Certified Information Privacy Professional – Europe (CIPP/E) — Question 53

A data controller appoints a data protection officer. Which of the following conditions would NOT result in an infringement of Articles 37 to 39 of the GDPR?

Answer options

• A. If the data protection officer lacks ISO 27001 auditor certification.
• B. If the data protection officer is provided by the data processor.
• C. If the data protection officer also manages the marketing budget.
• D. If the data protection officer receives instructions from the data controller.

Correct answer: A

Explanation

The correct answer is A because lacking ISO 27001 auditor certification does not inherently violate GDPR provisions concerning the role and responsibilities of a data protection officer. Options B, C, and D could lead to conflicts of interest or undermine the officer's independence, which are concerns under GDPR Articles 37 to 39.