Question 35
Domain 5: Protecting Personal Data Through Operational Controls
A data science team wants to keep raw customer voice recordings indefinitely for possible future model training. What is the BEST privacy management response?
Correct answer: A
Explanation
Privacy management should follow data minimization and storage limitation: keep personal data only for a "defined use case" and only as long as needed. Raw voice recordings are highly identifiable, so the team should use "shorter retention" and evaluate "less identifiable alternatives" such as derived features or anonymized data before indefinite storage.
Why each option is right or wrong
A. Require a defined use case, shorter retention, and evaluation of less identifiable alternatives
Under GDPR Article 5(1)(b) and (c), personal data must be collected for specified, explicit purposes and limited to what is necessary, with Article 5(1)(e) requiring storage only for as long as needed for that purpose. Indefinite retention of raw voice recordings would also sit uneasily with the privacy-by-design duty in Article 25, which supports assessing less identifiable alternatives before keeping highly identifying audio in its original form.
B. Approve the request because future value is impossible to predict
C. Move the recordings to archive storage and revisit later
D. Deny any analytics use of audio data