
CIPP/E Body of Knowledge (2024-2025)

Are you thinking about getting CIPP/E certified?



Maybe you've decided to pursue the Certified Information Privacy Professional / Europe (CIPP/E) certification, or you’re simply exploring the idea. Either way, a smart first step is to review the Body of Knowledge (BoK)—the official overview from the International Association of Privacy Professionals (IAPP) that outlines the key topics covered on the exam.


The BoK is updated annually to reflect the ever-changing privacy landscape and to keep the exam relevant and secure. These updates are typically released in late spring or early summer.


But let’s talk about what’s new this year—and how it might affect your study plan.


When do the 2024-2025 changes take effect?


The IAPP gives test-takers ample notice—at least 90 days—before new content is reflected in the exam. This year’s updated BoK becomes effective on September 2, 2024.


Did the format change?


Not this year. While other certifications like the CIPM, CIPT, and AIGP have transitioned to a new “competency and performance indicator” format, the CIPP/E BoK still uses the traditional nested outline. The Exam Blueprint also remains separate, detailing the expected number of questions per topic.


What’s new in the content?


Good news—most of the content remains unchanged. According to the IAPP, annual BoK updates usually introduce no more than 10–15% new material.


The Three Core Domains Stay the Same:


  • Domain I: Introduction to European Data Protection

A. Origins and Historical Context of Data Protection Law

B. European Union Institutions

C. Legislative Framework


  • Domain II: European Data Protection Law and Regulation

A. Protection Concepts

B. Territorial and Material Scope of the General Data Protection Regulation

C. Data Processing Principles

D. Lawful Processing Criteria

E. Information Provision Obligations

F. Data Subjects’ Rights

G. Security of Personal Data

H. Accountability Requirements

I. International Data Transfers

J. Supervision and Enforcement

K. Consequences for GDPR Violations


  • Domain III: Compliance with European Data Protection Law and Regulation

A. Employment Relationship

B. Surveillance Activities

C. Direct Marketing

D. Internet Technology and Communications


The structure and main topic areas within each domain are unchanged. However, four new subtopics have been added:


Section I.C.6.a – The EU Data Act and its relationship with the GDPR

Section III.A.7 – Risks in employee data (e.g., social media, AI systems)

Section III.B.5.a – Guidelines on facial recognition in law enforcement (05/2022)

Section III.D.4.a.i – Guidelines on dark patterns in social media interfaces (3/2022)


Additionally, a naming update: the “Trans-Atlantic Privacy Framework” is now referred to as the EU-US Data Privacy Framework.


Two more topics are not explicitly in the BoK but are referenced by the IAPP as relevant:

  • GDPR’s interaction with other global laws (U.S., U.K., Switzerland, Germany)

  • Ransomware breach notification protocols


Changes to Exam Question Distribution


There is a shift in the number of questions per domain. Domain I will now include 7–13 questions (up from 4–10), increasing its weight on the exam. This change reduces emphasis on some areas of Domains II and III, particularly:

  • Data processing principles

  • Information provision obligations

  • Supervision and enforcement

  • GDPR violation consequences

  • Direct marketing


Some areas are receiving more emphasis, including:

  • The historical development of EU data protection

  • Legislative framework

  • Data subject rights

  • Security of personal data

