What should a controller do after a data subject opts out of a direct marketing...

IAPP CIPP-E Question Answer

What should a controller do after a data subject opts out of a direct marketing activity?

Without exception, securely delete all personal data relating to the data subject.

Without undue delay, provide information to the data subject on the action that will be taken.

Refrain from processing personal data relating to the data subject for the relevant type of communication.

Take reasonable steps to inform third-party recipients that the data subject’s personal data should be deleted and no longer processed.

Explanation:

According to Article 21 of the GDPR, the data subject has the right to object at any time to the processing of his or her personal data for direct marketing purposes, which includes profiling related to such marketing. When the data subject exercises this right, the controller must stop processing the personal data for that purpose, unless it can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims. The controller must also inform the data subject of this right before the first communication with him or her, and in a clear and separate manner from other information. The controller must also provide the data subject with a simple and effective way to opt out of receiving direct marketing communications, such as an unsubscribe link or a STOP text message. The controller must respect the data subject’s choice and refrain from sending any further direct marketing messages of the relevant type (e.g., email, phone, post, etc.) to the data subject, unless he or she opts in again. The controller does not need to delete the personal data of the data subject who opts out, unless the data subject also requests the erasure of his or her data under Article 17 of the GDPR, or the data is no longer necessary for the purposes for which it was collected or processed. The controller may also retain some minimal information about the data subject (such as name and email address) to ensure that his or her opt-out request is honored and that he or she is not contacted again for direct marketing purposes. The controller must also ensure that any third parties to whom it has disclosed the personal data of the data subject for direct marketing purposes are informed of the opt-out request and comply with it, unless this proves impossible or involves disproportionate effort. References: Direct marketing rules and exceptions under the GDPR, Direct marketing and privacy and electronic communications, Marketing and advertising: the law: Direct marketing, Direct Marketing - What you need to know about direct marketing

CIPP-E PDF/Engine

Printable Format
Value of Money
100% Pass Assurance
Verified Answers
Researched by Industry Experts
Based on Real Exams Scenarios
100% Real Questions

Get 65% Discount on All Products, Use Coupon: "ac4s65"

With the issue of consent, the GDPR allows member states some choice regarding what?

A company is hesitating between Binding Corporate Rules and Standard Contractual Clauses as a global...

Weekend Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: ac4s65

What should a controller do after a data subject opts out of a direct marketing...

The Answer Is:

Explanation:

Quick Links