CIPP Certification Exam Questions & Answers, Certified International Purchasing Professional | SPOTO

Explore our extensive collection of CIPP Certification Exam Questions & Answers at SPOTO. From comprehensive practice tests to detailed exam practice materials, we offer a wide range of resources to support your preparation journey. Access free tests, online exam questions, sample questions, and exam dumps meticulously curated to enhance your understanding of key concepts. Our mock exams provide valuable insights into the exam format and help you gauge your readiness for the real test. With our latest practice tests, you can effectively prepare to pass the Certified Information Privacy Professional/Europe (CIPP/E) certification exam with confidence. Our exam materials cover essential topics such as European privacy laws, regulations, and legal requirements for the transfer of sensitive personal data across borders. Trust SPOTO to equip you with the knowledge and skills needed to succeed in your certification journey.

Question #1
In 2014, Google was alleged to have violated the Family Educational Rights and Privacy Act (FERPA) through its Apps for Education suite of tools. For what specific practice did students sue the company?
A. Scanning emails sent to and received by students
B. Making student education records publicly available
C. Relying on verbal consent for a disclosure of education records
D. Disclosing education records without obtaining required consent
Correct Answer: B

Question #2
A large online bookseller decides to contract with a vendor to manage Personal Information (PI). What is the least important factor for the company to consider when selecting the vendor?
A. The vendor’s reputation
B. The vendor’s financial health
C. The vendor’s employee retention rates
D. The vendor’s employee training program
Correct Answer: B
Question #3
What was the basis for the "TrustSg" mark, which was designed to build confidence in e-commerce transactions before the PDPA was enacted?
A. The Fair Information Practice Principles
B. The Model Data Protection Code
C. The Electronic Transactions Act
D. The 1995 European Directive
Correct Answer: A
Question #4
What does NOT need to be considered when determining the retention schedule for sensitive personal data?
A. Business needs
B. Amount of data
C. Storage capacity
D. Regulatory requirements
Correct Answer: A
Question #5
Which provision of Hong Kong's Personal Data (Privacy) Ordinance (PDPO) strengthens the purpose limitation principle (DPP3)?
A. Notice; because the data subject must be provided with the purpose of the collection
B. Public domain; because the data subjects must agree to the purpose before their information is made publicly available
C. Prescribed consent; because the data subject must give express consent to their personal information being used for additional purposes
D. Finality; because the purpose for collection of personal information from the subject must be directly related to a function of the collector
Correct Answer: A
Question #6
Which of the following federal agencies does NOT enforce the Disposal Rule under the Fair and Accurate Credit Transactions Act (FACTA)?
A. The Office of the Comptroller of the Currency
B. The Consumer Financial Protection Bureau
C. The Department of Health and Human Services
D. The Federal Trade Commission
Correct Answer: C
Question #7
Under India's IT Rules 2011, data subjects have the right to correct inaccuracies in personal information collected about them only if?
A. They are also the providers of the information
B. They confirm their consent to maintain the information
C. They are able to prove the legitimacy of the corrections
D. They request the corrections within a specified amount of time
Correct Answer: A
Question #8
SCENARIO – Please use the following to answer the next question: Bharat Medicals is an established retail chain selling medical goods, with a presence in a number of cities throughout India. Their strategic partnership with major hospitals in these cities helped them capture an impressive market share over the years. However, with lifestyle and demographic shifts in India, the company saw a huge opportunity in door-to-door delivery of essential medical products. The need for such a service was confirmed by
A. Prescription details
B. Location data
C. Nationality
D. Religion
Correct Answer: D
Question #9
Both Sections 72 and 72A of India's IT Act 2000 involve unauthorized access of personal information. One main difference between the sections is that 72A does what?
A. Stipulates that disclosure has to have occurred
B. Specifies imprisonment as a possible penalty
C. Adds a provision about wrongful loss or gain
D. Includes the concept of consent
Correct Answer: C
Question #10
SCENARIO – Please use the following to answer the next question: Dracarys Inc. is a large multinational company with headquarters in Seattle, Washington, U.S.A. Dracarys began as a small company making and selling women's clothing, but rapidly grew through its early innovative use of online platforms to sell its products. Dracarys is now one of the biggest names in the industry, and employs staff across the globe, and in Asia has employees located in both Singapore and Hong Kong. Due to recent management re
A. That the vendor submits for approval from Dracarys a privacy notice explaining how personal data will be protected under the Indian Information Technology Act
B. That the vendor files requests for transfer of personal data out of India through the offices of the privacy commissioners of Hong Kong and Singapore
C. That the vendor is bound by legally enforceable obligations to provide the personal data a standard of protection that is at least comparable to the protection under the Singapore PDPA
D. That the vendor adheres to the same sector privacy rules followed by Dracarys headquarters based in Seattle regarding the transfer of personal data
Correct Answer: B
Question #11
Which of the following is NOT excluded from the scope of Singapore's Do Not Call registry?
