Free IAPP CIPP-A Actual Exam Questions
The questions for this exam were last updated on January 7, 2026
Dumps Box (DumpsBox) offers up-to-date practice exam questions for CIPP-A certification exam which are developed and validated by IAPP subject domain experts certified in IAPP CIPP-A . These practice questions are update regularly as we keep an eye on any recent changes in CIPP-A syllabus, and when there is update our team quickly adjusts the questions. This commitment to providing the best quality exam prep material to certification aspirants is what makes DumpsBox.com the best certification exam prep website. On top of that, our strong, yet strictly moderated, community based feedback keeps the content clean and current. Each question has helpful community discussion that provides it extra perspective and introduces helpful resources for better exam preparation. This also saves students from other outdated practice questions or illicit exam dumps that can have adverse affects on career. Browse through our IAPP CIPP-A exam questions and pass your exam on first try.
Question No. 1
Besides the Personal Data Protection Act (PDPA), which of the following is a potential source of
privacy protection for Singapore citizens?
privacy protection for Singapore citizens?
Select one option, then reveal solution.
Question No. 2
Which of the following countries will continue to enjoy adequacy status under the GDPR, pending
any future European Commission decision to the contrary?
any future European Commission decision to the contrary?
Select one option, then reveal solution.
Question No. 3
In India's IT Rules 2011, which is included in the definition of "sensitive personal data"?
Select all that apply, then reveal solution.
Question No. 4
SCENARIO – Please use the following to answer the next QUESTION:
Singabank is a boutique bank in Singapore. After being notified during the hiring process, Singabank
employees are subject to constant and thorough monitoring and tracking through CCTV cameras,
computer monitoring software and keyboard loggers. Singabank does this to ensure its employees
are complying with Singabank's data security policy. Bigbank is now considering acquiring
Singabank's retail banking division. As part of its due diligence, Bigbank is seeking for Singabank to
disclose to it all of its surveillance material on its employees, whether or not they are part of the
retail banking division. Jimmy works in Singabank's investment banking division.
Assuming the monitoring was legal, can Singabank disclose Jimmy's personal data to Bigbank?
Singabank is a boutique bank in Singapore. After being notified during the hiring process, Singabank
employees are subject to constant and thorough monitoring and tracking through CCTV cameras,
computer monitoring software and keyboard loggers. Singabank does this to ensure its employees
are complying with Singabank's data security policy. Bigbank is now considering acquiring
Singabank's retail banking division. As part of its due diligence, Bigbank is seeking for Singabank to
disclose to it all of its surveillance material on its employees, whether or not they are part of the
retail banking division. Jimmy works in Singabank's investment banking division.
Assuming the monitoring was legal, can Singabank disclose Jimmy's personal data to Bigbank?
Select one option, then reveal solution.
Question No. 5
Which provision of Hong Kong's Personal Data (Privacy) Ordinance (PDPO) strengthens the purpose
limitation principle (DPP3)?
limitation principle (DPP3)?
Select one option, then reveal solution.
Question No. 6
In the Asia-Pacific Economic Cooperation (APEC) Privacy Framework, what exception is allowed to
the Access and Correction principle?
the Access and Correction principle?
Select all that apply, then reveal solution.
Question No. 7
What was the basis for the "TrustSg" mark, which was designed to build confidence in e-commerce
transactions before the PDPA was enacted?
transactions before the PDPA was enacted?
Select one option, then reveal solution.
Question No. 8
Which was NOT listed as an individual right in the 1998 Fair Information Practice Principles (FIPPs)?
Select one option, then reveal solution.
Question No. 9
In which of the following cases would a Singaporean be prevented from accessing information about
herself from an organization?
herself from an organization?
Select one option, then reveal solution.
Question No. 10
SCENARIO – Please use the following to answer the next QUESTION:
Bharat Medicals is an established retail chain selling medical goods, with a presence in a number of
cities throughout Indi
a. Their strategic partnership with major hospitals in these cities helped them capture an impressive
market share over the years. However, with lifestyle and demographic shifts in India, the company
saw a huge opportunity in door-to-door delivery of essential medical products. The need for such a
service was confirmed by an independent consumer survey the firm conducted recently.
