ExamTopics Logo
Mail Us[email protected]
Menu
Iapp Discussions
exam questions

Exam CIPP-E All Questions

View all questions & answers for the CIPP-E exam
Go to Exam

Exam CIPP-E topic 1 question 115 discussion

Actual exam question from IAPP's CIPP-E
Question #: 115
Topic #: 1
[All CIPP-E Questions]

To provide evidence of GDPR compliance, a company performs an internal audit. As a result, it finds a data base, password-protected, listing all the social network followers of the client.
Regarding the domain of the controller-processor relationships, how is this situation considered?

  • A. Compliant with the security principle, because the data base is password-protected.
  • B. Non-compliant, because the storage of the data exceeds the tasks contractually authorized by the controller.
  • C. Not applicable, because the data base is password protected, and therefore is not at risk of identifying any data subject.
  • D. Compliant with the storage limitation principle, so long as the internal auditor permanently deletes the data base.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by Ssourav at Aug. 1, 2024, 4:56 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
a4007d1
8 months, 3 weeks ago
The correct answer is: **B. Non-compliant, because the storage of the data exceeds the tasks contractually authorized by the controller.** ### Explanation: In GDPR, controllers determine the purposes and means of processing personal data, while processors act only on the instructions of the controller. If a processor (or even a controller) is found storing data beyond what is authorized by the controller (e.g., beyond what is necessary for the agreed-upon tasks), this constitutes non-compliance. - **A** is incorrect because password protection alone does not address compliance with the GDPR's other principles, such as purpose limitation and data minimization. - **C** is incorrect because password protection does not negate the risk of identifying data subjects, especially if the data includes identifiable information (like social network followers). - **D** is incorrect because simply deleting the data afterward does not make the original storage compliant with the GDPR. The storage must have been authorized and limited to the necessary duration from the beginning.
upvoted 1 times
...
8d60157
9 months, 2 weeks ago
Selected Answer: A
A, we have no information about the instructions from the controller so it cannot be B.
upvoted 1 times
...
aliblabla
10 months, 4 weeks ago
Selected Answer: A
There is no information about the authorization/purpose and means of the controller, so we do not know if this password protected database is part of the instruction of the controller or not. For all we know this is part of the instruction of controller. To assume that it is not, is guessing. Therefore A is the best answer.
upvoted 2 times
...
0529117
11 months, 2 weeks ago
It's A
upvoted 1 times
...
Ssourav
11 months, 2 weeks ago
Selected Answer: B
Relevant Legislation: GDPR Article 28(3): Specifies that a processor must process personal data only on documented instructions from the controller. GDPR Article 5(1)(e): Refers to the storage limitation principle, which requires personal data to be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Therefore, the correct answer is B. Non-compliant, because the storage of the data exceeds the tasks contractually authorized by the controller.
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel