Certified Information Privacy Professional – Europe (CIPP/E) — Question 227

The GDPR's list of processor obligations regarding cloud computing includes all of the following EXCEPT?

Answer options

• A. Controllers must be given notice of any subprocessors and have a right of objection.
• B. Individuals authorized to process the personal data are subject to an obligation of confidentiality.
• C. Any personal data related to data subjects must be securely maintained for a maximum of ten years.
• D. Processors must implement technical and organizational measures to ensure a level of security appropriate to the risk.

Correct answer: C

Explanation

Option C is the correct answer because GDPR does not specify a maximum retention period of ten years for personal data; rather, it emphasizes that data should only be retained as long as necessary. Options A, B, and D all represent valid obligations for processors under GDPR, focusing on notification, confidentiality, and security measures.