Practice Exam ยท Chapters 113โ€“117

Exam: Business Continuity & Compliance

Business Impact Analysis ยท Third-party Risk ยท Agreement Types ยท Compliance ยท Privacy โ€” 20 scored questions + 2 scenario questions.

Chapters 113โ€“117 Practice Exam
๐Ÿ“ 20 scored questions โฑ๏ธ 25-minute target ๐ŸŽฏ Pass threshold: 80% (16/20)
Time remaining
25:00
Part A โ€” Multiple Choice (Questions 1โ€“20)
Ch 113 ยท Business Impact Analysis
Question 1 of 20
A logistics company runs nightly backups at midnight. A ransomware attack at 4 PM destroys 16 hours of order data; recovery is performed from the previous midnight backup. The company's BIA states the order management system has an 8-hour RPO. Was the RPO violated, and what operational change is required?
โœ… A โ€” RPO violated; increase backup frequency. RPO (Recovery Point Objective) defines the maximum acceptable data loss measured in time โ€” it directly drives backup frequency. An 8-hour RPO means no more than 8 hours of data can be lost in any failure. The nightly backup created a potential loss window of up to 24 hours; in this case 16 hours were lost, which is double the 8-hour RPO. The fix: run backups every 8 hours (or less) so the most recent restore point is never more than 8 hours old. RPO is not an annual metric โ€” it applies to every failure event.
Ch 113 ยท Business Impact Analysis
Question 2 of 20
A hospital's emergency department scheduling system has a 45-minute RTO. Over one quarter, the system experienced three failures: restored in 38 minutes, 52 minutes, and 41 minutes respectively. How should the IT operations team characterize RTO compliance for this period?
โœ… B โ€” RTO violated once; per-failure evaluation. RTO is not measured on average โ€” it must be met in every individual failure. The 52-minute restoration in the second failure exceeded the 45-minute RTO by 7 minutes. That is a violation, regardless of how well the other two failures went. Averaging RTO performance would allow a catastrophic 4-hour recovery to be hidden by two fast recoveries. The operations team must investigate what caused the second failure to take longer and address the root cause to prevent future violations.
Ch 113 ยท Business Impact Analysis
Question 3 of 20
A web server experienced 5 failures over 6 months with repair times of 1 hour, 2 hours, 2 hours, 3 hours, and 7 hours. The security team must report the MTTR to leadership to justify a request for better monitoring tools. What is the correct MTTR?
โœ… C โ€” MTTR = 3 hours (arithmetic mean). MTTR is always calculated as Total Repair Time divided by Number of Repairs โ€” a straightforward arithmetic mean. Total = 1+2+2+3+7 = 15 hours; divided by 5 repairs = 3 hours. MTTR is not the maximum (that would represent only worst-case), not the median (that would exclude the 7-hour outlier that represents real operational cost), and not the sum (that would be total repair burden, not average). The 3-hour MTTR compared against the RTO tells the team whether current recovery capability meets the business requirement.
Ch 113 ยท Business Impact Analysis
Question 4 of 20
A database server ran for 8,760 hours (one full year) with 3 failures totaling 48 hours of downtime. A vendor proposes a replacement server with a manufacturer-rated MTBF of 3,000 hours. Based on calculated MTBF, which server offers better projected reliability?
โœ… D โ€” Replacement server; MTBF = 2,904 hours < 3,000. The correct MTBF formula is: Total Uptime รท Number of Breakdowns. Uptime = Total Hours โˆ’ Downtime = 8,760 โˆ’ 48 = 8,712 hours. Breakdowns = 3. MTBF = 8,712 รท 3 = 2,904 hours. The common trap in option A is dividing total hours (not uptime) by failures โ€” this overstates reliability by failing to exclude downtime. With a calculated MTBF of 2,904 hours versus the proposed 3,000-hour rated MTBF, the replacement offers modestly better projected reliability. Higher MTBF = longer average time between failures = more reliable.
