Certified Information Privacy Professional – Europe (CIPP/E) — Question 90

What are the obligations of a processor that engages a sub-processor?

Answer options

• A. The processor must give the controller prior written notice and perform a preliminary audit of the sub-processor.
• B. The processor must obtain the controller’s specific written authorization and provide annual reports on the sub-processor’s performance.
• C. The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.
• D. The processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor.

Correct answer: D

Explanation

The correct answer is D because the processor has to ensure that the sub-processor complies with the same data processing obligations, maintaining a level of protection for personal data. Option A is incorrect as it emphasizes prior notice and auditing instead of compliance. Option B focuses on authorization and performance reports, which are not the primary obligations. Option C is not correct as it emphasizes liability rather than compliance with data processing obligations.