Exam CIPP-E All QuestionsBrowse all questions from this exam
Go to Exam
Question 112

SCENARIO -

Please use the following to answer the next question:

CreditPlaya, SA is an established Spanish online insurance company whose exclusive activity is providing health insurance for legal residents of Spain, regardless of their nationality.

CreditPlaya autonomously manages its own website, through which a potential customer, engaging in a free pre-contractual activity, enters his or her full name, e-mail address, tax identification number (to verify residence in Spain), age, profession, and the full names of any other adult members of his or her family.

With this data, CreditPlaya immediately sends an email granting or denying eligibility for a health insurance policy. In the case of eligibility, the email also contains the eventual cost of the policy and two PDF documents – one with the contractual Terms and Conditions, and the other with the privacy notice as required by Article 13 of the GDPR.

The CreditPlaya Information Tracking System (ITS) is very efficient, with a low rate of unpaid insurance policies. The ITS is automatically fed by the information provided by every applicant, whose data is then used to refine insurance policy rates.

To ensure their back-up procedures, in January 2021 CreditPlaya started sending weekly copies of the whole database with all the applicants' personal data to an independent company in Uruguay. The information was sent through state-of-the-art encrypting tools, but once in Uruguay was stored without any encryption method.

In March 2022, the entire data base stored on the Uruguay's company servers was encrypted by malicious ransomware. There was no evidence that the data was accessed by unauthorized persons, much less altered or exfiltrated. Despite the incident, CreditPlaya found that they could rely on the locally based Spanish back-up information and carry on its activity without interrupting its operations. The incident caused the termination of the professional relationship between the two companies.

The privacy notice provided by CreditPlaya contravenes Article 13 of the GDPR because?

    Correct Answer: A

    The privacy notice provided by CreditPlaya contravenes Article 13 of the GDPR because the document is delivered after the personal data has been obtained. According to Article 13, the data subject must be informed of the privacy notice 'at the time when personal data are obtained.' Since CreditPlaya sends the privacy notice after collecting the personal data, this violates the GDPR requirements.

Discussion
blasto767Option: A

Answer is A https://gdpr-info.eu/art-13-gdpr/

GrzesztofOption: A

'Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information(...)'