
IAPP CIPP/China Sample Questions & Practice Test

Try 12 Certified Information Privacy Professional/China (CIPP/CN) sample questions on China privacy concepts, personal information processing, sensitive data, transfers, consent, and governance.

Certified Information Privacy Professional/China (CIPP/CN) preparation focuses on China privacy and data-protection concepts, including personal information processing, consent, sensitive personal information, cross-border transfers, governance, and accountability.

Use these 12 original sample questions for initial self-assessment. They are not official IAPP questions and do not reproduce a live exam.

What this route should test

  • China privacy vocabulary and personal-information processing concepts
  • consent, sensitive personal information, transfer, security, and governance scenarios
  • jurisdiction-specific reasoning without treating every CIPP route as interchangeable

Official-source check

Verify current certification names, exam policies, and requirements with the IAPP certification page.

Sample Exam Questions

Question 1

Topic: personal information processing

What should an organization clarify before processing personal information?

  • A. Only the application’s color palette
  • B. Whether privacy notices can be skipped
  • C. Whether all future uses are automatically permitted
  • D. Processing purpose, method, scope, retention, recipients, and individual rights handling

Best answer: D

Explanation: China privacy preparation emphasizes purpose, scope, notice, consent or legal basis, retention, security, and rights.


Question 2

Topic: sensitive personal information

Why does sensitive personal information require special care?

  • A. Misuse may create greater risk to personal dignity, safety, property, or other interests
  • B. It is never personal information
  • C. It can always be disclosed publicly
  • D. It removes security obligations

Best answer: A

Explanation: Sensitive personal information typically requires stronger safeguards and careful processing justification.


Question 3

Topic: consent

When consent is needed, what makes it more defensible?

  • A. Silence treated as consent for all future uses
  • B. Consent hidden in unrelated text
  • C. Clear notice, specific purpose, voluntary choice, and records showing the decision
  • D. No way to withdraw

Best answer: C

Explanation: Consent should be informed, specific, and supportable through records.


Question 4

Topic: cross-border transfer

What should be reviewed before transferring personal information outside China?

  • A. Only the recipient’s logo
  • B. Applicable transfer mechanism, notice, consent, contracts, assessment, security, and recipient controls
  • C. Whether data becomes anonymous at the border
  • D. Whether the transfer can be undocumented

Best answer: B

Explanation: Cross-border transfer review is a key China privacy topic and may involve multiple safeguards.


Question 5

Topic: data minimization

Which approach best supports minimization?

  • A. Collect every identifier just in case
  • B. Collect the minimum personal information necessary for a clear purpose
  • C. Retain unused personal information indefinitely
  • D. Use vague purposes to justify all collection

Best answer: B

Explanation: Minimization limits collection and reduces risk.


Question 6

Topic: automated decision-making

Why should automated decision-making be governed?

  • A. It is always outside privacy law
  • B. It never uses personal information
  • C. It can affect individuals and may require transparency, fairness, and ability to challenge or understand outcomes
  • D. It removes all accountability

Best answer: C

Explanation: Automated decisions can create individual impact and need governance, transparency, and control.


Question 7

Topic: rights handling

What should a rights-handling workflow include?

  • A. Request intake, identity verification, scope review, exceptions, response timing, and documentation
  • B. No privacy contact point
  • C. Automatic refusal
  • D. Only engineering approval

Best answer: A

Explanation: Individual rights require repeatable operating procedures.


Question 8

Topic: processor oversight

What is a strong control when entrusting processing to a third party?

  • A. Permit unlimited secondary use
  • B. Avoid contracts
  • C. Allow disclosure without oversight
  • D. Define processing purpose, duration, method, data categories, safeguards, and supervision duties

Best answer: D

Explanation: Entrusted processing should be controlled through defined scope and safeguards.


Question 9

Topic: security measures

Which control best supports personal-information security?

  • A. Access control, encryption where appropriate, logging, incident response, and employee training
  • B. Shared passwords
  • C. No monitoring
  • D. Public database exports

Best answer: A

Explanation: Security is a practical privacy obligation and supports safe processing.


Question 10

Topic: privacy notice

What should a privacy notice help individuals understand?

  • A. Only the company slogan
  • B. Internal source code
  • C. Who processes their information, why, how, retention, sharing, rights, and contact channels
  • D. Unrelated employment policies

Best answer: C

Explanation: Transparency helps individuals understand processing and exercise rights.


Question 11

Topic: breach response

A suspected personal-information breach occurs. What is the best first response?

  • A. Delete all logs
  • B. Wait for media coverage
  • C. Ignore the issue unless customers complain
  • D. Contain the issue, preserve facts, assess risk, notify responsible teams, and follow the incident process

Best answer: D

Explanation: Breach response requires fact gathering, containment, risk assessment, and documented action.


Question 12

Topic: governance

Which evidence best supports privacy governance maturity?

  • A. A statement that privacy is handled informally
  • B. Policies, data maps, assessments, contracts, training, incident records, and remediation tracking
  • C. No role assignments
  • D. A one-time notice with no controls

Best answer: B

Explanation: Governance maturity is shown through repeatable controls and evidence.

Revised on Thursday, May 21, 2026