Certified Information Privacy Professional – Europe (CIPP/E) — Question 175

In which scenario is a Controller most likely required to undertake a Data Protection Impact Assessment?

Answer options

• A. When the controller is collecting email addresses from individuals via an online registration form for marketing purposes.
• B. When personal data is being collected and combined with other personal data to profile the creditworthiness of individuals.
• C. When the controller is required to have a Data Protection Officer.
• D. When personal data is being transferred outside of the EEA.

Correct answer: B

Explanation

The correct answer is B because conducting a Data Protection Impact Assessment is crucial when combining personal data for profiling, as it poses higher risks to individual privacy. Options A, C, and D may have their own compliance requirements, but they do not inherently necessitate a Data Protection Impact Assessment in the same way that profiling for creditworthiness does.