New Year Sale 2026! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Exin PDPF Exam - Topic 9 Question 93 Discussion

Actual exam question for Exin's PDPF exam
Question #: 93
Topic #: 9
[All PDPF Questions]

A controller asks a processor to produce a report containing customers who have purchased a particular product more than once in the past 6 months.

The processor provides services to several companies (which in this case are the controllers).

When generating the requested report, it uses customer data collected by another controller, that is, for a different purpose.

Fortunately, the error is noticed in time, the report is not sent, and nobody has had access to this dat

a. In this case, how does the processor need to proceed and what action should the controller take?

Show Suggested Answer Hide Answer
Suggested Answer: B

In the example there is likely to be no risk to the data subjects or if it exists it will be very low, but this does not exempt the processor from notifying the Controller. However, at least the Controller should assess whether there is a need to notify the Supervisory Authority.


by Thad at Jan 05, 2026, 05:16 AM

Limited Time Offer

25%

Off

Get Premium PDPF Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Vivan
12 days ago
Option D is tempting, but it's better to be safe than sorry. The processor should notify the controller, just to be on the right side of the law.
upvoted 0 times
...
Ahmad
17 days ago
I agree with Antonio. The processor should notify the controller, and the controller can take the necessary actions.
upvoted 0 times
...
Antonio
22 days ago
Option B seems the most appropriate. The processor should notify the controller, and the controller can then assess the risks to the data subjects.
upvoted 0 times
...
Catarina
28 days ago
I feel like the controller has to assess risks if the processor notifies them, so maybe option B is the best choice after all.
upvoted 0 times
...
Haydee
1 month ago
I'm a bit confused about whether the error being caught in time changes the requirement to notify anyone. I think option D might be too simplistic.
upvoted 0 times
...
Ligia
1 month ago
I remember a practice question where the processor had to inform the controller about a data breach. I feel like option B makes sense here too.
upvoted 0 times
...
Salina
1 month ago
I think the processor should notify the controller, but I'm not sure if they also need to inform the Supervisory Authority since the report wasn't sent.
upvoted 0 times
...
Kristine
2 months ago
Ah, I see. Since the error was caught before the report was sent, that changes things. I'll need to weigh the options carefully to determine the best course of action.
upvoted 0 times
...
Shawna
2 months ago
I think the safest approach is to notify the controller and let them handle it from there. Better to err on the side of caution when it comes to personal data breaches.
upvoted 0 times
...
Christoper
2 months ago
I'm a bit confused on the roles here - is the processor the one who generated the report, or the one who collects the customer data? That feels important to understand.
upvoted 0 times
...
Bo
2 months ago
Okay, let's see. The key seems to be that the data was collected for a different purpose, so that could be a problem. I'll need to review the privacy policies and regulations carefully.
upvoted 0 times
...
Alida
2 months ago
Hmm, this seems like a tricky one. I'll need to really think through the data protection implications here.
upvoted 0 times
...

Save Cancel