Certified Information Privacy Professional – Europe (CIPP/E) — Question 270

A private company has establishments in France, Poland, the United Kingdom and, most prominently, Germany, where its headquarters is established. The company offers its services worldwide. Most of the services are designed in Germany and supported in the other establishments. However, one of the services, a Software as a Service (SaaS) application, was defined and implemented by the Polish establishment. It is also supported by the other establishments.

What is the lead supervisory authority for the SaaS service?

Answer options

• A. The supervisory authority of Germany at federal level.
• B. The supervisory authority of Germany at regional level.
• C. The supervisory authority of the Republic of Poland.
• D. The supervisory authority of the European Union.

Correct answer: C

Explanation

The correct answer is C because the SaaS service was defined and implemented by the Polish establishment, making Poland the lead supervisory authority according to the GDPR. The other options are incorrect as they pertain to Germany or the EU, which do not have jurisdiction over a service created in Poland.