Certified Information Privacy Professional – Europe (CIPP/E) — Question 13

Under the GDPR, who would be LEAST likely to be allowed to engage in the collection, use, and disclosure of a data subject’s sensitive medical information without the data subject’s knowledge or consent?

Answer options

• A. A member of the judiciary involved in adjudicating a legal dispute involving the data subject and concerning the health of the data subject.
• B. A public authority responsible for public health, where the sharing of such information is considered necessary for the protection of the general populace.
• C. A health professional involved in the medical care for the data subject, where the data subject’s life hinges on the timely dissemination of such information.
• D. A journalist writing an article relating to the medical condition in question, who believes that the publication of such information is in the public interest.

Correct answer: D

Explanation

The correct answer is D because journalists do not typically have legal grounds to collect or disclose sensitive medical information without consent, even if they believe it serves the public interest. In contrast, members of the judiciary, public authorities, and health professionals may be permitted to handle such information under specific legal or medical circumstances that prioritize public health or safety.