ExamGecko
Home Home / IAPP / CIPM
Question list
Search
Search

List of questions

Search

Related questions











Question 48 - CIPM discussion

Report
Export

SCENARIO

Please use the following to answer the next QUESTION:

John is the new privacy officer at the prestigious international law firm -- A&M LLP. A&M LLP is very proud of its reputation in the practice areas of Trusts & Estates and Merger & Acquisition in both U.S. and Europe.

During lunch with a colleague from the Information Technology department, John heard that the Head of IT, Derrick, is about to outsource the firm's email continuity service to their existing email security vendor -- MessageSafe. Being successful as an email hygiene vendor, MessageSafe is expanding its business by leasing cloud infrastructure from Cloud Inc. to host email continuity service for A&M LLP.

John is very concerned about this initiative. He recalled that MessageSafe was in the news six months ago due to a security breach. Immediately, John did a quick research of MessageSafe's previous breach and learned that the breach was caused by an unintentional mistake by an IT administrator. He scheduled a meeting with Derrick to address his concerns.

At the meeting, Derrick emphasized that email is the primary method for the firm's lawyers to communicate with clients, thus it is critical to have the email continuity service to avoid any possible email downtime. Derrick has been using the anti-spam service provided by MessageSafe for five years and is very happy with the quality of service provided by MessageSafe. In addition to the significant discount offered by MessageSafe, Derrick emphasized that he can also speed up the onboarding process since the firm already has a service contract in place with MessageSafe. The existing on-premises email continuity solution is about to reach its end of life very soon and he doesn't have the time or resource to look for another solution. Furthermore, the off- premises email continuity service will only be turned on when the email service at A&M LLP's primary and secondary data centers are both down, and the email messages stored at MessageSafe site for continuity service will be automatically deleted after 30 days.

Which of the following is a TRUE statement about the relationship among the organizations?

A.

Cloud Inc. must notify A&M LLP of a data breach immediately.

Answers
A.

Cloud Inc. must notify A&M LLP of a data breach immediately.

B.

MessageSafe is liable if Cloud Inc. fails to protect data from A&M LLP.

Answers
B.

MessageSafe is liable if Cloud Inc. fails to protect data from A&M LLP.

C.

Cloud Inc. should enter into a data processor agreement with A&M LLP.

Answers
C.

Cloud Inc. should enter into a data processor agreement with A&M LLP.

D.

A&M LLP's service contract must be amended to list Cloud Inc. as a sub-processor.

Answers
D.

A&M LLP's service contract must be amended to list Cloud Inc. as a sub-processor.

Suggested answer: B

Explanation:

A true statement about the relationship among the organizations is that MessageSafe is liable if Cloud Inc. fails to protect data from A&M LLP.This statement reflects the principle of accountability under the GDPR, which requires data controllers and processors to be responsible for complying with the GDPR and demonstrating their compliance4As a data processor for A&M LLP, MessageSafe is liable for any damage caused by processing that infringes the GDPR or by processing that does not comply with A&M LLP's lawful instructions5This liability extends to any sub-processors that MessageSafe engages to carry out specific processing activities on behalf of A&M LLP5Therefore, if Cloud Inc., as a sub-processor for MessageSafe, fails to protect data from A&M LLP and causes harm to the data subjects or breaches the GDPR or A&M LLP's instructions, MessageSafe will be held liable for such failure and may have to pay compensation or face administrative fines or other sanctions6Reference:4:Article 5 GDPR | General Data Protection Regulation (GDPR);5:Article 82 GDPR | General Data Protection Regulation (GDPR);6:Article 83 GDPR | General Data Protection Regulation (GDPR)

asked 22/11/2024
Irving Indian
30 questions
User
Your answer:
0 comments
Sorted by

Leave a comment first