Certified Information Privacy Professional – Europe (CIPP/E) — Question 60

When hiring a data processor, which action would a data controller NOT be able to depend upon to avoid liability in the event of a security breach?

Answer options

• A. Documenting due diligence steps taken in the pre-contractual stage.
• B. Conducting a risk assessment to analyze possible outsourcing threats.
• C. Requiring that the processor directly notifies the appropriate supervisory authority.
• D. Maintaining evidence that the processor was the best possible market choice available.

Correct answer: C

Explanation

The correct answer is C because requiring the processor to notify the supervisory authority does not absolve the data controller of liability. Options A, B, and D involve proactive measures that a data controller can take to demonstrate due diligence and risk management, thus providing some level of protection against liability.