Certified Information Privacy Professional – Europe (CIPP/E) — Question 109

According to guidance from the European Data Protection Board, in which of the following cases would a controller established outside of the EU not be subject to the GDPR?

Answer options

• A. If the controller monitors the behavior of persons on the territory of the Republic of Switzerland.
• B. If the controller has a fully-owned branch office in the EU overseeing all its European operations, including marketing and advertising.
• C. If the controller has its some of its offices and servers based in the EU without having a legal branch or subsidiary in any EU Member State.
• D. If the controller uses the services of an EU-based processor without offering goods or services to persons on EU territory or monitoring their behavior.

Correct answer: A

Explanation

The correct answer is A because monitoring behavior in Switzerland does not fall under the scope of GDPR, which applies to EU territories. Options B and C would subject the controller to GDPR due to their presence and operations in the EU. Option D is incorrect as it implies that using an EU-based processor while not engaging with EU individuals would exempt the controller from GDPR compliance.