IAPP Exam CIPP-E Topic 4 Question 110 Discussion

Actual exam question for IAPP's CIPP-E exam
Question #: 110
Topic #: 4

SCENARIO

Please use the following to answer the next question:

Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).

People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.

The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.

The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a

Are the cybersecurity assessors required to sign a data processing agreement with the company in order to comply with the GDPR?

Suggested Answer: D

According to the GDPR, a data processor is any person or entity that processes personal data on behalf of a data controller [1]. A data controller is the one who determines the purposes and means of the processing of personal data [1]. A data processing agreement (DPA) is a contractual document that sets out the rights and obligations of both parties regarding data protection [2]. The GDPR requires that a data controller who engages a data processor must enter into a written contract or legal act along the lines set out in Article 28.3 of the GDPR [3]. The DPA must specify, among other things, the subject matter, duration, nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller [3].

In this scenario, the company is the data controller, as it determines the purposes and means of processing the personal data of its customers. The cybersecurity assessors are data processors, as they process the personal data of the customers on behalf of the company. The assessors have access to the personal data, even if it is encrypted, and they perform a specific technical service for the company. Therefore, the assessors are required to sign a DPA with the company in order to comply with the GDPR. The DPA will define the scope, nature and purpose of the processing, the security measures to be implemented, the notification procedures in case of a data breach, and the rights and obligations of both parties.

Reference:
[1] Article 4 of the GDPR
[2] Data Processing Agreement (Template) - GDPR.eu
[3] Article 28 of the GDPR

