Question 17
Domain 5: Privacy by DesignAn API returns an entire user profile object even though the frontend needs only the display name and avatar. Which privacy issue is most direct?
Correct answer: B
Explanation
This is excessive data exposure because the API returns more personal data than the frontend needs. Privacy principles require data minimization: collect and disclose only what is necessary for the stated purpose, so an overbroad response increases unnecessary exposure of the user profile.
Why each option is right or wrong
A. Proper pseudonymization
B. Excessive data exposure through an overbroad API response
The most direct privacy concern is over-disclosure of personal data: the API is sending the full profile when only two fields are needed, which violates the data minimization principle in GDPR Article 5(1)(c) (personal data must be adequate, relevant and limited to what is necessary). In practice, that means the response should be restricted to the display name and avatar; returning the entire object unnecessarily exposes additional attributes and increases the risk surface without any stated purpose.
C. Adequate data minimization
D. Secure deletion