Exam CIPP-E topic 1 question 61 discussion

Actual exam question from IAPP's CIPP-E
Question #: 61
Topic #: 1

An unforeseen power outage results in Company Z’s lack of access to customer data for six hours. According to Article 32 of the GDPR, this is considered a breach. Based on the WP 29’s February 2018 guidance, Company Z should do which of the following?

  • A. Notify affected individuals that their data was unavailable for a period of time.
  • B. Document the loss of availability to demonstrate accountability.
  • C. Notify the supervisory authority about the loss of availability.
  • D. Conduct a thorough audit of all security systems.
Suggested Answer: B

Comments

Securmec
Highly Voted 1 year, 2 months ago
Selected Answer: B
All data breaches should be documented if the company has more than 250 employees. The unavailability of customer information doesn't lead to a risk for the rights and freedoms of the data subject. Could be the case for life-maintaining systems in a hospital, but this case seems to be very specific.
upvoted 6 times
num
Highly Voted 1 year, 8 months ago
Selected Answer: B
Notification to affected individuals or supervisory authorities is only necessary if the incident meets the GDPR's definition of a personal data breach, which requires the incident to result in a risk to the rights and freedoms of individuals. If the data was not compromised or there was no risk to individuals, notification is not required.
upvoted 5 times
Ssourav
Most Recent 4 months ago
Selected Answer: B
B. Document the loss of availability to demonstrate accountability: According to WP 29’s guidelines, documenting the incident is essential for demonstrating compliance with the GDPR’s accountability principle. This ensures that Company Z can show it has taken appropriate steps to record and address the incident. Other options are applicable only if the incident is likely to result in a risk to the rights and freedoms of natural persons.
upvoted 1 times
Hannaway
8 months, 2 weeks ago
Selected Answer: B
"a breach involving the temporary loss of availability should be documented in accordance with Article 33(5) GDPR. This assists the controller in demonstrating accountability to the supervisory authority, which may ask to see those records. However, depending on the circumstances of the breach, it may or may not require notification to the supervisory authority and communication to affected individuals. The controller will need to assess the likelihood and severity of the impact on the rights and freedoms of natural persons as a result of the lack of availability of personal data. In accordance with Article 33 GDPR, the controller will need to notify unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Of course, this will need to be assessed on a case-by-case basis."
upvoted 1 times
Meastn
1 year, 8 months ago
C should be correct. Since the inability of the data subject to access his/her data is also a breach, and as with all data breaches, the controller should notify the supervisory authority in 72 hours as the first thing to do.
upvoted 3 times
Roemroyen
1 year, 9 months ago
I think it's B. Because according to the guideline, "a breach involving the temporary loss of availability should be documented in accordance with Article 33(5)... However, depending on the circumstances of the breach, it may or may not require notification to the supervisory authority and communication to affected individuals"
upvoted 4 times
semilias
1 year, 11 months ago
Answer should be D, because this is a 'security breach', not a personal data breach event. Only personal data breaches should directly be notified to the authority. Based on the Article 4.12 description, it would only qualify as a personal data breach if involving unauthorized access. Article 32.1 states this as a security breach, and Article 32.2 points to the next step of being required to "assessing the appropriate level of security account". WP29 acts as a guide to first determine the type of breach.
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other