Certified Information Privacy Professional – Europe (CIPP/E) — Question 207

SCENARIO -
Please use the following to answer the next question:
ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.
Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain’s locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.
Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.
In which of the following situations would ABC Hotel Chain and XYZ Travel Agency NOT have to honor Mike’s data access request?

Answer options

• A. The request is to obtain access and correct inaccurate personal data in his profile.
• B. The request is to obtain access and information about the purpose of processing his personal data.
• C. The request is to obtain access and erasure of his personal data while keeping his rewards membership.
• D. The request is to obtain access and the categories of recipients who have received his personal data to process his rewards membership.

Correct answer: C

Explanation

The correct answer is C because while Mike can request access to his data, he cannot demand erasure of his personal data if it is necessary for maintaining his rewards membership. The other requests (A, B, and D) pertain to accessing information or correcting inaccuracies, which are typically honored under data subject rights.