Ch 114 ยท Third-party Risk
Question 5 of 20
Before a penetration test begins, a testing firm receives the following instructions: social engineering attacks against employees are not authorized; testing may only occur between 9 PM and 5 AM on weekdays; three legacy systems are explicitly excluded from all testing; and any critical finding must be reported to the security director by phone within one hour of discovery. What is the specific document that captures these specifications, and when must it be finalized?
โœ… A โ€” Rules of engagement, finalized before testing begins. Rules of engagement (ROE) govern what the tester is and is not authorized to do during the assessment. Every element described โ€” prohibited techniques (no social engineering), timing windows, out-of-scope systems, and emergency escalation contacts โ€” is a rules of engagement element. The ROE must be finalized and signed before any testing begins because it defines the legal and operational boundaries within which the tester operates. Testing without agreed ROE creates legal risk for the tester and operational risk for the organization. The MSA is the parent legal contract; the SOW defines deliverables and payment; the ROE governs authorized conduct.
Ch 114 ยท Third-party Risk
Question 6 of 20
Between March and June 2020, attackers inserted a backdoor called SUNBURST into the build pipeline of the Orion network management platform. The malicious update bore a valid digital signature from the vendor and was delivered to approximately 18,000 organizations as a routine software update. What makes this attack category especially dangerous compared to a direct network intrusion against each target organization?
โœ… B โ€” Supply chain attack via trusted vendor relationship. The SolarWinds attack (2020) is the canonical supply chain attack example. Rather than attacking each of the 18,000 victim organizations individually โ€” which would require separate intrusion campaigns โ€” the attackers compromised the upstream software supplier's build pipeline. Because SolarWinds' digital certificate signed the update, it appeared completely legitimate. Victims installed it through normal patch management procedures, unknowingly installing a backdoor. Supply chain attacks are especially dangerous because they: (1) scale to every downstream customer in one action, (2) exploit legitimate trusted delivery mechanisms that bypass security controls, and (3) may go undetected for months because the malicious code arrives with a trusted signature.
Ch 114 ยท Third-party Risk
Question 7 of 20
A company contracts a payroll processing vendor to handle tax data for 8,000 employees. During contract negotiations, the vendor agrees to share annual SOC 2 Type II reports but refuses to include a right-to-audit clause, citing competitive sensitivity of their infrastructure. How should the organization evaluate this refusal?
โœ… C โ€” Refusal is a significant risk indicator. A right-to-audit clause gives the customer the contractual right to independently verify vendor security at any time with reasonable notice. This is distinct from SOC 2: a SOC 2 report covers what the auditor examined, on the vendor's schedule, with scope the vendor agreed to. A right-to-audit clause lets the customer examine what the customer needs to examine when the customer needs to. A vendor who is genuinely confident in their security posture has no reason to refuse independent examination. Refusal is therefore a meaningful signal. Payroll vendors hold sensitive tax data for thousands of employees โ€” this is exactly the high-value data that warrants audit rights regardless of industry conventions.
Ch 114 ยท Third-party Risk
Question 8 of 20
A retailer's security team runs an automated tool against their web application and receives a report identifying 31 potential security issues categorized by severity. Three months later, an external security firm actively attempts to authenticate as other users, extract customer records, and escalate privileges using those same 31 identified issues. What is the fundamental distinction between the first and second activities?
โœ… D โ€” Vulnerability scan identifies; penetration test actively exploits. A vulnerability scan uses automated tools to identify potential weaknesses and produces a categorized report โ€” it never attempts to exploit the findings. A penetration test begins where the scan leaves off: a skilled human tester actively attempts to use identified vulnerabilities to gain unauthorized access, escalate privileges, or exfiltrate data. This answers the critical business question: "Can an attacker actually get in, and what can they reach?" Not all vulnerabilities that appear on a scan report are actually exploitable; penetration testing reveals which ones represent genuine risk. The combination โ€” scan to find candidates, pentest to confirm exploitability โ€” is standard security practice.
