Certified Information Privacy Professional – Europe (CIPP/E) — Question 212

Pursuant to Article 4(5) of the GDPR, data is considered “pseudonymized” if?

Answer options

• A. It cannot be attributed to a data subject without the use of additional information.
• B. It cannot be attributed to a person under any circumstances.
• C. It can only be attributed to a person by the controller.
• D. It can only be attributed to a person by a third party.

Correct answer: A

Explanation

The correct answer is A because pseudonymization involves processing data in a way that it can no longer be attributed to a specific data subject without additional information. Option B is incorrect as pseudonymized data can still potentially be linked to a person under certain conditions. Options C and D are also wrong since attributing data to a person does not solely depend on the controller or third parties.