Question 12
Domain 1: Data Collection, Use, Dissemination, and Destruction
A newsletter sign-up form asks for date of birth, gender, employer, and phone number even though only an email address is needed to send the newsletter. What is the BEST fix?
Correct answer: C
Explanation
Data minimization requires collecting only what is needed for a stated purpose. Since the newsletter only needs an email address, fields like date of birth, gender, employer, and phone number should be removed because they are not necessary for sending the newsletter.
Why each option is right or wrong
A. Add more optional fields so the company can learn even more
B. Keep all fields because some users may not mind sharing them
C. Remove the fields that are not necessary for the stated purpose
Article 5(1)(c) GDPR requires personal data to be "adequate, relevant and limited to what is necessary" for the purpose stated, and Article 5(1)(b) requires collection for specified, explicit purposes. Here, the only stated purpose is sending a newsletter by email, so date of birth, gender, employer, and phone number are not necessary inputs and should be removed from the form; collecting them would exceed the minimum needed for that purpose.
D. Hide the extra fields after submission rather than deleting them