Certified Information Privacy Professional – Europe (CIPP/E) — Question 171
To provide evidence of GDPR compliance, a company performs an internal audit. In the course of that audit it finds a password-protected database listing all the social network followers of the client.
Regarding the domain of the controller-processor relationships, how is this situation considered?
Answer options
- A. Compliant with the security principle, because the database is password-protected.
- B. Non-compliant, because the storage of the data exceeds the tasks contractually authorized by the controller.
- C. Not applicable, because the database is password-protected, and therefore is not at risk of identifying any data subject.
- D. Compliant with the storage limitation principle, so long as the internal auditor permanently deletes the database.
Correct answer: B
Explanation
The correct answer is B because storing the social network follower data likely exceeds the scope of the processing contractually authorized by the controller, making it non-compliant. Option A is incorrect because password protection alone does not demonstrate compliance with the GDPR. Option C is flawed because password protection does not eliminate the risk that data subjects can be identified from the data. Option D is also incorrect because deleting the database after the fact does not rectify the prior non-compliance with data retention requirements.