Certified Information Privacy Professional – Europe (CIPP/E) — Question 243
After detecting an intrusion involving the theft of unencrypted personal data, who shall the breached company notify first under GDPR requirements?
Answer options
- A. Any parents of children whose personal data was compromised.
- B. Any affected customers whose data was compromised.
- C. A competent supervisory authority.
- D. A local law enforcement agency.
Correct answer: C
Explanation
Under GDPR, the first notification must be made to a competent supervisory authority when a data breach occurs. While affected customers and parents of children whose data was compromised need to be informed, this is required after the supervisory authority has been notified. Local law enforcement may also be involved, but it is not the first point of contact under GDPR.