Certified Information Privacy Professional – Europe (CIPP/E) — Question 174

In which of the following cases, cited as an example by a WP29 guidance, would conducting a single data protection impact assessment to address multiple processing operations be allowed?

Answer options

• A. A medical organization that wants to begin genetic testing to support earlier research for which they have performed a DPIA.
• B. A data controller who plans to use a new technology product that has already undergone a DPIA by the product’s provider.
• C. A marketing team that wants to collect mailing addresses of customers for whom they already have email addresses.
• D. A railway operator who plans to evaluate the same video surveillance in all the train stations of his company.

Correct answer: D

Explanation

The correct answer is D because conducting a single DPIA for uniform video surveillance across multiple locations is justified due to the consistent nature of the processing. Options A, B, and C involve distinct processing activities or different contexts that do not allow for a combined assessment under WP29 guidance.