IAPP Updated CIPP-E Exam Questions and Answers by safiyyah

The “soft opt-in” rule is an exception to the general requirement of obtaining consent before sending electronic mail marketing to individuals. It applies when the following conditions are met12:

• the sender has obtained the contact details of the recipient in the context of the sale or negotiations for the sale of a product or service to that recipient;
• the sender only sends direct marketing relating to its own similar products or services; and
• the recipient has been given a simple opportunity to refuse or opt out of the marketing, both when the details were initially collected and in every subsequent message.

The option B matches these conditions, as it implies that the individual has shown an interest in buying a product from the sender, and that the sender can use the individual’s details to send marketing about similar products, as long as the individual can easily opt out. The other options do not qualify for the “soft opt-in” rule, as they either involve no consent, no prior relationship, or no opt-out mechanism. References: Electronic mail marketing | ICO, Direct marketing rules and exceptions under the GDPR

According to Article 23 of the GDPR, the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, may be restricted by a legislative measure of a Member State or the Union, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard certain public interests or the rights and freedoms of others1. However, Article 23 does not include Article 77, which grants the data subject the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the GDPR2. Therefore, this right cannot be restricted by any legislative measure, as it is essential for the effective judicial protection of the data subject and the enforcement of the GDPR3. References:

• Free CIPP/E Study Guide, page 14, section 2.3
• GDPR, Article 77
• GDPR, Article 23
• Guidelines on restrictions of data subject rights under Art. 23 of the GDPR, page 4, section 2
• Statement on restrictions on data subject rights in connection to the COVID-19 pandemic, page 2, section 2

According to the GDPR, the right to be forgotten, also known as the right to erasure, is not an absolute right and only applies in certain circumstances1. One of the exceptions to this right is when the processing of personal data is necessary for the establishment, exercise or defence of legal claims2. In this scenario, the company may need to retain the personal data of Jack, such as his employment records, performance reviews, and internal emails, in order to defend itself against a possible legal action of unfair dismissal. Therefore, the company should not erase the data at this time, unless it is confident that it has no legal basis to keep it. The company should also inform Jack of the reasons for not complying with his request and of his right to lodge a complaint with a supervisory authority or a judicial remedy3. References: 1: Everything you need to know about the “Right to be forgotten”2: Article 17(3)(e) of the GDPR3: Article 12(4) of the GDPR.