IAPP CIPP-A Exam Questions

Questions for the CIPP-A were updated on : Nov 21 ,2025

Page 1 out of 6. Viewing questions 1-15 out of 90

Question 1

Cases in which an Indian company is accused of violating provisions of India's IT Act must be heard
by?

  • A. The High Court.
  • B. A Grievance Officer.
  • C. An Adjudicating Officer.
  • D. The Cyber Appellate Tribunal.
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%

Reference:
https://en.wikipedia.org/wiki/Information_Technology_Act,_2000

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 2

According to India's IT Rules 2011, a body corporate operating in India is required to appoint what
kind of authority?

  • A. A Chief Risk Officer.
  • B. A Grievance Officer.
  • C. A Data Protection Officer.
  • D. A Chief Technology Officer.
Answer:

B

User Votes:
A
50%
B
50%
C
50%
D
50%

Reference:
https://www.mondaq.com/india/privacy-protection/904916/a-review-of-the-
information-technology- rules-2011-

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 3

Section 43A was amended by India's IT Rules 2011 to include?

  • A. A definition of what constitutes reasonable security practices.
  • B. A requirement for the creation of a data protection authority.
  • C. A list of cases in which privacy policies are not necessary.
  • D. A clarification regarding the role of non-automated data.
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%

Reference:
https://tahseen.ae/media/3481/india_information-technology-reasonable-security-
practices-and- procedures-and-sensitive-personal-data-or-information-rules-2011.pdf

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 4

Which Indian institution is vested with powers under the Credit Information Companies (Regulation)
Act of 2005?

  • A. The Reserve Bank of India.
  • B. The National Housing Bank.
  • C. The Oriental Bank of Commerce.
  • D. The Securities and Exchange Board of India.
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%

Reference:
http://www.bareactslive.com/ACA/ACT416.HTM

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 5

In June 2011, the Hong Kong Privacy Commissioner determined that data subject consent is NOT
valid if it is what?

  • A. Provided by the data subject solely in verbal form.
  • B. Used for a directly related but separate purpose.
  • C. Bundled with other terms of the agreement.
  • D. Intended for direct marketing purposes.
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%

Reference:
https://thelawreviews.co.uk/title/the-privacy-data-protection-and-cybersecurity-law-
review/hong- kong

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 6

Based on the model contract released by the Privacy Commissioner for Personal Data (PDPC), Hong
Kong, all of the following sections are recommended to be put into a contract to address Ordinance
33 (Data transfer/export) of Hong Kong's Personal Data Privacy Ordinance (PDPO) EXCEPT?

  • A. Liability and indemnity.
  • B. Exemptions and Definitions.
  • C. Termination of the contract.
  • D. Obligations of the Transferee.
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 7

Which provision of Hong Kong's Personal Data (Privacy) Ordinance (PDPO) strengthens the purpose
limitation principle (DPP3)?

  • A. Notice; because the data subject must be provided with the purpose of the collection.
  • B. Public domain; because the data subjects must agree to the purpose before their information is made publicly available.
  • C. Prescribed consent; because the data subject must give express consent to their personal information being used for additional purposes.
  • D. Finality; because the purpose for collection of personal information from the subject must be directly related to a function of the collector.
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 8

Which Hong Kong body has recommended legislation that provides for the right of civil action to be
taken when private information is publicly disclosed?

  • A. Hong Kong's Court of Final Appeal.
  • B. Hong Kong Law Reform Commission.
  • C. Office of the Privacy Commissioner for Personal Data.
  • D. Standing Committee of the National People's Congress of the PRC.
Answer:

B

User Votes:
A
50%
B
50%
C
50%
D
50%

Reference:
https://www.pcpd.org.hk/english/data_privacy_law/ordinance_at_a_Glance/ordinance.html

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 9

Which of the following is NOT a substantial source of privacy protection for Hong Kong citizens?

  • A. The Communications and Surveillance Ordinance.
  • B. The Universal Declaration of Human Rights.
  • C. The Bill of Rights Ordinance.
  • D. The Basic Law.
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 10

In Singapore, a potential employer can collect all of the following data on an individual in the pre-
employment phase EXCEPT?

  • A. Postings from social media websites.
  • B. Information from a background check.
  • C. Information about the individual's children.
  • D. The individual's university attendance records.
Answer:

B

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 11

In which situation would a data intermediary based in Singapore be liable for breaches against the
PDPA?

  • A. When it fails to provide an individual access to his or her data.
  • B. When it does not provide anonymous transactions with an individual.
  • C. When it fails to inform an individual it is processing data from a controller.
  • D. When it processes data contrary to the provisions established in the contract.
Answer:

D

User Votes:
A
50%
B
50%
C
50%
D
50%

Reference:
https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/AG-on-Key-
Concepts/Advisory-Guidelines-on-Key-Concepts-in-the-PDPA-1-Feb-2021.pdf?la=en

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 12

Who is NOT potentially liable when an employee in a Singapore corporation or partnership breaches
the PDPA?

  • A. A corporate officer.
  • B. The employee.
  • C. The employer.
  • D. A partner.
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 13

Under the PDPO, what are Hong Kong companies that make use of personal data required to do?

  • A. Appoint an official compliance officer.
  • B. Register with the appropriate data authority.
  • C. Honor all data subject requests for correcting personal information.
  • D. Provide contact information of persons handling data access requests.
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 14

In Hong Kong, which of the following are exempt from personal data access requests until after the
project to which the data is related has been concluded?

  • A. Hospital administrators.
  • B. Financial institutions.
  • C. News organizations.
  • D. Non-profit groups.
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%

Reference:
https://www.hutsix.io/are-there-any-exemptions-to-the-data-protection-act/

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 15

Which method ensures the greatest security when erasing data that is no longer needed, according
to the Hong Kong Office of the Privacy Commissioner?

  • A. Strip-shredding paper copies of data.
  • B. Crosscut shredding paper copies of data.
  • C. Deleting electronic files containing data.
  • D. Reformatting USB memory devices containing data.
Answer:

B

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000
To page 2