Ch 115 ยท Agreement Types
Question 9 of 20
Two public universities sign a document agreeing to share cybersecurity threat intelligence. The document describes the scope of information to be shared (malware indicators, phishing domains), identifies primary contacts at each institution, and states that both parties intend to act in good faith. The document specifies no financial penalties, has no fixed term, and was not filed with any legal authority. What type of agreement is this, and what is its primary limitation?
โœ… A โ€” MOU; limited to good-faith compliance. An MOU documents intent and shared goals without creating a binding legal contract. The identifying features are all present: describes intent (not mandatory obligations), no financial penalties, no fixed term, not legally filed. MOUs are appropriate for government-to-government and interagency relationships where formal contracting is impractical or unnecessary, and where both parties have reputational or mission-driven motivation to comply without legal compulsion. The key limitation is exactly that: a party can walk away from an MOU without legal consequence. For relationships where performance guarantees matter, a formal contract with financial penalties (an SLA or MOA) is required instead.
Ch 115 ยท Agreement Types
Question 10 of 20
A company's cloud disaster recovery contract specifies: 99.95% uptime for recovery infrastructure, failover initiation within 15 minutes of a declared disaster, full system restoration within 4 hours, and a 20% service credit for any month where declared-disaster response times are missed. Which type of agreement best describes these terms, and what is the defining characteristic?
โœ… B โ€” SLA; measurable standards with financial penalties. A Service Level Agreement is identified by two characteristics present here: (1) specific, measurable performance standards (99.95% uptime, 15-minute failover initiation, 4-hour full restoration) and (2) financial consequences for non-performance (20% service credit). SLAs are the appropriate mechanism whenever the organization needs contractually enforceable guarantees about service performance. The distinction from an MSA: the MSA establishes the foundational relationship terms; SLAs define specific performance obligations within that relationship. An MSA can exist without any SLA; an SLA typically operates under an MSA.
Ch 115 ยท Agreement Types
Question 11 of 20
A startup plans to present its proprietary AI algorithm to three potential investors simultaneously. All three will receive identical confidential technical documentation. Rather than negotiating three separate bilateral agreements, the startup's attorney recommends a single agreement that legally binds all three investors under identical confidentiality terms at the same time. What type of NDA is this, and why is it preferable in this scenario?
โœ… C โ€” Multilateral NDA; efficient and simultaneous binding. NDAs come in three types: unilateral (one party discloses, one receives), bilateral (both parties disclose to each other), and multilateral (three or more parties bound under a single agreement). The multilateral NDA is the correct tool when one disclosing party needs to bind multiple receiving parties simultaneously. Its advantages over three bilateral NDAs: executed once instead of three times, all investors bound from the same date with identical terms, and no risk of inconsistency between separate agreements. Option B misidentifies this as unilateral โ€” while the startup is the only discloser, the document structure (single agreement binding 3+ parties) is what defines it as multilateral.
Ch 115 ยท Agreement Types
Question 12 of 20
A security consulting firm has a long-term Master Service Agreement with a client. The client now needs an urgent web application assessment and a separate cloud configuration review. Instead of drafting a new MSA, the client issues two new documents โ€” one per project โ€” each referencing the existing MSA and specifying scope, deliverables, timeline, and payment for that specific engagement. What are these two documents, and what role does the MSA play?
โœ… D โ€” SOWs under a parent MSA; avoids renegotiating foundational terms. The MSA + SOW model is the standard structure for long-term professional services relationships: the MSA is signed once and establishes all fundamental terms (payment conditions, intellectual property, liability caps, governing law, dispute resolution). Each time a specific project is needed, a SOW (also called a Work Order) is issued under the MSA โ€” it specifies scope, deliverables, timeline, and payment for that engagement without reopening the foundational legal terms. This dramatically speeds project initiation; the client and consulting firm negotiate scope and price, not legal frameworks, for each new project. The MSA is the governance layer; SOWs are the operational layer.
