronic mail” under ePrivacy law. It explains the opt-in consent rule and the “soft opt-in” exception for existing customer relationships. It also highlights transparency requirements, such as clearly identifying the sender and the promotional nature of messages.
This lecture explains fax marketing as the use of fax machines to send unsolicited advertising or promotional messages. Like email and SMS, it requires opt-in consent and a fair processing notice. Both GDPR and the ePrivacy Directive apply, with variations between B2B and B2C contexts and additional rules set by member states.
This lecture defines location data and how it’s used in marketing to target users based on geographic position. It covers the legal basis under GDPR and ePrivacy, the requirement for explicit, informed opt-in consent, and the obligation to allow simple and ongoing consent withdrawal, particularly when users re-enter a monitored location.
This lecture introduces cloud computing as the use of third-party infrastructure for on-demand services. It describes three models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Benefits include scalability, cost-efficiency, and ease of management, with analogies drawn to leasing versus owning resources.
This lecture applies GDPR to cloud computing. It explains territorial scope (Articles 3(1) and 3(2)), the roles of controllers and processors, and the distinction between essential and non-essential means of processing. “Establishment” is defined as a stable, real, and effective presence—regardless of whether processing takes place inside the EU.
This lecture outlines GDPR-compliant cloud contracts and cross-border transfer mechanisms. It specifies contract elements like breach notification, DSR support, audit rights, and data deletion. For international transfers, it discusses SCCs, BCRs, certifications, and the EU Cloud Code of Conduct, which is limited to B2B processor services and excludes third-country transfers.
This lecture explains cookie and tracking technology rules under Article 5(3) of the ePrivacy Directive. It covers types of technologies (cookies, pixels, device fingerprinting), consent requirements, and distinctions between first- and third-party cookies. Consent must be informed, prior, and freely given—pre-checked boxes or implied consent (e.g., scrolling) are invalid.
This lecture introduces IP addresses as unique numerical labels for devices on a network. It distinguishes between static and dynamic IPs and explains how IP addresses can become personal data when linked with other identifiers. Aggregated logs (e.g., IP + email) may reveal an individual’s identity and online behavior.
This lecture defines search engines and details the types of data they process: IP addresses, cookies, search history, and indexed content. WP29 concerns include excessive data retention, vague purposes for processing, cross-service aggregation (e.g., Google ecosystem), and application of data subject rights—even for unregistered users.
This lecture defines social media and explores data controllership among platforms, third parties, and advertisers. It explains limits of the GDPR’s household exemption, stresses layered and interactive notice requirements, and discusses joint controllership, requiring parties to clearly define shared responsibilities and inform users of the arrangement.
This lecture addresses the legal basis for processing on social media platforms, including Article 9(2)(e) for manifestly public data. It discusses data subject access, third-party data (e.g., tagging non-users), and special protections for children’s data under Article 8 and the UK’s Age-Appropriate Design Code.
This lecture explains how targeted ads use behavioral profiling and data aggregation to predict user needs and preferences. It explores the adtech ecosystem, legal bases under GDPR, and challenges with providing notice—especially where no direct relationship exists. It also addresses risk mitigation and Article 22 obligations concerning automated decision-making.
This lecture addresses the privacy implications of mobile apps, including the use of device sensors, location data, and fingerprinting techniques to track users. It outlines the roles of app ecosystem participants, notice design for small screens, and challenges in obtaining valid consent due to the sensitive and multifaceted nature of app-based data processing.
This lecture defines the IoT as a network of physical objects that collect and share data via sensors and connectivity. It highlights legal issues under GDPR and the ePrivacy Directive, especially around terminal equipment. It also covers challenges in providing notice and securing IoT devices, which often lack interfaces and are difficult to patch.
This lecture introduces AI concepts and regulatory frameworks. It explains how AI systems function via machine learning, the applicability of GDPR and ePrivacy, and legal bases for AI training and personalization. It also discusses special categories of data, Article 22 on automated decisions, and the EU AI Act’s risk-based regulatory approach enacted in 2024.
* Fully updated and comprehensive coverage of version 1.3.3 of the CIPP/E Body of Knowledge (July 2026). *
Welcome to the CIPP/E Certification Masterclass. My name is Dr. Kyle David. I'm here to help you pass your CIPP/E certification exam.
Getting your CIPP/E certification is an excellent career move.
The CIPP/E certification is the gold standard for data privacy and data protection.
Demand for qualified privacy professional's worldwide is BOOMING.
The average salary for privacy professionals is USD $146,000.
This CIPP/E course covers all 5 domains in comprehensive detail. The 5 domains are:
Introduction to European Data Protection
European Data Protection Law and Regulation
European Data Processing
European Data Protection: Scope & Accountability
Compliance with European Data Protection Law and Regulation
This course includes:
17+ hours of CIPP/E video lectures: Comprehensive coverage of all 5 domains.
400 scenario-based practice questions. Test your comprehension as you progress through the course.
Free downloadable CIPP/E study guides: Made from my lecture slides.
Access to Dr. David's Discord channel: To get live support from me and others as you prepare for the CIPP/E exam.
CIPP/E Mnemonics: To help you remember key details for the exam.
An automatic certificate of completion: To flex on your friends, family, and colleagues.
30-day no questions asked, money-back guarantee.
Offline video viewing on the Udemy mobile app.
Start your CIPP/E certification journey today and let me help YOU get certified!