Certified Information Privacy Professional – Europe (CIPP/E) — Question 92

In which case would a controller who has undertaken a DPIA most likely need to consult with a supervisory authority?

Answer options

• A. Where the DPIA identifies that personal data needs to be transferred to other countries outside of the EEA.
• B. Where the DPIA identifies high risks to individuals’ rights and freedoms that the controller can take steps to reduce.
• C. Where the DPIA identifies that the processing being proposed collects the sensitive data of EU citizens.
• D. Where the DPIA identifies risks that will require insurance for protecting its business interests.

Correct answer: B

Explanation

The correct answer is B because consulting with a supervisory authority is required when high risks to individuals' rights and freedoms are identified that cannot be sufficiently mitigated by the controller. Options A, C, and D do not necessarily trigger the requirement for consultation, as they relate to data transfers, sensitivity of data, and business interests rather than direct risks to individuals' rights.