Certified Information Privacy Professional – Europe (CIPP/E) — Question 163

What must a data controller do in order to make personal data pseudonymous?

Answer options

• A. Separately hold any information that would allow linking the data to the data subject.
• B. Encrypt the data in order to prevent any unauthorized access or modification.
• C. Remove all indirect data identifiers and dispose of them securely.
• D. Use the data only in aggregated form for research purposes.

Correct answer: A

Explanation

The correct answer is A because pseudonymization requires that any information capable of linking the data back to the individual is kept separate. Options B, C, and D do not directly address the requirement for pseudonymization, as they focus on encryption, removal of identifiers, and aggregated usage, respectively, which do not meet the specific criteria for pseudonymization.