Certified Information Privacy Professional – Europe (CIPP/E) — Question 96

SCENARIO -

Please use the following to answer the next question:

CreditPlaya, SA is an established Spanish online insurance company whose exclusive activity is providing health insurance for legal residents of Spain, regardless of their nationality.

CreditPlaya autonomously manages its own website, through which a potential customer, engaging in a free pre-contractual activity, enters his or her full name, e-mail address, tax identification number (to verify residence in Spain), age, profession, and the full names of any other adult members of his or her family.

With this data, CreditPlaya immediately sends an email granting or denying eligibility for a health insurance policy. In the case of eligibility, the email also contains the eventual cost of the policy and two PDF documents – one with the contractual Terms and Conditions, and the other with the privacy notice as required by Article 13 of the GDPR.

The CreditPlaya Information Tracking System (ITS) is very efficient, with a low rate of unpaid insurance policies. The ITS is automatically fed by the information provided by every applicant, whose data is then used to refine insurance policy rates.

To ensure their back-up procedures, in January 2021 CreditPlaya started sending weekly copies of the whole database with all the applicants' personal data to an independent company in Uruguay. The information was sent through state-of-the-art encrypting tools, but once in Uruguay was stored without any encryption method.

In March 2022, the entire data base stored on the Uruguay's company servers was encrypted by malicious ransomware. There was no evidence that the data was accessed by unauthorized persons, much less altered or exfiltrated. Despite the incident, CreditPlaya found that they could rely on the locally based Spanish back-up information and carry on its activity without interrupting its operations. The incident caused the termination of the professional relationship between the two companies.

The refinement of the CreditPlaya Information Tracking System (ITS) is a processing activity that should be?

Answer options

• A. Explained in the privacy notice, with a list of the special categories of applicants' data.
• B. Specified in the Terms and Conditions document sent to applicants.
• C. Capable of allowing applicants to exercise their Right to Object.
• D. Subject to the explicit consent of the applicants.

Correct answer: C

Explanation

The correct answer is C because the Right to Object allows applicants to contest the processing of their data, which is relevant in the context of refining the ITS. Options A and B do not address the applicants' rights directly, and option D is incorrect as the processing activity in question is likely based on legitimate interests rather than requiring explicit consent.