Exam CIPP-E topic 1 question 102 discussion

When data is pseudonymized, the GDPR provides more latitude for organizations to process it beyond its original collection purpose. This is because the data is less likely to be used to identify individuals and therefore poses less of a risk to their privacy.

A. When the data has been pseudonymized. Relevant Legislation: GDPR Recital 28: Encourages the use of pseudonymization as a method to enhance privacy protections while allowing data to be processed for purposes beyond the original collection. GDPR Article 6(4): Specifies the conditions under which further processing for purposes other than those for which the personal data were initially collected may be considered compatible, including considerations of appropriate safeguards like pseudonymization.

Article 6(4) Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia: ... the existence of appropriate safeguards, which may include encryption or pseudonymisation.

The answer should be A. GDPR Art.6 (4): Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent... the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia: e) the existence of appropriate safeguards, which may include encryption or psudonymisation.