Exin PDPF Exam - Topic 9 Question 93 Discussion

A controller asks a processor to produce a report containing customers who have purchased a particular product more than once in the past 6 months.

The processor provides services to several companies (which in this case are the controllers).

When generating the requested report, it uses customer data collected by another controller, that is, for a different purpose.

Fortunately, the error is noticed in time, the report is not sent, and nobody has had access to this data. In this case, how does the processor need to proceed and what action should the controller take?

A) The processor notifies the Supervisory Authority that a violation has occurred. The controller will be notified and must perform a Data Protection Impact Assessment (DPIA).
B) The processor needs to notify the controller. And the controller can assess whether there were risks to the data subjects.
C) The processor needs to notify the controller so that the controller notifies the Supervisory Authority of the personal data breach.
D) As the error was noticed in time and the report was not sent, there is no need for the processor to inform the controller. The processor must delete the wrong report and generate a new one, this time with the correct data.

Actual exam question for Exin's PDPF exam
Question #: 93
Topic #: 9
Suggested Answer: B

In the example there is likely to be no risk to the data subjects or if it exists it will be very low, but this does not exempt the processor from notifying the Controller. However, at least the Controller should assess whether there is a need to notify the Supervisory Authority.


Norah
22 days ago
I feel like option A is overkill. Just notify the controller, right?
upvoted 0 times
...
Ming
28 days ago
Option D seems too relaxed. We can't ignore the error.
upvoted 0 times
...
Judy
1 month ago
I agree, but what if there were risks? Option C might be safer.
upvoted 0 times
...
Tiara
1 month ago
I think option B is the best. Notify the controller first.
upvoted 0 times
...
Novella
1 month ago
I’m surprised they even used data from another controller like that!
upvoted 0 times
...
Veronique
2 months ago
Option C is the best choice, they need to inform the authority.
upvoted 0 times
...
Kenny
2 months ago
Wait, are you saying they don’t have to notify anyone since it was caught in time? That seems risky!
upvoted 0 times
...
Leatha
2 months ago
I agree, option B makes the most sense here.
upvoted 0 times
...
Detra
2 months ago
The processor should definitely notify the controller.
upvoted 0 times
...
Casie
2 months ago
I'm just glad I don't have to deal with this kind of data privacy headache. I'll stick to my job of making sure the coffee machine is always full.
upvoted 0 times
...
Dorthy
2 months ago
Option C is the way to go. The processor should notify the controller, and the controller should then notify the Supervisory Authority. Better safe than sorry, right?
upvoted 0 times
...
Louisa
3 months ago
Hmm, I'm not sure. This seems like a tricky situation. Maybe the processor should just go with their gut and delete the report, no need to bother the controller.
upvoted 0 times
...
Vivan
3 months ago
Option D is tempting, but it's better to be safe than sorry. The processor should notify the controller, just to be on the right side of the law.
upvoted 0 times
...
Ahmad
4 months ago
I agree with Antonio. The processor should notify the controller, and the controller can take the necessary actions.
upvoted 0 times
...
Antonio
4 months ago
Option B seems the most appropriate. The processor should notify the controller, and the controller can then assess the risks to the data subjects.
upvoted 0 times
...
Catarina
4 months ago
I feel like the controller has to assess risks if the processor notifies them, so maybe option B is the best choice after all.
upvoted 0 times
...
Haydee
4 months ago
I'm a bit confused about whether the error being caught in time changes the requirement to notify anyone. I think option D might be too simplistic.
upvoted 0 times
...
Ligia
4 months ago
I remember a practice question where the processor had to inform the controller about a data breach. I feel like option B makes sense here too.
upvoted 0 times
...
Salina
4 months ago
I think the processor should notify the controller, but I'm not sure if they also need to inform the Supervisory Authority since the report wasn't sent.
upvoted 0 times
...
Kristine
5 months ago
Ah, I see. Since the error was caught before the report was sent, that changes things. I'll need to weigh the options carefully to determine the best course of action.
upvoted 0 times
...
Shawna
5 months ago
I think the safest approach is to notify the controller and let them handle it from there. Better to err on the side of caution when it comes to personal data breaches.
upvoted 0 times
...
Christoper
5 months ago
I'm a bit confused on the roles here - is the processor the one who generated the report, or the one who collects the customer data? That feels important to understand.
upvoted 0 times
...
Bo
5 months ago
Okay, let's see. The key seems to be that the data was collected for a different purpose, so that could be a problem. I'll need to review the privacy policies and regulations carefully.
upvoted 0 times
...
Alida
5 months ago
Hmm, this seems like a tricky one. I'll need to really think through the data protection implications here.
upvoted 0 times
...