IAPP CIPP-E Exam - Topic 4 Question 112 Discussion

Actual exam question for IAPP's CIPP-E exam

Question #: 112
Topic #: 4

Which aspect of processing does the GDPR allow processors to determine for themselves?

AThe question of whether the controller needs to be informed about the substitution of another processor carrying out specific processing activities on behalf of the controller.

BTheir own purposes for the processing, if such purposes are compatible with those for which the personal data were initially collected.

CThe parameters of their marketing campaigns using personal data relating to the controller's customers.

DTheir own type of hardware or software and the specific security measures for the processing.

Show Suggested Answer

Suggested Answer: D

The GDPR defines processors as entities that process personal data on behalf of controllers, typically under a contract or other legal act that sets out the subject matter, duration, nature, purpose, type and categories of personal data, and the obligations and rights of the controller. Processors must act only on the documented instructions of the controller, unless required by law to act otherwise. Processors must also comply with the GDPR's requirements regarding the security, confidentiality, transfer, sub-processing, notification, assistance, cooperation, and documentation of the personal data processing.

However, the GDPR does not prescribe the exact technical and organisational measures that processors must implement to ensure the security of the personal data processing. Instead, the GDPR requires that processors take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of data subjects. Therefore, processors have some discretion to determine their own type of hardware or software and the specific security measures for the processing, as long as they provide a level of security appropriate to the risk and comply with the controller's instructions. Processors may also adhere to approved codes of conduct or certification mechanisms to demonstrate their compliance with the GDPR's security requirements.

The other options listed in the question are not aspects of processing that the GDPR allows processors to determine for themselves. According to the GDPR:

Processors must inform the controller of any intended changes concerning the addition or replacement of other processors, and give the controller the opportunity to object to such changes. Processors must also impose the same data protection obligations on any sub-processors as those agreed with the controller.

Processors must not process the personal data for their own purposes, unless they have a legal basis to do so and inform the data subjects accordingly. Processors must only process the personal data for the purposes determined by the controller, and in accordance with the controller's instructions.

Processors must not use the personal data relating to the controller's customers for their own marketing campaigns, unless they have obtained the consent of the data subjects or have another legitimate interest to do so. Processors must respect the data subjects' rights to object to direct marketing and to withdraw their consent at any time.

GDPR, Articles 4, 28, 29, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42 and 43.

EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, pages 19, 20, 21, 22, 23, 24, 25, 26, 27 and 28.

by Arminda at Aug 16, 2025, 07:58 PM

Limited Time Offer

25%

7 months ago

I think the answer is B.

upvoted 0 times

...