
IAPP CIPP-E Exam - Topic 4 Question 110 Discussion

Actual exam question for IAPP's CIPP-E exam
Question #: 110
Topic #: 4

SCENARIO

Please use the following to answer the next question:

Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).

People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.

The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and ticking a checkbox on a separate page in order to get their account approved on the platform.

The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a

Are the cybersecurity assessors required to sign a data processing agreement with the company in order to comply with the GDPR?

Suggested Answer: D

According to the GDPR, a data processor is any person or entity that processes personal data on behalf of a data controller [1]. A data controller is the one who determines the purposes and means of the processing of personal data [1]. A data processing agreement (DPA) is a contractual document that sets out the rights and obligations of both parties regarding data protection [2]. The GDPR requires that a data controller who engages a data processor must enter into a written contract or legal act along the lines set out in Article 28.3 of the GDPR [3]. The DPA must specify, among other things, the subject matter, duration, nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller [3].

In this scenario, the company is the data controller, as it determines the purposes and means of processing the personal data of its customers. The cybersecurity assessors are data processors, as they process the personal data of the customers on behalf of the company. The assessors have access to the personal data, even if it is encrypted, and they perform a specific technical service for the company. Therefore, the assessors are required to sign a DPA with the company in order to comply with the GDPR. The DPA will define the scope, nature and purpose of the processing, the security measures to be implemented, the notification procedures in case of a data breach, and the rights and obligations of both parties.

Reference:
1: Article 4 of the GDPR
2: Data Processing Agreement (Template) - GDPR.eu
3: Article 28 of the GDPR


Contribute your Thoughts:

Melita
3 months ago
Totally agree, they should sign a contract to be compliant with GDPR.
upvoted 0 times
Mabel
3 months ago
I thought they only access encrypted data? Seems like they shouldn't need one.
upvoted 0 times
Caprice
3 months ago
Wait, can they really waive GDPR rights? That sounds sketchy.
upvoted 0 times
Reuben
3 months ago
If they're processing data, they should be treated as data processors for sure!
upvoted 0 times
Oneida
4 months ago
Assessors definitely need a data processing agreement. It's a must!
upvoted 0 times
Dominque
4 months ago
I recall that data processors need to have agreements in place, but I'm unsure if assessors qualify as processors if they don't store the data.
upvoted 0 times
Hannah
4 months ago
I'm leaning towards option D because it seems like assessors would be handling personal data, even if it's encrypted. But I'm not completely confident.
upvoted 0 times
Alpha
4 months ago
I think I saw a similar question about data processing agreements in our practice exams. If they access personal data, they might need a contract, right?
upvoted 0 times
Valentin
5 months ago
I remember discussing the role of data processors and controllers in class, but I'm not entirely sure if assessors fall into one of those categories.
upvoted 0 times
Alesia
5 months ago
I'm feeling pretty confident about this one. The scenario provides a lot of relevant details, and I think I can apply my knowledge of GDPR compliance to determine the correct answer.
upvoted 0 times
Alishia
5 months ago
Okay, I think I've got a strategy for this. I'll focus on identifying the key parties and their data processing activities, then apply the GDPR principles to determine the appropriate legal agreements required.
upvoted 0 times
Rosita
5 months ago
Hmm, I'm a bit confused about the distinction between data controllers and data processors here. I'll need to re-read the details to make sure I understand the nuances.
upvoted 0 times
Antione
5 months ago
This seems like a tricky GDPR compliance question. I'll need to carefully review the scenario and think through the different roles and responsibilities involved.
upvoted 0 times