Certified Information Privacy Professional – Europe (CIPP/E) — Question 199
A multinational company is appointing a mandatory data protection officer. In addition to considering the rules set out in Article 37(1) of the GDPR, which of the following actions must the company also undertake to ensure compliance in all EU jurisdictions in which it operates?
Answer options
- A. Consult national derogations to evaluate if there are additional cases to be considered in relation to the matter.
- B. Conduct a Data Protection Privacy Assessment on the processing operations of the company in all the countries in which it operates.
- C. Assess whether the company has more than 250 employees in each of the EU Member States in which it is established.
- D. Revise the data processing activities of the company that affect more than one jurisdiction to evaluate whether they comply with the principles of privacy by design and by default.
Correct answer: D
Explanation
The correct answer is D because it is essential for the company to review its data processing practices across different jurisdictions to ensure they align with the GDPR's privacy by design and by default principles. Options A and B, while important, do not directly address the need for compliance across multiple jurisdictions. Option C is irrelevant to GDPR compliance requirements concerning a data protection officer.