IAPP CIPP-C Dumps - Certified Information Privacy Professional/ Canada (CIPP/C) PDF Sample Questions

discount banner
Exam Code:
Exam Name:
Certified Information Privacy Professional/ Canada (CIPP/C)
150 Questions
Last Update Date : 24 February, 2024
PDF + Test Engine
$60 $78
Test Engine Only
$50 $65
PDF Only Demo
$35 $45.5

IAPP CIPP-C This Week Result


They can't be wrong


Score in Real Exam at Testing Centre


Questions came word by word from this dumps

Best IAPP CIPP-C Dumps - pass your exam In First Attempt

Our CIPP-C dumps are better than all other cheap CIPP-C study material.

Only best way to pass your IAPP CIPP-C is that if you will get reliable exam study materials. We ensure you that realexamdumps is one of the most authentic website for IAPP Certified Information Privacy Professional exam question answers. Pass your CIPP-C Certified Information Privacy Professional/ Canada (CIPP/C) with full confidence. You can get free Certified Information Privacy Professional/ Canada (CIPP/C) demo from realexamdumps. We ensure 100% your success in CIPP-C Exam with the help of IAPP Dumps. you will feel proud to become a part of realexamdumps family.

Our success rate from past 5 year very impressive. Our customers are able to build their carrier in IT field.


45000+ Exams


Desire Exam



and pass your exam...

Related Exam

Realexamdumps Providing most updated Certified Information Privacy Professional Question Answers. Here are a few exams:

Sample Questions

Realexamdumps Providing most updated Certified Information Privacy Professional Question Answers. Here are a few sample questions:

IAPP CIPP-C Sample Question 1


Please use the following to answer the next QUESTION:

A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer’s data handling practices.

The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her

withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: “Please act immediately by identifying all personal data received from our company.”

This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup’s rapid market penetration.

As the Company’s data privacy leader, you are sensitive to the criticality of the relationship with the retailer.

Under the General Data Protection Regulation (GDPR), how would the U.S.-based startup company most likely be classified?


A. As a data supervisor
B. As a data processor
C. As a data controller
D. As a data manager

Answer: A Explanation: Reference: [Reference: https://www.i-scoop.eu/gdpr/data-processor-gdpr/, ]

IAPP CIPP-C Sample Question 2


Please use the following to answer the next QUESTION:

Larry has become increasingly dissatisfied with his telemarketing position at SunriseLynx, and particularly with his supervisor, Evan. Just last week, he overheard Evan mocking the state’s Do Not Call list, as well as the people on it. “If they were really serious about not being bothered,” Evan said, “They’d be on the national DNC list. That’s the only one we’re required to follow. At SunriseLynx, we call until they ask us not to.”

Bizarrely, Evan requires telemarketers to keep records of recipients who ask them to call “another time.” This, to Larry, is a clear indication that they don’t want to be called at all. Evan doesn’t see it that way.

Larry believes that Evan’s arrogance also affects the way he treats employees. The U.S. Constitution protects

American workers, and Larry believes that the rights of those at SunriseLynx are violated regularly. At first Evan seemed friendly, even connecting with employees on social media. However, following Evan’s political posts, it became clear to Larry that employees with similar affiliations were the only ones offered promotions.

Further, Larry occasionally has packages containing personal-use items mailed to work. Several times, these have come to him already opened, even though this name was clearly marked. Larry thinks the opening of personal mail is common at SunriseLynx, and that Fourth Amendment rights are being trampled under Evan’s leadership.

Larry has also been dismayed to overhear discussions about his coworker, Sadie. Telemarketing calls are regularly recorded for quality assurance, and although Sadie is always professional during business, her personal conversations sometimes contain sexual comments. This too is something Larry has heard Evan laughing about. When he mentioned this to a coworker, his concern was met with a shrug. It was the coworker’s belief that employees agreed to be monitored when they signed on. Although personal devices are left alone, phone calls, emails and browsing histories are all subject to surveillance. In fact, Larry knows of one case in which an employee was fired after an undercover investigation by an outside firm turned up evidence of misconduct. Although the employee may have stolen from the company, Evan could have simply contacted the authorities when he first suspected something amiss.

