CompTIA Security+ (SY0-701) — Question 584

A retail company receives a request to remove a customer's data. Which of the following is the retail company considered under GDPR legislation?

Answer options

• A. Data processor
• B. Data controller
• C. Data subject
• D. Data custodian

Correct answer: B

Explanation

The correct answer is B, as a data controller is responsible for determining how customer data is processed and ensuring compliance with GDPR requirements. Options A and D do not apply because a data processor acts on behalf of the controller, while a data custodian typically refers to the management of data storage rather than data rights. C, data subject, refers to the individual whose data is being processed.