Certified Information Privacy Professional – Europe (CIPP/E) — Question 135

Under Article 21 of the GDPR, a controller must stop profiling when requested by a data subject, unless it can demonstrate compelling legitimate grounds that override the interests of the individual. In the Guidelines on Automated individual decision-making and Profiling, the WP 29 says the controller needs to do all of the following to demonstrate that it has such legitimate grounds EXCEPT?

Answer options

• A. Carry out an exercise that weighs the interests of the controller and the basis for the data subject’s objection.
• B. Consider the impact of the profiling on the data subject’s interest, rights and freedoms.
• C. Demonstrate that the profiling is for the purposes of direct marketing.
• D. Consider the importance of the profiling to their particular objective.

Correct answer: C

Explanation

The correct answer is C because demonstrating that the profiling is for direct marketing purposes is not necessary to establish legitimate grounds under GDPR. Options A, B, and D involve assessing the interests and impacts on the data subject, which are crucial for justifying the continuation of profiling.