Exin PDPF Exam - Topic 9 Question 93 Discussion

Actual exam question for Exin's PDPF exam

Question #: 93
Topic #: 9

A controller asks a processor to produce a report containing customers who have purchased a particular product more than once in the past 6 months.

The processor provides services to several companies (which in this case are the controllers).

When generating the requested report, it uses customer data collected by another controller, that is, for a different purpose.

Fortunately, the error is noticed in time, the report is not sent, and nobody has had access to this dat

a. In this case, how does the processor need to proceed and what action should the controller take?

AThe processor notifies the Supervisory Authority that a violation has occurred. The controller will be notified and must perform a Data Protection Impact Assessment (DPIA).

BThe processor needs to notify the controller. And the controller can assess whether there were risks to the data subjects.

CThe processor needs to notify the controller so that the controller notifies the Supervisory Authority of the personal data breach.

DAs the error was noticed in time and the report was not sent, there is no need for the processor to inform the controller. The processor must delete the wrong report and generate a new one, this time with the correct data.

Show Suggested Answer

Suggested Answer: B

In the example there is likely to be no risk to the data subjects or if it exists it will be very low, but this does not exempt the processor from notifying the Controller. However, at least the Controller should assess whether there is a need to notify the Supervisory Authority.

by Thad at Jan 05, 2026, 05:16 AM

Limited Time Offer

25%

Off

Get Premium PDPF Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Veronique

3 days ago

Option C is the best choice, they need to inform the authority.

upvoted 0 times

...

Kenny

8 days ago

Wait, are you saying they don’t have to notify anyone since it was caught in time? That seems risky!

upvoted 0 times

...

Leatha

13 days ago

I agree, option B makes the most sense here.

upvoted 0 times

...

Detra

18 days ago

The processor should definitely notify the controller.

upvoted 0 times

...

Casie

24 days ago

I'm just glad I don't have to deal with this kind of data privacy headache. I'll stick to my job of making sure the coffee machine is always full.

upvoted 0 times

...

Dorthy

29 days ago

Option C is the way to go. The processor should notify the controller, and the controller should then notify the Supervisory Authority. Better safe than sorry, right?

upvoted 0 times

...

Louisa

1 month ago

Hmm, I'm not sure. This seems like a tricky situation. Maybe the processor should just go with their gut and delete the report, no need to bother the controller.

upvoted 0 times

...

Vivan

2 months ago

Option D is tempting, but it's better to be safe than sorry. The processor should notify the controller, just to be on the right side of the law.

upvoted 0 times

...

Ahmad

2 months ago

I agree with Antonio. The processor should notify the controller, and the controller can take the necessary actions.

upvoted 0 times

...

Antonio

2 months ago

Option B seems the most appropriate. The processor should notify the controller, and the controller can then assess the risks to the data subjects.

upvoted 0 times

...

Catarina

2 months ago

I feel like the controller has to assess risks if the processor notifies them, so maybe option B is the best choice after all.

upvoted 0 times

...

Haydee

3 months ago

I'm a bit confused about whether the error being caught in time changes the requirement to notify anyone. I think option D might be too simplistic.

upvoted 0 times

...

Ligia

3 months ago

I remember a practice question where the processor had to inform the controller about a data breach. I feel like option B makes sense here too.

upvoted 0 times

...

Salina

3 months ago

I think the processor should notify the controller, but I'm not sure if they also need to inform the Supervisory Authority since the report wasn't sent.

upvoted 0 times

...

Kristine

3 months ago

Ah, I see. Since the error was caught before the report was sent, that changes things. I'll need to weigh the options carefully to determine the best course of action.

upvoted 0 times

...

Shawna

3 months ago

I think the safest approach is to notify the controller and let them handle it from there. Better to err on the side of caution when it comes to personal data breaches.

upvoted 0 times

...

Christoper

3 months ago

I'm a bit confused on the roles here - is the processor the one who generated the report, or the one who collects the customer data? That feels important to understand.

upvoted 0 times

...

Bo

4 months ago

Okay, let's see. The key seems to be that the data was collected for a different purpose, so that could be a problem. I'll need to review the privacy policies and regulations carefully.

upvoted 0 times

...

Alida

4 months ago

Hmm, this seems like a tricky one. I'll need to really think through the data protection implications here.

upvoted 0 times

...