Larry wants to take action, but is uncertain how to proceed.

Based on the way he uses social media, Evan is susceptible to a lawsuit based on?


A. Defamation
B. Discrimination
C. Intrusion upon seclusion
D. Publicity given to private life

Answer: C

IAPP CIPP-C Sample Question 3

Under the Telemarketing Sales Rule, what characteristics of consent must be in place for an organization to acquire an exception to the Do-Not-Call rules for a particular consumer?


A. The consent must be in writing, must state the times when calls can be made to the consumer and must be signed
B. The consent must be in writing, must contain the number to which calls can be made and must have an end date
C. The consent must be in writing, must contain the number to which calls can be made and must be signed
D. The consent must be in writing, must have an end data and must state the times when calls can be made

Answer: C

IAPP CIPP-C Sample Question 4

What practice does the USA FREEDOM Act NOT authorize?


A. Emergency exceptions that allows the government to target roamers
B. An increase in the maximum penalty for material support to terrorism
C. An extension of the expiration for roving wiretaps
D. The bulk collection of telephone data and internet metadata

Answer: A Explanation: Reference: [Reference: https://www.rand.org/blog/2015/05/the-usa-freedom-act-the-definition-of-a-compromise.html, ]

IAPP CIPP-C Sample Question 5

Which of the following describes the most likely risk for a company developing a privacy policy with standards that are much higher than its competitors?


A. Being more closely scrutinized for any breaches of policy
B. Getting accused of discriminatory practices
C. Attracting skepticism from auditors
D. Having a security system failure

Answer: B

IAPP CIPP-C Sample Question 6

Acme Student Loan Company has developed an artificial intelligence algorithm that determines whether an individual is likely to pay their bill or default. A person who is determined by the algorithm to be more likely to default will receive frequent payment reminder calls, while those who are less likely to default will not receive payment reminders.

Which of the following most accurately reflects the privacy concerns with Acme Student Loan Company using

artificial intelligence in this manner?


A. If the algorithm uses risk factors that impact the automatic decision engine. Acme must ensure that the algorithm does not have a disparate impact on protected classes in the output.
B. If the algorithm makes automated decisions based on risk factors and public information, Acme need not determine if the algorithm has a disparate impact on protected classes.
C. If the algorithm’s methodology is disclosed to consumers, then it is acceptable for Acme to have a disparate impact on protected classes.
D. If the algorithm uses information about protected classes to make automated decisions, Acme must ensure that the algorithm does not have a disparate impact on protected classes in the output.

Answer: B Explanation: Reference: [Reference: https://www.ftc.gov/news-events/blogs/business-blog/2020/04/using-artificial-intelligence- algorithms, ]

IAPP CIPP-C Sample Question 7


Please use the following to answer the next QUESTION

Otto is preparing a report to his Board of Directors at Filtration Station, where he is responsible for the privacy program. Filtration Station is a U.S. company that sells filters and tubing products to pharmaceutical companies for research use. The company is based in Seattle, Washington, with offices throughout the U.S. and Asia. It sells to business customers across both the U.S. and the Asia-Pacific region. Filtration Station participates in the Cross-Border Privacy Rules system of the APEC Privacy Framework.

Unfortunately, Filtration Station suffered a data breach in the previous quarter. An unknown third party was able to gain access to Filtration Station’s network and was able to steal data relating to employees in the company’s Human Resources database, which is hosted by a third-party cloud provider based in the U.S. The HR data is encrypted. Filtration Station also uses the third-party cloud provider to host its business marketing contact database. The marketing database was not affected by the data breach. It appears that the data breach was caused when a system administrator at the cloud provider stored the encryption keys with the data itself.

