Medium · 1 mark · Multiple Choice
CPA · Question 46 · Area II: Security
A company is subject to GDPR. They wish to use customer data for a new purpose (marketing) that was not disclosed when the data was originally collected. What must they typically do?
Answer options:
A. Obtain fresh consent from the data subjects.
B. Proceed if the marketing is in the company's legitimate interest.
C. Anonymize the data and then de-anonymize it later.
D. Pay a fee to the Data Protection Authority.
How to approach this question
GDPR Principle: Purpose Limitation. If you change the purpose, you need new permission.
Full Answer
A. Obtain fresh consent from the data subjects. ✓ Correct
Under GDPR's Purpose Limitation principle, data collected for specified, explicit, and legitimate purposes shall not be further processed in a manner that is incompatible with those purposes. Marketing is often incompatible with original service provision, requiring new consent.
Common mistakes
Assuming 'Legitimate Interest' covers everything.