Certified Information Privacy Professional – Europe (CIPP/E) — Question 138

Company X has entrusted the processing of their payroll data to Provider Y. Provider Y stores this encrypted data on its server. The IT department of Provider Y finds out that someone managed to hack into the system and take a copy of the data from its server. In this scenario, whom does Provider Y have the obligation to notify?

Answer options

• A. The public
• B. Company X
• C. Law enforcement
• D. The supervisory authority

Correct answer: B

Explanation

Provider Y is obligated to notify Company X because they are the data owner and have a vested interest in the security of their payroll information. While law enforcement and supervisory authorities may also need to be informed, the immediate obligation lies with the entity that owns the data, which is Company X.