The company has launched their e-commerce platform in three metro cities, and plans to expand to
the rest of the country in the future. Consumers need to register on the company website before
they can make purchases. They are required to enter details such as name, age, address, telephone
number, sex, date of birth and nationality – information that is stored on the company's servers.
(Consumers also have the option of keeping their credit card number on file, so that it does not have
to be entered every time they make payment.) If ordered items require a prescription, that
authorization needs to be uploaded as well. The privacy notice explicitly requires that the consumer
confirm that he or she is either the patient or has consent of the patient for uploading the health
information. After creating a unique user ID and password, the consumer's registration will be
confirmed through a text message sent to their listed mobile number.
To remain focused on their core business, Bharat outsourced the packaging, product dispatch and
delivery activities to a third party firm, Maurya Logistics Ltd., with which it has a contractual
agreement. It shares with Maurya Logistics the consumer name, address and other product-related
details at the time of every purchase.
If consumers underwent medical treatment at one of the partner hospitals and consented to having
their data transferred, their order requirement will be sent to their Bharat Medicals account directly,
thereby doing away with the need to manually place an order for the medications.
Bharat Medicals takes regulatory compliance seriously; to ensure data privacy, it displays a privacy
notice at the time of registration, and includes all the information that it collects. At this stage of
their business, the company plans to store consumer information indefinitely, since the percentage
of repeat customers and the frequency of orders per customer is still uncertain.
If a patient withdraws consent provided to one of the partner hospitals regarding the transfer of their
data, which of the following would be true?
Bharat Medicals is an established retail chain selling medical goods, with a presence in a number of
cities throughout Indi
a. Their strategic partnership with major hospitals in these cities helped them capture an impressive
market share over the years. However, with lifestyle and demographic shifts in India, the company
saw a huge opportunity in door-to-door delivery of essential medical products. The need for such a
service was confirmed by an independent consumer survey the firm conducted recently.
The company has launched their e-commerce platform in three metro cities, and plans to expand to
the rest of the country in the future. Consumers need to register on the company website before
they can make purchases. They are required to enter details such as name, age, address, telephone
number, sex, date of birth and nationality – information that is stored on the company's servers.
(Consumers also have the option of keeping their credit card number on file, so that it does not have
to be entered every time they make payment.) If ordered items require a prescription, that
authorization needs to be uploaded as well. The privacy notice explicitly requires that the consumer
confirm that he or she is either the patient or has consent of the patient for uploading the health
information. After creating a unique user ID and password, the consumer's registration will be
confirmed through a text message sent to their listed mobile number.
To remain focused on their core business, Bharat outsourced the packaging, product dispatch and
delivery activities to a third party firm, Maurya Logistics Ltd., with which it has a contractual
agreement. It shares with Maurya Logistics the consumer name, address and other product-related
details at the time of every purchase.
If consumers underwent medical treatment at one of the partner hospitals and consented to having
their data transferred, their order requirement will be sent to their Bharat Medicals account directly,
thereby doing away with the need to manually place an order for the medications.
Bharat Medicals takes regulatory compliance seriously; to ensure data privacy, it displays a privacy
notice at the time of registration, and includes all the information that it collects. At this stage of
their business, the company plans to store consumer information indefinitely, since the percentage
of repeat customers and the frequency of orders per customer is still uncertain.
If a patient withdraws consent provided to one of the partner hospitals regarding the transfer of their
data, which of the following would be true?
Select one option, then reveal solution.
Question No. 11
Cases in which an Indian company is accused of violating provisions of India's IT Act must be heard
by?
by?
Select one option, then reveal solution.
Question No. 12
In India, the obligation to appoint a Grievance Officer applies ONLY to companies that?
Select one option, then reveal solution.
Question No. 13
Under the General Data Protection Regulation (GDPR), European Union member states may be
allowed to transfer personal data to the United States in some cases.
Which of the following could NOT be used as a legitimate means of doing this?
allowed to transfer personal data to the United States in some cases.
Which of the following could NOT be used as a legitimate means of doing this?
Select one option, then reveal solution.
Question No. 14
All of the following are exempt from Section 43A of India's IT Rules 2011 EXCEPT?
Select one option, then reveal solution.
Question No. 15
Which of the following is NOT a way that the Singapore government can monitor its citizens?
Select one option, then reveal solution.