IAPP CIPM Exam - Topic 7 Question 59 Discussion

Actual exam question for IAPP's CIPM exam

Question #: 59
Topic #: 7

[All CIPM Questions]

Under the General Data Protection Regulation (GDPR), what are the obligations of a processor that engages a sub-processor?

AThe processor must give the controller prior written notice and perform a preliminary audit of the sub-processor.

BThe processor must Obtain the controllers specifiC written authorization and provide annual reports on the sub-processor'S performance.

CThe processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.

DThe processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor.

Show Suggested Answer

Suggested Answer: D

Under the General Data Protection Regulation (GDPR), the obligations of a processor that engages a sub-processor are to obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor. The GDPR defines a processor as a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller. A sub-processor is a third party that is engaged by the processor to carry out specific processing activities on behalf of the controller. The GDPR requires that the processor does not engage another processor without prior specific or general written authorization of the controller. In the case of general written authorization, the processor must inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes. The processor must also ensure that the same data protection obligations as set out in the contract or other legal act between the controller and the processor are imposed on that other processor by way of a contract or other legal act under Union or Member State law, .Reference:[GDPR Article 28], [CIPM - International Association of Privacy Professionals]

by Selma at Mar 09, 2024, 10:26 AM

Limited Time Offer

25%

Off

Get Premium CIPM Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Mike

4 months ago

Yeah, and they should have a solid agreement in place!

upvoted 0 times

...

Chaya

4 months ago

I think they need to get written consent from the controller too.

upvoted 0 times

...

Gail

4 months ago

Wait, does that mean the processor is still liable if the sub-processor messes up?

upvoted 0 times

...

Jerry

4 months ago

Totally agree, compliance is key!

upvoted 0 times

...

Johanna

4 months ago

The processor must ensure the sub-processor complies with GDPR obligations.

upvoted 0 times

...

Flo

5 months ago

I feel like option D sounds right because it mentions compliance with data processing obligations, but I’m a bit confused about the consent part.

upvoted 0 times

...

Carole

5 months ago

I practiced a question similar to this, and I believe the processor must get the controller's authorization before engaging a sub-processor.

upvoted 0 times

...

Juan

5 months ago

I remember something about the processor being liable for the sub-processor's actions, but I can't recall if that was in the context of a written agreement or just general liability.

upvoted 0 times

...

Teddy

5 months ago

I think the processor needs to ensure the sub-processor complies with the same obligations, but I'm not sure if it requires consent or just notification.

upvoted 0 times

...

Helga

5 months ago

I'm feeling pretty confident about this one. The processor has to get written agreement from the sub-processor and make sure they're fully liable to the controller.

upvoted 0 times

...

Ashton

5 months ago

Okay, I think I've got a handle on this. The key is that the processor needs to get the controller's authorization and ensure the sub-processor meets the same data processing obligations.

upvoted 0 times

...

Pauline

5 months ago

Hmm, I'm a bit unsure about the specific requirements here. I'll need to review the GDPR regulations carefully to make sure I get this right.

upvoted 0 times

...

Terrilyn

5 months ago

This question seems straightforward, but I want to make sure I understand the key obligations of the processor under GDPR.

upvoted 0 times

...

Stacey

6 months ago

Hmm, I'm a bit unsure about this one. I know SDN is all about programmable networks, but I'm not totally clear on the specifics of how it handles alternative path finding. I'll have to think this through.

upvoted 0 times

...

Adelaide

6 months ago

Okay, let's see. Based on the options, I'm guessing B and E are probably not correct, since those seem more like general desktop/developer use cases. I'll go with A and D as my final answer.

upvoted 0 times

...

Eve

6 months ago

Okay, let me think this through step-by-step. The gNB is the 5G base station, and the protocol layers include RLC, PDCP, MAC, and SDAP. Based on my understanding, SDAP is the layer that handles QoS mapping, so I'll go with that.

upvoted 0 times

...

Salena

2 years ago

I believe the processor must also ensure the sub-processor complies with data processing obligations equivalent to their own.

upvoted 0 times

...

Diane

2 years ago

I agree with that. It's important for the sub-processor to take responsibility for their actions.

upvoted 0 times

...

Genevieve

2 years ago

I think the processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations.

upvoted 0 times

...

Julene

2 years ago

What are the obligations of a processor that engages a sub-processor?

upvoted 0 times

...