The Board has asked Otto to provide information about the data breach and how updates on new developments in privacy laws and regulations apply to Filtration Station. They are particularly concerned about staying up to date on the various U.S. state laws and regulations that have been in the news, especially the California Consumer Privacy Act (CCPA) and breach notification requirements.

What can Otto do to most effectively minimize the privacy risks involved in using a cloud provider for the HR data?


A. Request that the Board sign off in a written document on the choice of cloud provider.
B. Ensure that the cloud provider abides by the contractual requirements by conducting an on-site audit.
C. Obtain express consent from employees for storing the HR data in the cloud and keep a record of the employee consents.
D. Negotiate a Business Associate Agreement with the cloud provider to protect any health-related data employees might share with Filtration Station.

Answer: C

IAPP CIPP-C Sample Question 8

Which of the following best describes an employer’s privacy-related responsibilities to an employee who has left the workplace?


A. An employer has a responsibility to maintain a former employee’s access to computer systems and company data needed to support claims against the company such as discrimination.
B. An employer has a responsibility to permanently delete or expunge all sensitive employment records to minimize privacy risks to both the employer and former employee.
C. An employer may consider any privacy-related responsibilities terminated, as the relationship between employer and employee is considered primarily contractual.
D. An employer has a responsibility to maintain the security and privacy of any sensitive employment records retained for a legitimate business purpose.

Answer: C

IAPP CIPP-C Sample Question 9

Which of the following best describes what a “private right of action” is?


A. The right of individuals to keep their information private.
B. The right of individuals to submit a request to access their information.
C. The right of individuals harmed by data processing to have their information deleted.
D. The right of individuals harmed by a violation of a law to file a lawsuit against the violation.

Answer: D Explanation: Reference: [Reference: https://iapp.org/resources/article/private-right-of-action/, ]

IAPP CIPP-C Sample Question 10

Which of the following became the first state to pass a law specifically regulating the practices of data brokers?


A. Washington.
B. California.
C. New York.
D. Vermont.

Answer: D Explanation: Reference: [Reference: https://www.natlawreview.com/article/ringing-2019-new-state-privacy-and-data-security-laws- impacting-data-brokers-and, ]

IAPP CIPP-C Sample Question 11

All of the following are tasks in the “Discover” phase of building an information management program EXCEPT?


A. Facilitating participation across departments and levels
B. Developing a process for review and update of privacy policies
C. Deciding how aggressive to be in the use of personal information
D. Understanding the laws that regulate a company’s collection of information

Answer: E

IAPP CIPP-C Sample Question 12

When developing a company privacy program, which of the following relationships will most help a privacy professional develop useful guidance for the organization?


A. Relationships with individuals within the privacy professional community who are able to share expertise and leading practices for different industries.
B. Relationships with clients, vendors, and customers whose data will be primarily collected and used throughout the organizational program.
C. Relationships with company leaders responsible for approving, implementing, and periodically reviewing the corporate privacy program.
D. Relationships with individuals across company departments and at different levels in the organization’s hierarchy.

Answer: D

IAPP CIPP-C Sample Question 13


Please use the following to answer the next QUESTION:

Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company for ten years and has always been concerned about protecting customer’s privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.

Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her develop one.

After an initial assessment, Janice created a first of a new policy. Cheryl read through the draft and was concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a customer’s personal information can only be held for one year after paying for a service such as a session with personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the customer. The wording of these rules worry Cheryl since stored personal information often helps her company to serve her customers, even if there are long pauses between their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors to organize their classes.

Janice understood Cheryl’s concerns and was already formulating some ideas for revision. She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity. However, Cheryl was skeptical. It seemed that classifying data and treating each type differently would cause undue difficulties in the company’s day-to-day operations. Cheryl wants one simple data storage and access system that any employee can access if needed.

Even though the privacy policy was only a draft, she was beginning to see that changes within her company were going to be necessary. She told Janice that she would be more comfortable with implementing the new policy gradually over a period of several months, one department at a time. She was also interested in a layered approach by creating documents listing applicable parts of the new policy for each department.

