Certified Information Privacy Professional – Europe (CIPP/E) — Question 116

According to the European Data Protection Board, controllers responding to a data subject access request can refuse to provide a copy of personal data under certain conditions. Which of the following is NOT one of these conditions?

Answer options

• A. If the data subject access request was sent to an employee that is not involved in the processing of such requests.
• B. If there is such a large amount of data that the controller cannot identify the data subject of the request.
• C. If the controller is unable to use end-to-end encrypted emails for responding to such requests.
• D. If the personal data was processed in the past but is no longer at the controller’s disposal at the time of the request.

Correct answer: C

Explanation

Option C is incorrect because the ability to use end-to-end encrypted emails is not a valid reason for refusing to fulfill a data subject access request. Options A, B, and D are legitimate reasons for refusal, as they pertain to the processing and availability of the data in question.