ExpertHard1 markMultiple Choice
CPA · Question 10 · Area II: Security
Under the General Data Protection Regulation (GDPR), a data subject requests that a company delete all their personal data. The company refuses because the data is required to be retained by tax laws. Which GDPR principle allows the company to refuse this request?
Under the General Data Protection Regulation (GDPR), a data subject requests that a company delete all their personal data. The company refuses because the data is required to be retained by tax laws. Which GDPR principle allows the company to refuse this request?
Answer options:
A.
Legitimate interest
B.
Compliance with a legal obligation
C.
Public interest
D.
Contractual necessity
How to approach this question
GDPR rights have exceptions. If the law says 'keep the data', GDPR does not override that law.
Full Answer
B.Compliance with a legal obligation✓ Correct
Compliance with a legal obligation
Article 17 of GDPR (Right to Erasure) provides exceptions, including when processing is necessary for compliance with a legal obligation which requires processing by Union or Member State law.
Common mistakes
Thinking the Right to Erasure is absolute.
Practice the full CPA ISC Practice Exam 4
82 questions · hints · full answers · grading
More questions from this exam
Q01A CPA is advising a client who is migrating their legacy on-premise ERP system to a cloud environ...HardQ02An auditor is reviewing the Service Level Agreement (SLA) for a client using a public cloud provi...HardQ03A company uses an Infrastructure as a Service (IaaS) model. During an IT audit, the auditor disco...HardQ04An organization is implementing the COSO Enterprise Risk Management (ERM) framework to govern its...HardQ05During a walkthrough of an order-to-cash process, the auditor observes that the sales manager can...Hard