Explore the complexities of Direct Marketing consent under GDPR with a case study of WonderKids, a childcare booking service. Learn about legitimate interest, data retention, and user rights.

Question

WonderkKids provides an online booking service for childcare. WonderKids is based in France, but hosts its website through a company in Switzerland. As part of their service, WonderKids will pass all Personal data provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person booking the childcare, address and contact details, as well as information about the children to be cared for including name, age, gender and health information. The privacy statement on WonderKids’ website states the following:

“WonderkKids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may also use your and your child’s personal information for our own legitimate business purposes and we employ a third-party website hosting company located in Switzerland to store the data. Any data stored on equipment located in Switzerland meets the European Commission provisions for guaranteeing adequate safeguards for you and your child’s personal information. We will only share you and your child’s personal information with businesses that we see as adding real value to you. By providing us with any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers.”

“We may retain you and your child’s personal information for no more than 28 days, at which point the data will be depersonalized, unless your personal information is being used for a legitimate business purpose beyond 28 days where it may be retained for up to 2 years.”

“We are processing you and your child’s personal information with your consent. If you choose not to provide certain information to us, you may not be able to use our services. You have the right to: request access to you and your child’s personal information; rectify or erase you or your child’s personal information; the right to correction or erasure of you and/or your child’s personal information; object to any processing of you and your child’s personal information. You also have the right to complain to the supervisory authority about our data processing activities.”

What direct marketing information can WonderKids send by email without prior consent of the person booking the childcare?

A. No marketing information at all.
B. Any marketing information at all.
C. Marketing information related to other business operations of WonderKids.
D. Marketing information for products or services similar to those purchased from WonderKids.

Answer

C. Marketing information related to other business operations of WonderKids.

Explanation

Consent for Data Sharing: The privacy statement clearly indicates the requirement of consent for sharing personal information with affiliated businesses for promotional offers. This implies that direct marketing for services beyond WonderKids’ core offerings necessitates explicit consent.

Legitimate Interest: While “legitimate business purposes” are mentioned, the context suggests this pertains to internal operations rather than direct marketing of unrelated services.

Data Retention: The statement specifies data retention periods for different purposes, but it does not exempt direct marketing from consent requirements.

IAPP CIPP-E certification exam practice question and answer (Q&A) dump with detail explanation and reference available free, helpful to pass the IAPP CIPP-E exam and earn IAPP CIPP-E certification.

The post IAPP CIPP-E: Case Study to Understand Direct Marketing Consent under GDPR appeared first on PUPUWEB - Tech Solution and Advice from Pro.