Exam CIPM topic 1 question 147 discussion

A is one of the scenarios that would trigger a DPIA, but it’s not the minimum requirement. The DPIA is necessary not just for special categories of data but whenever the processing is likely to result in high risks to individuals’ rights.

The GDPR sets out the minimum features of a DPIA: A description of the processing, including its purpose and the legitimate interest being pursued he necessity of the processing, its proportionality, and the risks that it poses to data subjects Measures to address the risks identified

It should be C. Necessity and proportionality is a minimum requirement because without the necessity of a DPIA, there is no point of proceeding with the assessment. See here for more details: Answer A is a scenario where a DPIA would be necessary, but it is not the only one, for instance a DPIA would still be necessary for sensitive data handled by a newly released system even when they are not in a large scale.

Assessment of necessty and proportionality (C) is required in a DPIA too, but would typically come AFTER identification and description of what you are processing.

should be A

The correct answer is A. Processing on a large scale of special categories of data. A Data Protection Impact Assessment (DPIA) is a document that helps organizations to identify, assess, and mitigate the privacy risks associated with a new or changed processing activity. It is a requirement under the General Data Protection Regulation (GDPR) for certain types of processing activities, including the processing on a large scale of special categories of data.