Certified Information Privacy Manager (CIPM) — Question 27

Which of the following best describes proper compliance for an international organization using Binding Corporate Rules (BCRs) as a controller or processor?

Answer options

• A. Employees must sign an ad hoc contractual agreement each time personal data is exported.
• B. All employees are subject to the rules in their entirety, regardless of where the work is taking place.
• C. All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.
• D. Employees who control personal data must complete a rigorous certification procedure, as they are exempt from legal enforcement.

Correct answer: B

Explanation

The correct answer is B because Binding Corporate Rules require all employees to comply fully with the rules, irrespective of their location, ensuring consistent data protection practices. Option A is incorrect as BCRs do not necessitate ad hoc agreements for each data export. Option C is misleading because it suggests compliance only with local laws, which contradicts the comprehensive nature of BCRs. Option D is wrong since employees who handle personal data are not exempt from legal enforcement and must comply with regulatory standards.