Certified Information Privacy Professional – Europe (CIPP/E) — Question 245

If a company receives an anonymous email demanding ransom for the stolen personal data of its clients, what must the company do next, per GDPR requirements?

Answer options

• A. Notify the police and file a criminal complaint about the incident.
• B. Start an investigation to understand the incident's possible scope, duration and nature.
• C. Send a notification to the competent supervisory authority describing the incident.
• D. Send an email about the incident to all clients and ask them to change their passwords.

Correct answer: C

Explanation

According to GDPR, the company is required to notify the competent supervisory authority about the data breach. While notifying the police (A) and investigating the incident (B) are important, they do not fulfill the immediate GDPR obligation. Sending an email to clients (D) is also not a requirement under GDPR before notifying the supervisory authority.