Certified Information Privacy Professional – Asia (CIPP/A) — Question 6

Under the General Data Protection Regulation (GDPR), European Union member states may be allowed to transfer personal data to the United States in some cases.
Which of the following could NOT be used as a legitimate means of doing this?

Answer options

• A. A consent derogation.
• B. A certification mechanism.
• C. Privacy Shield.
• D. Ad-hoc contractual clauses.

Correct answer: C

Explanation

The correct answer is C, as the Privacy Shield framework has been invalidated and is no longer a valid mechanism for transferring personal data to the United States. Options A, B, and D are legitimate means under GDPR for ensuring data protection when transferring data outside the EU.