Question 1
Domain 1: Data Collection, Use, Dissemination, and DestructionA retailer collected return-history data for fraud prevention and now wants to use it to personalize prices. Which technical control best addresses the privacy risk?
Correct answer: A
Explanation
Keeping the fraud dataset segregated limits use to the original purpose and supports data minimization and purpose limitation, which reduce privacy risk. Blocking reuse until a separate justification and controls are approved ensures any new processing has an authorized basis and appropriate safeguards before return-history data is repurposed for pricing.
Why each option is right or wrong
A. Keep the fraud dataset segregated and block reuse until a separate justification and controls are approved
Purpose limitation under GDPR Article 5(1)(b) requires personal data collected for one purpose to be processed for incompatible new purposes only with a fresh lawful basis and compatible safeguards; using return-history data gathered for fraud prevention to set individualized prices is a distinct secondary use. Segregating the dataset and preventing reuse until a separate business justification, DPIA where required under Article 35, and access/processing controls are approved is the control that directly enforces that boundary and reduces unauthorized repurposing risk.
B. Merge the data into the marketing warehouse because the retailer already owns it
C. Reuse the data automatically if the privacy policy mentions analytics
D. Delete all fraud controls before launching the pricing model