Which of the following is TRUE about the Data Protection Impact Assessment (DPIA) process as required under the General Data Protection Regulation (GDPR)?
A. The DPIA result must be reported to the corresponding supervisory authority.
B. The DPIA report must be published to demonstrate the transparency of the data processing.
C. The DPIA must include a description of the proposed processing operation and its purpose.
D. The DPIA is required if the processing activity entails risk to the rights and freedoms of an EU individual.
Answer: C
Explanation:
The statement that is true about the Data Protection Impact Assessment (DPIA) process as required under the General Data Protection Regulation (GDPR) is that the DPIA must include a description of the proposed processing operation and its purpose.
According to Article 35(7) of the GDPR, a DPIA shall contain at least:
“a systematic description of the envisaged processing operations and the purposes of the processing”;
“an assessment of the necessity and proportionality of the processing operations in relation to the purposes”;
“an assessment of the risks to the rights and freedoms of data subjects”;
“the measures envisaged to address the risks”, including “safeguards”, “security measures” and “mechanisms to ensure the protection of personal data” and “to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned”. [5]
Therefore, a DPIA must include a description of what data processing activities are planned and why they are needed as part of its content. This helps to provide a clear overview of the processing operation and its objectives as well as to assess its necessity and proportionality in relation to its purposes. [6]
Reference: 5: General Data Protection Regulation (GDPR) – Official Legal Text, Article 35(7); 6: Data protection impact assessments | ICO