Certified Information Privacy Manager (CIPM) — Question 154
Under the General Data Protection Regulation (GDPR), what are the obligations of a processor that engages a sub-processor?
Answer options
- A. The processor must give the controller prior written notice and perform a preliminary audit of the sub-processor.
- B. The processor must obtain the controller's specific written authorization and provide annual reports on the sub-processor's performance.
- C. The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.
- D. The processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor.
Correct answer: D
Explanation
The correct answer is D because the GDPR mandates that the processor must ensure that any sub-processor it engages complies with data processing obligations similar to its own. Options A, B, and C do not reflect the specific requirements set forth in the GDPR regarding the consent and compliance obligations related to sub-processors.