Certified Information Privacy Professional – Europe (CIPP/E) — Question 204
An organization receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal data. Under what condition can the organization charge the data subject a fee for processing the request?
Answer options
- A. Only where the organization can show that it is reasonable to do so because more than one request was made.
- B. Only to the extent this is allowed under the restrictions on data subjects’ rights introduced under Art 23 of GDPR.
- C. Only where the administrative costs of taking the action requested exceed a certain threshold.
- D. Only if the organization can demonstrate that the request is clearly excessive or misguided.
Correct answer: D
Explanation
The correct answer is D because organizations may charge a fee when a request is clearly excessive or misguided, as this prevents abuse of the rights granted under GDPR. Options A and C do not align with GDPR stipulations regarding fees, while B refers to restrictions that do not inherently justify charging a fee.