A. Messages that promote investment opportunities
B. Messages that conduct market research
D. Messages from political candidates
Correct Answer: B
Question #12
SCENARIO – Please use the following to answer the next question: Bharat Medicals is an established retail chain selling medical goods, with a presence in a number of cities throughout India. Their strategic partnership with major hospitals in these cities helped them capture an impressive market share over the years. However, with lifestyle and demographic shifts in India, the company saw a huge opportunity in door-to-door delivery of essential medical products. The need for such a service was confirmed by
A. It must have a privacy policy on its website describing its data processing practices
B. It must obtain consent from Bharat Medicals consumers before processing their data
C. It must process Bharat Medicals' consumer data only according to agreed contractual terms
D. It must protect against any unauthorized access to any of Bharat Medicals' consumer data that it obtained
Correct Answer: C
Question #13
In Hong Kong's revised Breach Guidance Note of 2015, what course of action did the Commissioner recommend that companies take immediately after experiencing a breach?
A. Proceed under the assumption that the breach is a threat to personal safety
B. Enlist the aid of law enforcement to determine the cause of the breach
C. Quickly issue a notification to the data subjects affected by the breach
D. Immediately gather essential information in relation to the breach
Correct Answer: A
Question #14
How are the scope of Singapore's Personal Data Protection Act and the scope of India's IT Rules similar?
A. They only apply to the private sector
B. They allow exemptions for military personnel
C. They apply to controllers and processors alike
D. They impose obligations on individuals acting in a domestic capacity
Correct Answer: D
Question #15
Which jurisdiction must courts have in order to hear a particular case?
A. Subject matter jurisdiction and regulatory jurisdiction
B. Subject matter jurisdiction and professional jurisdiction
C. Personal jurisdiction and subject matter jurisdiction
D. Personal jurisdiction and professional jurisdiction
Correct Answer: C
Question #16
In June 2011, the Hong Kong Privacy Commissioner determined that data subject consent is NOT valid if it is what?
A. Provided by the data subject solely in verbal form
B. Used for a directly related but separate purpose
C. Bundled with other terms of the agreement
D. Intended for direct marketing purposes
Correct Answer: A
Question #17
What emerged as the main reason for creating a comprehensive data protection law when Singapore ministers met between 2005 and 2011?
A. To control increasing technological threats
B. To raise Singapore's human rights standing
C. To limit the scope of governmental surveillance
D. To enhance Singapore's economic competitiveness
Correct Answer: D
Question #18
In Hong Kong, which of the following are exempt from personal data access requests until after the project to which the data is related has been concluded?
A. Hospital administrators
B. Financial institutions
C. News organizations
D. Non-profit groups
Correct Answer: C
Question #19
Which of the following describes the most likely risk for a company developing a privacy policy with standards that are much higher than its competitors?
A. Being more closely scrutinized for any breaches of policy
B. Getting accused of discriminatory practices
C. Attracting skepticism from auditors
D. Having a security system failure
Correct Answer: B
Question #20
According to Section 5 of the FTC Act, self-regulation primarily involves a company’s right to do what?
A. Determine which bodies will be involved in adjudication
B. Decide if any enforcement actions are justified
C. Adhere to its industry’s code of conduct
D. Appeal decisions made against it
Correct Answer: B
Question #21
What important action should a health care provider take if she wants to qualify for funds under the Health Information Technology for Economic and Clinical Health Act (HITECH)?
A. Make electronic health records (EHRs) part of regular care
B. Bill the majority of patients electronically for their health care
C. Send health information and appointment reminders to patients electronically
D. Keep electronic updates about the Health Insurance Portability and Accountability Act
Correct Answer: A
Question #22
Which Hong Kong body has recommended legislation that provides for the right of civil action to be taken when private information is publicly disclosed?
A. Hong Kong's Court of Final Appeal
B. Hong Kong Law Reform Commission
C. Office of the Privacy Commissioner for Personal Data
D. Standing Committee of the National People's Congress of the PRC
Correct Answer: C
Question #23
SCENARIO – Please use the following to answer the next question: Dracarys Inc. is a large multinational company with headquarters in Seattle, Washington, U.S.A. Dracarys began as a small company making and selling women's clothing, but rapidly grew through its early innovative use of online platforms to sell its products. Dracarys is now one of the biggest names in the industry, and employs staff across the globe, and in Asia has employees located in both Singapore and Hong Kong. Due to recent management re
A. The Indian Information Technology Act of 2000
B. The Hong Kong guide to monitoring personal data privacy at work
C. The Hong Kong Code of Practice on Human Resource Management
Correct Answer: C
Question #24
In which situation would a policy of “no consumer choice” or “no option” be expected?
