C130 - CIP CERTIFICATION EXAM STUDY SET
2026/2027 | 100 Questions | Verified Solutions
100% Correct | Graded A+
This comprehensive study set has been carefully curated to prepare candidates for the C130 - Critical
Infrastructure Protection (CIP) Certification Exam. It covers the full breadth of topics tested on the
examination, including global privacy regulations, data lifecycle management, privacy governance,
individual rights, cross-border data transfers, incident response, privacy technology, and critical
infrastructure cybersecurity. Each question includes a detailed rationale with references to applicable
laws, frameworks, and industry standards.
Exam Structure:
• Section I: Global Privacy Regulations (15 Questions)
• Section II: Data Lifecycle Management (15 Questions)
• Section III: Privacy Program Governance (15 Questions)
• Section IV: Individual Rights & Request Fulfillment (10 Questions)
• Section V: Cross-Border Data Transfers (10 Questions)
• Section VI: Incident Response & Breach Notification (10 Questions)
• Section VII: Privacy Technology & Engineering (10 Questions)
• Section VIII: Critical Infrastructure Protection & Cybersecurity (15 Questions)
• Total: 100 Questions | 4 Options per Question | Verified Rationales
────────────────────────────────────────────────────────────
Section I: Global Privacy Regulations (Questions 1–15)
1. Under the GDPR, what is the maximum administrative fine that can be imposed for the
most serious violations?
A. EUR 10 million or 2% of annual global turnover
B. EUR 20 million or 4% of annual global turnover
C. EUR 50 million or 5% of annual global turnover
D. EUR 100 million or 10% of annual global turnover
Correct Answer: B. EUR 20 million or 4% of annual global turnover
Rationale: Article 83(5) of the GDPR stipulates that the most serious infringements, such as violating
core principles of processing or failing to obtain valid consent, may result in administrative fines up to
EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever
is higher. This maximum penalty tier applies to violations of data subject rights, international transfer
restrictions, and obligations related to processing under special categories.
Page 1
C130 - CIP Certification Exam Study Set | 2026/2027
2. Which CCPA/CPRA right allows a California consumer to direct a business not to sell or
share their personal information?
A. Right to Know
B. Right to Delete
C. Right to Opt-Out
D. Right to Correct
Correct Answer: C. Right to Opt-Out
Rationale: The CCPA grants consumers the Right to Opt-Out of the sale or sharing of their personal
information. Under CPRA amendments, this right is expanded to explicitly cover the sharing of personal
information for cross-context behavioral advertising. Businesses must provide a clear and conspicuous
'Do Not Sell or Share My Personal Information' link on their homepages.
3. Under HIPAA, which of the following is NOT a designated use or disclosure of PHI that
requires patient authorization?
A. Treatment, Payment, and Healthcare Operations (TPO)
B. Marketing communications involving the covered entity's products
C. Disclosures to the Secretary of HHS for compliance investigations
D. Sale of PHI to a pharmaceutical company for commercial purposes
Correct Answer: D. Sale of PHI to a pharmaceutical company for commercial purposes
Rationale: Under the HIPAA Privacy Rule, TPO disclosures and disclosures required by law do not
require patient authorization. However, uses and disclosures of PHI for marketing purposes and the sale
of PHI generally require individual authorization. Selling PHI to a third party for commercial purposes is
not a permitted TPO exception and therefore requires explicit written authorization from the patient.
4. Which of the following best describes the 'accountable organization' principle under
PIPEDA?
A. Organizations must appoint a Data Protection Officer for public accountability
B. An organization is responsible for personal information under its control and must designate an
individual accountable for compliance
C. Organizations must publish annual accountability reports to the Privacy Commissioner of Canada
D. Personal information must be retained for a minimum of seven years for accountability purposes
Correct Answer: B. An organization is responsible for personal information under its
control and must designate an individual accountable for compliance
Rationale: Principle 4.1.1 of PIPEDA states that an organization is responsible for personal information
in its possession and custody, including information disclosed to third parties for processing. The
organization must designate one or more individuals who are accountable for the organization's
compliance with all ten principles of PIPEDA, though the organization itself bears ultimate responsibility.
5. Under Brazil's LGPD (Lei Geral de Proteção de Dados), which legal basis is most
analogous to the GDPR's 'legitimate interest'?
A. Consent
B. Legal obligation
C. Legitimate interest
D. Credit protection
Correct Answer: C. Legitimate interest
Rationale: Article 7 of the LGPD provides ten legal bases for processing personal data, and 'legitimate
interest' (interesse legítimo) is explicitly included as one of them. The LGPD was modeled substantially on
the GDPR, and the legitimate interest basis operates similarly, requiring a balancing test between the
controller's interests and the data subject's fundamental rights and freedoms.
