Certified Information Privacy Manager (CIPM) — Question 76

Under the General Data Protection Regulation (GDPR), what must be included in a written agreement between the controller and processor in relation to processing conducted on the controller's behalf?

Answer options

• A. An obligation on the processor to report any personal data breach to the controller within 72 hours.
• B. An obligation on both parties to report any serious personal data breach to the supervisory authority.
• C. An obligation on both parties to agree to a termination of the agreement if the other party is responsible for a personal data breach.
• D. An obligation on the processor to assist the controller in complying with the controller's obligations to notify the supervisory authority about personal data breaches.

Correct answer: D

Explanation

The correct answer is D, as the GDPR mandates that the processor must assist the controller in fulfilling their obligations, including notifying the supervisory authority about personal data breaches. Options A, B, and C, while relevant, do not specifically address the requirement for the processor to assist the controller in compliance with notification duties.