Certified Information Privacy Professional – Europe (CIPP/E) — Question 35
The GDPR specifies fines that may be levied against data controllers for certain infringements. Which of the following infringements would be subject to the less severe administrative fine of up to 10 million euros (or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year)?
Answer options
- A. Failure to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing.
- B. Failure to implement technical and organizational measures to ensure data protection is enshrined by design and default.
- C. Failure to process personal information in a manner compatible with its original purpose.
- D. Failure to provide the means for a data subject to rectify inaccuracies in personal data.
Correct answer: B
Explanation
The correct answer is B. The GDPR places administrative fines in two tiers. The lower tier (up to 10 million euros or 2% of worldwide annual turnover) covers infringements of the obligations placed on controllers and processors, which include the duty to implement technical and organizational measures for data protection by design and by default. The higher tier (up to 20 million euros or 4%) covers infringements of the basic processing principles, the conditions for consent, and the rights of data subjects. Options A (demonstrating consent), C (purpose compatibility) and D (the right to rectification) all fall into that higher tier, so only B attracts the less severe fine.