Certified Information Privacy Manager (CIPM) — Question 110
Under the General Data Protection Regulation (GDPR), which of the following situations would LEAST likely require a controller to notify a data subject?
Answer options
- A. An encrypted USB key with sensitive personal data is stolen
- B. A direct marketing email is sent with recipients visible in the ‘cc’ field
- C. Personal data of a group of individuals is erroneously sent to the wrong mailing list
- D. A hacker publishes usernames, phone numbers and purchase history online after a cyber-attack
Correct answer: A
Explanation
Option A is the least likely to require notification: if the USB key is encrypted, the data may not be accessible without the encryption key, which reduces the risk to the data subjects. In contrast, options B, C, and D involve scenarios where personal data is exposed or mismanaged, which would typically necessitate notifying the affected individuals under GDPR.