Free IAPP CIPP-E Actual Exam Questions - Question 2 Discussion

Question No. 2
SCENARIO
Please use the following to answer the next question:
BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on
sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how
extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with
Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided
to share its existing customer information – name, location, and prior purchase history – with Natural
Insight. Natural Insight intends to use this information to train its algorithm to help determine the
price point at which BHealthy can sell its new sunscreens.
Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s security practices
and concluded that the company has sufficient security measures to protect the contact information.
Additionally, BHealthy’s data processing contractual terms with Natural Insight require continued
implementation of technical and organisational measures. The contract also restricts use of the data
provided by BHealthy to the provision of the services, which include use of the data for continued
improvement of Natural Insight’s machine learning algorithms.
Under the GDPR, what are Natural Insight’s security obligations with respect to the customer
information it received from BHealthy?
Irfan F.
2026-02-20

It’s A because GDPR demands continuous, appropriate security that matches industry practices, not just a one-time check or what feels reasonable to individuals. Security has to keep evolving with new threats.

0
Vikas E.
2026-02-18

It’s A. GDPR calls for ongoing appropriate security aligned with industry standards, not just what was agreed at the start or based on customer expectations alone. Natural Insight has to keep up with evolving risks.

0
Ali V.
2026-02-10

Guessing A, since GDPR needs ongoing appropriate security, not just initial checks.

0
Sarah R.
2026-01-20

This one feels like A because GDPR needs security that's appropriate and aligned with industry standards, not just whatever was initially checked or some vague ‘reasonable expectation.’ So A it is.

0
Sarah R.
2026-01-20

D imo. The GDPR doesn’t demand absolute security (so not C), but it requires a level that meets what a reasonable person would expect given the sensitivity of the data. Since purchase history is involved, which is personal but not super sensitive like health data, Natural Insight should apply security measures that reflect that expectation. Also, the contract terms don’t limit their security obligations just to what BHealthy checked initially, so B is out. A is close but a bit vague compared to what D states about reasonable expectations.

0
Sarah R.
2026-01-17

Option A makes the most sense here. Natural Insight has to provide appropriate security measures, which should align with industry standards for handling customer data like names and purchase histories. It’s not about absolute security (C), which is unrealistic, or just sticking to what BHealthy checked before (B). And D feels too vague and subjective — what a data subject expects might differ a lot. The GDPR requires suitable technical and organizational measures, so A fits best with that principle.

0
Sarah R.
2026-01-15

Probably A

0