IAPP Certified Information Privacy Professional CIPP-E New Questions

According to Article 14 of the GDPR, if the controller obtains personal data from other sources, such as third parties or publicly accessible sources, the controller must provide the data subject with the necessary privacy information, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, and the rights of the data subject. The controller must provide this information within a reasonable period after obtaining the personal data, but no later than one month, having regard to the specific circumstances in which the personal data are processed. However, there are some exceptions to this rule, such as if the data subject already has the information, if the provision of the information proves impossible or would involve a disproportionate effort, if the obtaining or disclosure of the data is expressly laid down by EU or member state law, or if the personal data must remain confidential subject to an obligation of professional secrecy12. References:

• GDPR, Article 14
• Free CIPP/E Study Guide, page 19, section 2.5.1
• CIPP/E Certification, page 14, section 1.2.1
• Art. 14 GDPR - Information to be provided where personal data have not been obtained from the data subject
• Article 14 GDPR - GDPRhub

The “soft opt-in” rule is an exception to the general requirement of obtaining consent before sending electronic mail marketing to individuals. It applies when the following conditions are met12:

• the sender has obtained the contact details of the recipient in the context of the sale or negotiations for the sale of a product or service to that recipient;
• the sender only sends direct marketing relating to its own similar products or services; and
• the recipient has been given a simple opportunity to refuse or opt out of the marketing, both when the details were initially collected and in every subsequent message.

The option B matches these conditions, as it implies that the individual has shown an interest in buying a product from the sender, and that the sender can use the individual’s details to send marketing about similar products, as long as the individual can easily opt out. The other options do not qualify for the “soft opt-in” rule, as they either involve no consent, no prior relationship, or no opt-out mechanism. References: Electronic mail marketing | ICO, Direct marketing rules and exceptions under the GDPR