According to the GDPR, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject1. The data subject also has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her2. Therefore, options A, B and D are valid data access requests that ABC Hotel Chain and XYZ Travel Agency have to honor, as they fall within the scope of the right of access and rectification. However, option C is not a valid data access request, as it involves the right to erasure, which is a separate right from the right of access. The right to erasure, also known as the right to be forgotten, entitles the data subject to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1)3. However, the right to erasure is not absolute and does not apply where processing is necessary: (a) for exercising the right of freedom of expression and information; (b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3); (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or (e) for the establishment, exercise or defence of legal claims4. In this scenario, Mike's request to obtain access and erasure of his personal data while keeping his rewards membership is not a valid data access request, as it contradicts the right to erasure. If Mike wants to exercise his right to erasure, he has to withdraw his consent for the processing of his personal data by ABC Hotel Chain and XYZ Travel Agency, which means that he cannot keep his rewards membership, as it is based on the processing of his personal data. Moreover, ABC Hotel Chain and XYZ Travel Agency may have other legal grounds for retaining his personal data, such as compliance with a legal obligation or the establishment, exercise or defence of legal claims. Therefore, option C is the correct answer, as it is the only situation where ABC Hotel Chain and XYZ Travel Agency do not have to honor Mike's data access request. Reference: 1: Article 15 of the GDPR; 2: Article 16 of the GDPR; 3: Article 17(1) of the GDPR; 4: Article 17(3) of the GDPR; Free CIPP/E Study Guide, pages 33-35.