OneTrust Certified Privacy Professional Practice Exam 2026 - Free Privacy Professional Practice Questions and Study Guide

Under the General Data Protection Regulation (GDPR), organizations are indeed required to inform data subjects before profiling them. This requirement is grounded in the principles of transparency and fairness, which are pivotal to data protection. When individuals' data is used to create profiles that could significantly affect them, they must be made aware of this practice.

Profiling under GDPR refers to any automated processing of personal data to evaluate certain personal aspects related to a natural person, including analyzing or predicting aspects concerning that person’s performance at work, economic situation, health, preferences, interests, reliability, behavior, location, or movements. The regulation ensures that data subjects are informed about the existence of profiling, the logic involved, and the potential consequences of such processing.

This obligation exists to empower individuals with the knowledge and control over their personal data, ensuring they understand how their information is processed and the implications it may have. This proactive communication must occur at the time of data collection or when profiling is initiated.

The other options, while they might suggest scenarios around notification and profiling, do not fully capture the essential requirement of informing data subjects in all cases of profiling as mandated by GDPR.