Certified Information Privacy Professional – United States (CIPP/US) — Question 126

Your company, which sells its products in the United States and the European Union, is seeking to purchase cloud storage from a multinational cloud storage provider. The engineering team at your company wants to set up cloud data centers from the storage provider in both the United States and Germany.

Which of the following contractual provisions should be included in the contract to ensure the security of the personal data being stored in both data center locations?

Answer options

• A. An audit provision that allows the cloud storage provider to restrict an independent auditor’s access to the premises, documents and personnel involved in the cloud storage provider’s processing of the data.
• B. A general authorization provision that allows the cloud storage provider to appoint subcontractors to help provide the cloud storage services.
• C. A purpose limitation provision that requires the data, including personal information, to only be used for the contracted purposes.
• D. A non-solicitation provision prohibiting both companies from seeking to hire employees of the other company.

Correct answer: C

Explanation

The correct answer is C, as a purpose limitation provision ensures that personal data is only utilized for the specific purposes agreed upon in the contract, thus enhancing data security. Options A and B do not directly address data security; A restricts auditor access, which could hinder accountability, while B allows for subcontractors without ensuring data protection. Option D is irrelevant to data security as it focuses on employment issues rather than data management.