A. When a job applicant’s credit report is provided to an employer
B. When a customer’s financial information is requested by the government
C. When a patient’s health record is made available to a pharmaceutical company
D. When a customer’s street address is shared with a shipping company
Correct Answer: B
Question #25
The “Consumer Privacy Bill of Rights” presented in a 2012 Obama administration report is generally based on?
A. The 1974 Privacy Act
B. Common law principles
C. European Union Directive
D. Traditional fair information practices
Correct Answer: A
Question #26
Which European-influenced safeguard was NOT included in Hong Kong or Singapore's personal data protection acts, but was subsequently adopted as a consideration in regulatory guidelines?
A. Controls on automated decision making
B. Additional protection for sensitive personal data
C. Legitimate interest as a legal basis for processing
D. Notice requirements when data is collected from third parties
Correct Answer: D
Question #27
SCENARIO – Please use the following to answer the next question: Bharat Medicals is an established retail chain selling medical goods, with a presence in a number of cities throughout India. Their strategic partnership with major hospitals in these cities helped them capture an impressive market share over the years. However, with lifestyle and demographic shifts in India, the company saw a huge opportunity in door-to-door delivery of essential medical products. The need for such a service was confirmed by
A. The patient cannot purchase medications from Bharat Medicals
B. The hospital has the right to refuse withdrawal of consent since it has a partnership with Bharat Medicals
C. The hospital will obtain the necessary medications from Bharat Medicals and provide them directly to patient
D. The patient can buy medications from Bharat Medicals by uploading prescription to the Bharat Medicals website
Correct Answer: A
Question #28
In Singapore, a potential employer can collect all of the following data on an individual in the pre-employment phase EXCEPT?
A. Postings from social media websites
B. Information from a background check
C. Information about the individual's children
D. The individual's university attendance records
Correct Answer: A
Question #29
What is the main reason some supporters of the European approach to privacy are skeptical about self-regulation of privacy practices?
A. A large amount of money may have to be spent on improved technology and security
B. Industries may not be strict enough in the creation and enforcement of rules
C. A new business owner may not understand the regulations
D. Human rights may be disregarded for the sake of privacy
Correct Answer: A
Question #30
In addition to adhering to the data export principle of section 43A of India's IT Act 2000, data exporters in India must also follow principles of?
A. Privity of contract
B. Disclosure limitation
C. Mandatory registration
D. Third party assessment
Correct Answer: D
Question #31
Based on the model contract released by the Privacy Commissioner for Personal Data (PDPC), Hong Kong, all of the following sections are recommended to be put into a contract to address Ordinance 33 (Data transfer/export) of Hong Kong's Personal Data Privacy Ordinance (PDPO) EXCEPT?
A. Liability and indemnity
B. Exemptions and Definitions
C. Termination of the contract
D. Obligations of the Transferee
Correct Answer: A
Question #32
All of the following organizations are specified as covered entities under the Health Insurance Portability and Accountability Act (HIPAA) EXCEPT?
A. Healthcare information clearinghouses
B. Pharmaceutical companies
C. Healthcare providers
D. Health plans
Correct Answer: B
Question #33
SCENARIO – Please use the following to answer the next question: Dracarys Inc. is a large multinational company with headquarters in Seattle, Washington, U.S.A. Dracarys began as a small company making and selling women's clothing, but rapidly grew through its early innovative use of online platforms to sell its products. Dracarys is now one of the biggest names in the industry, and employs staff across the globe, and in Asia has employees located in both Singapore and Hong Kong. Due to recent management re
D. Dracarys will have employees on the ground in India managing the systems for the functions listed above
A. Breach notification
B. Data retention periods
C. Employee recruitment process
D. Data subject consent provisions
Correct Answer: C
Question #34
What is a legal document approved by a judge that formalizes an agreement between a governmental agency and an adverse party called?
A. A consent decree
B. Stare decisis decree
C. A judgment rider
D. Common law judgment
Correct Answer: A
Question #35
Under the General Data Protection Regulation (GDPR), European Union member states may be allowed to transfer personal data to the United States in some cases. Which of the following could NOT be used as a legitimate means of doing this?
A. A consent derogation
B. A certification mechanism
C. The Safe Harbor Framework
D. Binding Corporate Rules (BCR)
Correct Answer: C
Question #36
All of the following are tasks in the “Discover” phase of building an information management program EXCEPT?
A. Facilitating participation across departments and levels
B. Developing a process for review and update of privacy policies
C. Deciding how aggressive to be in the use of personal information
D. Understanding the laws that regulate a company’s collection of information
Correct Answer: C
Question #37
SCENARIO – Please use the following to answer the next question: A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer’s data handling practices. The complainant accuses the retailer of improperly disclosing her personal data, without consent, to par
A. As a data supervisor
B. As a data processor
C. As a data controller
D. As a data manager
Correct Answer: A