
Exam CIPM topic 1 question 21 discussion

Actual exam question from IAPP's CIPM
Question #: 21
Topic #: 1

SCENARIO
Please use the following to answer the next question:
John is the new privacy officer at the prestigious international law firm – A&M LLP. A&M LLP is very proud of its reputation in the practice areas of Trusts & Estates and Merger & Acquisition in both U.S. and Europe. During lunch with a colleague from the Information Technology department, John heard that the Head of IT, Derrick, is about to outsource the firm's email continuity service to their existing email security vendor – MessageSafe. Being successful as an email hygiene vendor, MessageSafe is expanding its business by leasing cloud infrastructure from Cloud Inc. to host email continuity service for A&M LLP.
John is very concerned about this initiative. He recalled that MessageSafe was in the news six months ago due to a security breach. Immediately, John did some quick research on MessageSafe's previous breach and learned that the breach was caused by an unintentional mistake by an IT administrator. He scheduled a meeting with Derrick to address his concerns.
At the meeting, Derrick emphasized that email is the primary method for the firm's lawyers to communicate with clients, thus it is critical to have the email continuity service to avoid any possible email downtime. Derrick has been using the anti-spam service provided by MessageSafe for five years and is very happy with the quality of service provided by MessageSafe. In addition to the significant discount offered by MessageSafe, Derrick emphasized that he can also speed up the onboarding process since the firm already has a service contract in place with MessageSafe. The existing on-premises email continuity solution is about to reach its end of life very soon and he doesn't have the time or resources to look for another solution. Furthermore, the off-premises email continuity service will only be turned on when the email service at A&M LLP's primary and secondary data centers are both down, and the email messages stored at the MessageSafe site for the continuity service will be automatically deleted after 30 days.
Which of the following is a TRUE statement about the relationship among the organizations?

  • A. Cloud Inc. must notify A&M LLP of a data breach immediately.
  • B. MessageSafe is liable if Cloud Inc. fails to protect data from A&M LLP.
  • C. Cloud Inc. should enter into a data processor agreement with A&M LLP.
  • D. A&M LLP's service contract must be amended to list Cloud Inc. as a sub-processor.
Suggested Answer: B

Comments

MaritzTee
Highly Voted 8 months ago
Selected Answer: B
MessageSafe is the direct vendor to A&M LLP and is responsible for the subcontractors it engages. If Cloud Inc. fails to protect A&M LLP's data, MessageSafe, as the data processor, is liable to A&M LLP. This aligns with standard data protection regulations where the primary processor retains responsibility for the actions of its sub-processors.
upvoted 6 times
0ef35ef
Most Recent 2 weeks, 1 day ago
Selected Answer: D
The correct answer is D, because the GDPR and other data protection regulations require that organizations (like A&M LLP) be made aware of and have agreements in place for any sub-processors involved in the processing of personal data. Therefore, A&M LLP's service contract with MessageSafe must be amended to list Cloud Inc. as a sub-processor.
upvoted 1 times
9385ae2
2 weeks, 2 days ago
Selected Answer: B
B. https://gdpr-info.eu/art-28-gdpr/ Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.
upvoted 1 times
thecheaterz
7 months, 3 weeks ago
Selected Answer: B
Without information on jurisdictions we can exclude D.
upvoted 2 times
Habeeb007
7 months, 2 weeks ago
The question has references to US & EU, therefore D is the correct answer.
upvoted 2 times
BevMe
8 months, 1 week ago
Selected Answer: D
When a data processor (MessageSafe) engages another party (Cloud Inc.) to process data on behalf of the data controller (A&M LLP), GDPR requires that the sub-processing be approved by the data controller. This typically involves amending the service contract to explicitly list the sub-processor.
upvoted 2 times
MaritzTee
8 months, 2 weeks ago
Selected Answer: D
D. A&M LLP's service contract must be amended to list Cloud Inc. as a sub-processor. This is because Cloud Inc., as the provider of the cloud infrastructure that MessageSafe uses to host the email continuity service, is effectively acting as a sub-processor of A&M LLP's data. To comply with data protection regulations, such as the GDPR, it is important to have clear contractual agreements that identify all parties involved in the processing of personal data, including sub-processors. The contract should outline the responsibilities and obligations of each party to ensure data protection and compliance.
upvoted 2 times
DPRamone
11 months ago
Selected Answer: B
Under the GDPR, a sub-processor will remain liable to the processor for its own data processing operations. Ref. https://incorporated.zone/sub-processor-compliance-obligations-under-gdpr/
upvoted 2 times
humhain
11 months, 2 weeks ago
Selected Answer: A
Cloud Inc. must notify A&M LLP of a data breach immediately.
upvoted 2 times
katizeti
1 year ago
C maybe??
upvoted 1 times
katizeti
11 months, 2 weeks ago
D. A&M LLP's service contract must be amended to list Cloud Inc. as a sub-processor. This option accurately reflects the data processing flow and legal obligations within the scenario.
upvoted 2 times
[Removed]
1 year, 5 months ago
Selected Answer: B
Should be B
upvoted 1 times
baranikumar_v
1 year, 5 months ago
B may be the right answer.
upvoted 3 times
Alex951
1 year, 7 months ago
I suggest B
upvoted 3 times
szopenowa
1 year, 8 months ago
maybe B?
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)