Free IAPP CIPP-E Actual Exam Questions - Question 9 Discussion

B/D? The website being in English and French and accessible in France (B) alone doesn’t trigger GDPR unless it’s clearly targeting EU residents. But placing cookies to monitor EU user behavior (D) involves processing personal data, which definitely falls under GDPR. So D seems more likely to bring GDPR into play, making B the odd one out. The cookies actively collect data, whereas just language options and access don’t necessarily do that by themselves.

Option B seems off because just having the site in French and English and accessible in France doesn’t by itself mean GDPR applies; there has to be a clear focus on EU customers or data processing.

B imo. Just having the website in English and French and accessible in France doesn’t automatically mean GDPR applies. The key factor is whether the company targets or offers goods/services to EU residents or processes their data. Accessibility alone isn’t enough since anyone can access a website worldwide, but actively offering in euros or targeting EU customers is different. Also, D’s cookie monitoring would usually involve personal data, so GDPR would likely apply there. So, B feels like the weakest trigger on its own here.

C seems off if processing happens only in the U.S., but is presence alone enough?

Good point, C is independent since the processing is outside the EU, so no direct GDPR impact. C

Actually, D isn’t enough by itself either. Just placing cookies to monitor behavior doesn’t trigger GDPR unless it involves personal data or explicit targeting of EU users. So, D could also be a candidate here.

A imo, just pricing in euros and offering widgets in the EU doesn’t alone trigger GDPR unless there’s clear data processing involving EU residents. The actual processing location and data scope matter more here.

Option C, since processing outside the EU might not be enough to trigger GDPR alone.

C