What is the main problem with Cheryl’s suggested method of communicating the new privacy policy?


A. The policy would not be considered valid if not communicated in full.
B. The policy might not be implemented consistency across departments.
C. Employees would not be comfortable with a policy that is put into action over time.
D. Employees might not understand how the documents relate to the policy as a whole.

Answer: C

IAPP CIPP-C Sample Question 14

A law enforcement subpoenas the ACME telecommunications company for access to text message records of a person suspected of planning a terrorist attack. The company had previously encrypted its text message records so that only the suspect could access this data.

What law did ACME violate by designing the service to prevent access to the information by a law enforcement agency?


D. USA Freedom Act

Answer: C Explanation: Reference: [Reference: https://www.nap.edu/read/11896/chapter/11#283, ]

IAPP CIPP-C Sample Question 15

A large online bookseller decides to contract with a vendor to manage Personal Information (PI). What is the

least important factor for the company to consider when selecting the vendor?


A. The vendor’s reputation
B. The vendor’s financial health
C. The vendor’s employee retention rates
D. The vendor’s employee training program

Answer: C

IAPP CIPP-C Sample Question 16

Which federal agency plays a role in privacy policy, but does NOT have regulatory authority?


A. The Office of the Comptroller of the Currency.
B. The Federal Communications Commission.
C. The Department of Transportation.
D. The Department of Commerce.

Answer: D

IAPP CIPP-C Sample Question 17

According to Section 5 of the FTC Act, self-regulation primarily involves a company’s right to do what?


A. Determine which bodies will be involved in adjudication
B. Decide if any enforcement actions are justified
C. Adhere to its industry’s code of conduct
D. Appeal decisions made against it

Answer: A Explanation: Reference: [Reference: https://www.ftc.gov/about-ftc/what-we-do/enforcement-authority, ]

IAPP CIPP-C Sample Question 18


Please use the following to answer the next QUESTION:

Matt went into his son’s bedroom one evening and found him stretched out on his bed typing on his laptop. “Doing your network?” Matt asked hopefully.

“No,” the boy said. “I’m filling out a survey.”

Matt looked over his son’s shoulder at his computer screen. “What kind of survey?” “It’s asking Questions about my opinions.”

“Let me see,” Matt said, and began reading the list of Questions that his son had already answered. “It’s asking your opinions about the government and citizenship. That’s a little odd. You’re only ten.”

Matt wondered how the web link to the survey had ended up in his son’s email inbox. Thinking the message might have been sent to his son by mistake he opened it and read it. It had come from an entity called the Leadership Project, and the content and the graphics indicated that it was intended for children. As Matt read further he learned that kids who took the survey were automatically registered in a contest to win the first book in a series about famous leaders.

To Matt, this clearly seemed like a marketing ploy to solicit goods and services to children. He asked his son if he had been prompted to give information about himself in order to take the survey. His son told him he had been asked to give his name, address, telephone number, and date of birth, and to answer Questions about his favorite games and toys.

Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son’s inbox, and he decided it was time to report the incident to the proper authorities.

How could the marketer have best changed its privacy management program to meet COPPA “Safe Harbor” requirements?


A. By receiving FTC approval for the content of its emails
B. By making a COPPA privacy notice available on website
C. By participating in an approved self-regulatory program
D. By regularly assessing the security risks to consumer privacy

Answer: A Explanation: Reference: [Reference: https://www.ftc.gov/system/files/2012-31341.pdf, ]

IAPP CIPP-C Sample Question 19

The Family Educational Rights and Privacy Act (FERPA) requires schools to do all of the following EXCEPT?


A. Verify the identity of students who make requests for access to their records.
B. Provide students with access to their records within a specified amount of time.
C. Respond to all reasonable student requests regarding explanation of their records.
D. Obtain student authorization before releasing directory information in their records.

Answer: B Explanation: Reference: [Reference: https://www2.ed.gov/policy/gen/guid/fpco/pdf/ferpa-disaster-guidance.pdf, ]

and so much more...