Certified Information Privacy Professional – Europe (CIPP/E) — Question 139
Which of the following would require designating a data protection officer?
Answer options
- A. Processing is carried out by an organization employing 250 persons or more.
- B. Processing is carried out for the purpose of providing for-profit goods or services to individuals in the EU.
- C. The core activities of the controller or processor consist of processing operations of financial information or information relating to children.
- D. The core activities of the controller or processor consist of processing operations that require systematic monitoring of data subjects on a large scale.
Correct answer: D
Explanation
The correct answer is D because the GDPR requires a data protection officer when the core activities involve systematic monitoring of data subjects on a large scale, which poses greater risks to privacy. Options A, B, and C do not, on their own, require a data protection officer under the GDPR.