2025 CIPP/E Prep Suite Updates
Each year, the IAPP updates the CIPP/E curriculum to reflect the evolving interpretation of the GDPR and new guidance from the European Data Protection Board (EDPB). If you're preparing for the exam on or after 2 September 2025, these updates are important. Fortunately, the 22Academy CIPP/E Prep Suite has already been updated to include all relevant changes.
This article explains what has changed in the curriculum and how we have reflected these changes in the course materials. Whether you're already enrolled or considering certification, you'll find that our training remains both complete and easy to follow.
Curriculum Structure: An Administrative Change
The most visible update in the 2025 curriculum is the division of Domain II (about the GDPR) into three more specific domains:
- Rights and Principles
- Compliance Requirements
- Corporate Application of the GDPR
This change is purely administrative. The actual content covered in the exam remains the same. For this reason, the structure of the Prep Suite has not been altered. You will continue to study the same 9 modules and 21 lessons in the same logical order as before.
So why does this change matter?
From September 2025 onwards, your exam results will show your score per domain, using the new five-domain format instead of the old three. This gives you better insight into which areas are strong and which may need improvement, should you need to retake the exam. That said, we aim to make sure that will not be necessary.
There is also one important clarification about scoring. In the past, it was assumed that you needed to pass each domain individually to pass the overall exam. This is no longer the case. You only need to achieve a total score of 300 out of 500. It does not matter how your score is distributed across the domains.
Lesson 7 – Legitimate Interest
One of the most significant changes in the 2025 CIPP/E curriculum is the inclusion of EDPB Guidelines 1/2024 on the concept of legitimate interest. This lawful basis for processing under Article 6(1)(f) is widely used but often misunderstood.
The new guidance introduces a clear three-part test:
- Legitimate interest must be real, specific, and lawful.
- Necessity requires that the processing is strictly required to achieve that interest.
- Balancing involves weighing the interest against the data subject’s rights and freedoms.
Our course now explains this framework in detail and helps you understand when this basis applies, what documentation is needed, and why certain purposes (such as behavioural advertising) may no longer qualify under this basis without further safeguards.
Tip: a summary of this EDPB Guideline has been added to the EDPB Guidelines Booklet as well.
Lesson 11 – Privacy and Security Incidents
The 2025 update places stronger emphasis on distinguishing between general security incidents and personal data breaches as defined in Article 4(12) GDPR. This distinction matters because only certain breaches trigger notification obligations under Articles 33 and 34.
You’ll now find clearer explanations in the lesson on:
- When controllers must notify the supervisory authority within 72 hours
- When data subjects must be informed
- What the notification must contain
- The processor’s duty to inform the controller without undue delay
- How to document all breaches, even those not subject to notification
This content is important not only for exam success but also for managing incidents in real-life professional settings.
Lesson 12 – Contracts and Processors
With the inclusion of EDPB Opinion 22/2024, the 2025 curriculum adds depth to the responsibilities of controllers and processors under Article 28 GDPR, especially in multi-tiered processing chains.
The opinion clarifies:
- Controllers must authorise or object to the use of sub-processors
- Processors remain fully liable for sub-processor compliance
- Contracts must be updated to reflect chain accountability, including audit rights, DPIA cooperation, and documentation of sub-processing arrangements
- Controllers may not transfer accountability downstream
These updates have been incorporated into the lesson on compliance and contracts, offering practical advice on how to structure agreements and monitor responsibilities across vendor relationships.
Lesson 16 – Main Establishment and the Lead Supervisory Authority
One of the more technical but important additions in the 2025 update comes from EDPB Opinion 04/2024, which explains how organisations must determine their main establishment under the GDPR.
This is critical for identifying the Lead Supervisory Authority (LSA) in cross-border cases. The opinion sets out a three-part test that examines:
- Where decisions on the purposes and means of processing are made
- Whether these decisions are actually implemented at that location
- Whether the organisation can prove this structure through documentation and governance records
A new section has been added to the lesson on supervision and enforcement, helping you understand how the one-stop shop works in practice and what can happen if an organisation claims LSA status without proper justification.
Lesson 21 – AI and GDPR
As artificial intelligence becomes increasingly embedded in business operations, the GDPR’s application to AI systems is receiving more attention.
The updated curriculum now makes clear that:
- All GDPR principles apply to AI, including lawfulness, fairness, transparency, data minimisation, and purpose limitation
- AI systems that involve automated decision-making must be explainable and subject to appropriate oversight
- Data Protection Impact Assessments (DPIAs) are crucial for high-risk use cases
- Human involvement should be designed into the system when decisions have significant legal or personal effects
This lesson now includes guidance on how to align AI development and deployment with GDPR requirements. It also introduces the upcoming EU AI Act and explains how it complements data protection law.
How Will You Know What Content Has Been Updated?
In each lesson where updated material has been added, you will see a short notice at the top of the section. This notice will tell you:
- Whether the material reflects new guidance (e.g. from the EDPB)
- Whether it applies only to exams from September 2025 onward
- Whether it goes beyond what was required in earlier exams
This allows you to focus your study with confidence, no matter when you take the exam.
Your CIPP/E Preparation is Fully Up to Date
We are committed to ensuring that the 22Academy CIPP/E Prep Suite always reflects the most current interpretations of the GDPR. All new guidance and opinions that are part of the 2025 curriculum have been fully integrated.
There is no need to delay your preparation or wait for new materials to be published. Everything you need is already in the course, and clearly marked where updates apply.
Our goal remains unchanged: to help you pass the CIPP/E exam on your first attempt, with clarity, structure, and support.