CIPP-E Exam Dumps | An employee of company ABCD has just noticed a memory stick containing records of client data, including

<< Prev Question Next Question >>

Question 92/131

An employee of company ABCD has just noticed a memory stick containing records of client data, including their names, addresses and full contact details has disappeared. The data on the stick is unencrypted and in clear text. It is uncertain what has happened to the stick at this stage, but it likely was lost during the travel of an employee. What should the company do?

A. Notify as soon as possible the data protection supervisory authority that a data breach may have taken place.

B. Launch an investigation and if nothing is found within one month, notify the data protection supervisory authority.

C. Invoke the "disproportionate effort" exception under Article 33 to postpone notifying data subjects until more information can be gathered.

D. Immediately notify all the customers of the company that their information has been accessed by an unauthorized person.

Correct Answer: A

The GDPR requires that in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons1. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed2. In this scenario, the company ABCD is the controller of the client data, and the loss of the memory stick containing unencrypted and clear text personal data is a personal data breach that may pose a risk to the rights and freedoms of the data subjects, such as identity theft, fraud, financial loss, or reputational damage. Therefore, the company ABCD should notify the data protection supervisory authority as soon as possible, and provide the information specified in Article 33(3) of the GDPR, such as the nature of the breach, the categories and number of data subjects and personal data records concerned, the likely consequences of the breach, and the measures taken or proposed to address the breach1. Option A is the correct answer, as it reflects the obligation of the controller under the GDPR. Options B, C and D are incorrect, as they do not comply with the GDPR requirements. Option B would delay the notification beyond the 72-hour deadline, which could result in administrative fines or other sanctions3. Option C would misuse the "disproportionate effort" exception, which only applies to the communication of the breach to the data subjects, not to the notification to the supervisory authority, and only when the controller has implemented appropriate technical and organisational protection measures, such as encryption, that render the personal data unintelligible to any person who is not authorised to access it4. Option D would prematurely notify the customers of the company without first notifying the supervisory authority, and without assessing the level of risk and the necessity of such communication, which should be done in consultation with the supervisory authority5. Reference: 1: Article 33(1) of the GDPR 2: Article 4(12) of the GDPR 3: Article 83(4)(a) of the GDPR 4: Article 34(3)(a) of the GDPR 5: Article 34(1) and (2) of the GDPR

Question 92/131

LEAVE A REPLY

Download PDF File