6. South Africa's POPIA requires a responsible party to process personal information in
accordance with how many conditions for the lawful processing of personal information?
A. 6 conditions
B. 7 conditions
C. 8 conditions
D. 10 conditions
Correct Answer: C. 8 conditions
Rationale: Section 8 of the Protection of Personal Information Act (POPIA) sets out eight conditions for
the lawful processing of personal information: accountability, processing limitation, purpose
specification, further processing limitation, information quality, openness, security safeguards, and data
subject participation. These eight conditions form the foundational framework for data protection
compliance under South African law.
7. Under the GDPR, which of the following constitutes 'special categories' of personal data
requiring additional protection?
A. Name, address, and phone number
B. Racial or ethnic origin, political opinions, and health data
C. IP address, device identifier, and cookie data
D. Financial records, credit scores, and employment history
Correct Answer: B. Racial or ethnic origin, political opinions, and health data
Rationale: Article 9(1) of the GDPR defines special categories of personal data as revealing racial or
ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data,
biometric data for uniquely identifying a person, data concerning health, or data concerning a person's
sex life or sexual orientation. Processing of these categories is generally prohibited unless a specific Article
9(2) exception applies.
8. Which enforcement action under the GDPR resulted in the largest fine issued as of 2025?
A. Google fine by CNIL (EUR 50 million)
B. British Airways fine by ICO (GBP 183 million, later reduced)
C. Meta fine by Irish DPC for GDPR violations (EUR 1.2 billion)
D. WhatsApp fine by Irish DPC (EUR 225 million)
Correct Answer: C. Meta fine by Irish DPC for GDPR violations (EUR 1.2 billion)
Rationale: In May 2023, the Irish Data Protection Commission issued a EUR 1.2 billion fine to Meta
Platforms Ireland Limited for violating GDPR provisions related to the transfer of EU user data to the
United States. This landmark enforcement action, stemming from the Schrems II decision, is the largest
GDPR fine issued to date and ordered Meta to suspend future data transfers to the U.S. within specified
timeframes.
9. Under the CCPA as amended by CPRA, what is the maximum statutory damages a
consumer may recover in a private right of action for a data breach?
A. $100 per violation, up to $500 per incident
B. $750 per violation per consumer
C. $1,000 per violation, up to $10,000 per incident
D. $2,500 per consumer regardless of the number of violations
Correct Answer: B. $750 per violation per consumer
Rationale: Under CCPA Section 1798.150, any consumer whose nonencrypted and nonredacted personal
information is subject to unauthorized access and exfiltration, theft, or disclosure may bring a private
right of action. Consumers may recover statutory damages of not less than $100 and not more than $750
per consumer per incident, or actual damages if greater, as well as injunctive or declaratory relief.
10. Under HIPAA, what is the maximum number of days a covered entity has to provide an
individual with access to their PHI upon request?
A. 15 days
B. 30 days
C. 45 days
D. 60 days
Correct Answer: B. 30 days
Rationale: Under 45 CFR 164.524(b)(2), a covered entity must act on an individual's request for access
to PHI no later than 30 days after receiving the request. If the covered entity is unable to provide access
within this timeframe, it may extend the deadline by no more than 30 additional days, provided it notifies
the individual of the delay and the reasons for it within the initial 30-day period.
11. Under the GDPR, a Data Protection Impact Assessment (DPIA) must be conducted when
processing is likely to result in which of the following?
A. Processing of any personal data involving more than 50 data subjects
B. High risk to the rights and freedoms of natural persons
C. Any processing activity conducted by a public authority
D. Processing involving the collection of email addresses for a newsletter
Correct Answer: B. High risk to the rights and freedoms of natural persons
Rationale: Article 35(1) of the GDPR requires a DPIA where a type of processing, in particular using
new technologies, is likely to result in a high risk to the rights and freedoms of natural persons. The GDPR
provides indicative criteria in Article 35(3) and the Article 29 Working Party (now EDPB) has published
guidelines identifying nine categories of processing operations that require a DPIA, including systematic
monitoring, large-scale processing, and innovative technology use.
12. Which of the following statements about Japan's Act on the Protection of Personal
Information (APPI) as amended in 2022 is correct?
A. The APPI only applies to domestic organizations and does not govern cross-border transfers
B. Individuals have the right to request cessation of the use of personal information
C. The APPI does not require organizations to designate a Data Protection Officer
D. Japan has not adopted any framework for mutual adequacy with other jurisdictions