Certified Information Privacy Manager (CIPM) — Question 174
Under the European Data Protection Board, which processing operation would require a Data Protection Impact Assessment (DPIA)?
Answer options
- A. An online newspaper using its subscriber list to email a daily newsletter.
- B. A healthcare clinic that processes personal data of its patients in its billing system.
- C. A hospital processing patients’ generic and health data in its hospital information system.
- D. An online store displaying advertisements based on items viewed or purchased on its own website.
Correct answer: C
Explanation
Option C is the correct answer because processing sensitive health data requires a DPIA to evaluate risks to individuals' privacy. The other options involve less sensitive information or do not involve extensive processing of personal data that impacts privacy to the same extent as health data does.