Certified Information Privacy Professional – Europe (CIPP/E) — Question 28

Under Article 30 of the GDPR, controllers are required to keep records of all of the following EXCEPT?

Answer options

• A. Incidents of personal data breaches, whether disclosed or not.
• B. Data inventory or data mapping exercises that have been conducted.
• C. Categories of recipients to whom the personal data have been disclosed.
• D. Retention periods for erasure and deletion of categories of personal data.

Correct answer: A

Explanation

The correct answer is A because while controllers must document various aspects of data handling, incidents of personal data breaches are not explicitly required to be included in the records. Options B, C, and D are all mandatory records that controllers must maintain under GDPR compliance.