Certified Information Privacy Professional – Europe (CIPP/E) — Question 122

SCENARIO -
Please use the following to answer the next question:
T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies.
T-Craze also opened various office locations throughout Europe to help expand its business. While Germany continued to host T-Craze’s headquarters and main product-design office, its French affiliate became responsible for all marketing and sales activities. The French affiliate recently procured the services of Right Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T-Craze, though with much less success.
The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from the Right Target on behalf of T-Craze.
What is the best option for the lead regulator when responding to the Spanish supervisory authority’s notice that it plans to take action regarding Sofia’s complaint?

Answer options

• A. Accept, because it did not receive any complaints.
• B. Accept, because GDPR permits non-lead authorities to take action for such complaints.
• C. Reject, because Right Target’s processing was conducted throughout Europe.
• D. Reject, because GDPR does not allow other supervisory authorities to take action if there is a lead authority.

Correct answer: D

Explanation

The correct answer is D because the GDPR specifies that only the lead authority can take action in cases where it has jurisdiction, preventing other supervisory authorities from intervening. Options A and B are incorrect as they misunderstand the authority's role under GDPR, and option C does not address the core issue of jurisdictional authority in this context.