Certified Information Privacy Professional – Europe (CIPP/E) — Question 283

The GDPR requires controllers to supply data subjects with detailed information about the processing of their data. Where a controller obtains data directly from data subjects, which of the following items of information does NOT legally have to be supplied?

Answer options

• A. The recipients or categories of recipients.
• B. The categories of personal data concerned.
• C. The rights of access, erasure, restriction, and portability.
• D. The right to lodge a complaint with a supervisory authority.

Correct answer: B

Explanation

The correct answer is B because while controllers must inform data subjects about various aspects of data processing, the specific categories of personal data are not mandatory to disclose if the data is obtained directly. Options A, C, and D are required under the GDPR to ensure transparency and inform subjects of their rights.