Certified Information Privacy Professional – Europe (CIPP/E) — Question 155

What should a controller do after a data subject opts out of a direct marketing activity?

Answer options

• A. Without exception, securely delete all personal data relating to the data subject.
• B. Without undue delay, provide information to the data subject on the action that will be taken.
• C. Refrain from processing personal data relating to the data subject for the relevant type of communication.
• D. Take reasonable steps to inform third-party recipients that the data subject’s personal data should be deleted and no longer processed.

Correct answer: C

Explanation

The correct answer is C because once a data subject opts out, the controller must stop processing their personal data for that specific communication type. Option A is incorrect as it suggests deleting all personal data, which may not be necessary. Option B is not the best action, as the primary requirement is to cease processing, not just to inform. Option D, while important for transparency, does not address the immediate need to stop processing the data.