1. A US-based software company sells its products globally, including to customers in France, Germany, and Spain. The company collects customer names, email addresses, IP addresses, and usage analytics from all customers. A European data protection authority investigates the company for privacy violations. The company argues that as a US company, EU law does not apply to it. Is the company correct?
2. A customer who previously purchased products from an online retailer submits a formal request asking the retailer to delete all personal data associated with their account, as they have not purchased anything in 3 years and withdraw any consent they previously gave. The retailer's legal team confirms there is no ongoing legal obligation requiring retention of this customer's data. Under GDPR, what right is the customer exercising, and what must the retailer do?
3. A healthcare company uses a cloud provider to host patient medical records. The healthcare company decides what patient data to collect, for what medical purposes it is used, and how long it is retained. The cloud provider stores and manages the data according to the healthcare company's instructions but makes no independent decisions about the data's purpose or use. What roles do the healthcare company and cloud provider hold respectively under GDPR?
4. A company assigns the following responsibilities to a database administrator: classify all database records as public, internal, confidential, or restricted based on the data owner's policy decisions; configure role-based access controls so only authorized roles can query each classification tier; apply encryption at rest to all confidential and restricted tables; maintain daily backup verification logs; and investigate access anomalies flagged by the SIEM. What data role does this describe?
5. A company suffers a ransomware attack that encrypts 15 servers. Incident responders need to immediately determine: which servers held personal data subject to GDPR notification requirements, who is the accountable business owner for each affected dataset, what sensitivity classification applies to each dataset, and how to communicate breach scope to regulators. What asset management document would provide all of this information?
6. A company's data retention policy requires deleting all customer transaction records older than 7 years. An automated process runs monthly to purge records that have exceeded this retention period from the production database. A compliance audit later reveals that the purged transaction records are still present in monthly backup archives retained for 10 years and in a data warehouse used for historical analytics. What problem does this reveal?
Matching: Data Roles
Match each data role (1–4) to its correct description (A–D).
1Data Owner
2Data Controller
3Data Processor
4Data Custodian
AThe technical role responsible for implementing day-to-day data protection controls including sensitivity labeling, access control enforcement, encryption, backup verification, and access monitoring
BThe senior business executive accountable for a data category; makes classification, access, and retention decisions; accepts residual risk on behalf of the business unit
CThe GDPR-defined entity that determines the purpose and means of processing personal data; bears primary legal accountability for compliance and cannot fully delegate that accountability to processors
DAn entity that processes personal data on behalf of and under the instructions of the controller; does not independently determine the purpose or use of the data; bound by a data processing agreement