Ch 116 ยท Compliance
Question 13 of 20
A credit union offering checking accounts, savings accounts, car loans, and mortgage services receives a regulatory letter requiring: a comprehensive information security program, a written information security plan, a designated employee to coordinate the program, and privacy notices informing customers how their financial data is shared. Which regulation mandates these specific requirements?
โœ… A โ€” GLBA; applies to all financial institutions. The Gramm-Leach-Bliley Act (1999) applies to financial institutions โ€” banks, credit unions, insurers, mortgage brokers, and related entities. Its Safeguards Rule requires: a written information security program, designation of an employee(s) to coordinate it, risk assessments, and controls protecting customer financial data. Its Privacy Rule requires privacy notices to customers explaining how their nonpublic personal information is collected and shared. The credit union matches this profile exactly. SOX applies to publicly traded companies (not credit unions). PCI DSS applies to payment card processing, not general financial services. HIPAA applies to health information, not financial data.
Ch 116 ยท Compliance
Question 14 of 20
A Chief Compliance Officer's annual report categorizes the company's security activities in two groups: Group 1 โ€” quarterly access reviews, monthly vulnerability scans of all internal servers, annual security training for employees, and 24/7 SIEM monitoring; Group 2 โ€” annual security questionnaires sent to all vendors, review of the cloud provider's SOC 2 report, and an annual on-site security assessment of the top 10 vendors by revenue. Which correctly categorizes these activity groups?
โœ… B โ€” Due care = internal; due diligence = external verification of third parties. Due care refers to the reasonable security practices an organization implements for its own operations โ€” the internal standard of care. Access reviews, vulnerability scans, training, and SIEM monitoring all demonstrate that the organization is managing its own security obligations responsibly. Due diligence refers to the investigation and evaluation of external parties โ€” verifying that vendors, partners, and suppliers also meet security standards. Sending questionnaires, reviewing SOC 2 reports, and conducting on-site vendor assessments are all due diligence activities. Memory aid: due care = internal operations; due diligence = external evaluation. A complete compliance program requires both.
Ch 116 ยท Compliance
Question 15 of 20
A hospital billing clerk accessed a celebrity patient's medical records 47 times over three months with no treatment-related justification. The clerk knew each access was improper โ€” there was no clinical reason to view this patient's records โ€” but never shared the records with anyone and received no financial benefit. The access was driven entirely by curiosity. Which HIPAA criminal penalty tier applies?
โœ… C โ€” False pretenses tier ($100K, 5 years). HIPAA criminal penalties operate in three tiers based on intent. Unknowing tier: the violator did not know they were violating HIPAA ($50K, 1yr). False pretenses tier: the violator knew the access was improper but without commercial motive ($100K, 5yr). Commercial gain / malicious harm tier: the violator accessed or disclosed PHI to sell it, for personal financial gain, or to cause harm ($250K, 10yr). The clerk knew each of the 47 accesses was improper โ€” that is the definition of "under false pretenses." But curiosity without financial gain or intent to harm doesn't reach the highest tier. Criminal liability applies to unauthorized access regardless of whether records were shared โ€” access itself is the violation.
Ch 116 ยท Compliance
Question 16 of 20
A fintech company's automated compliance dashboard reports 98.7% patch compliance across 3,200 servers and 99.2% MFA enrollment, and the internal security team has zero flagged incidents for the quarter. The CEO argues: "Our metrics are excellent โ€” we don't need the cost of an external compliance audit this year; our automated tools produce objective, unbiased data." What is the fundamental flaw in this reasoning?
โœ… D โ€” Automation cannot provide independence. The CEO's error is conflating objectivity with independence. Automated tools are objective within their configured scope โ€” but that scope is defined by the security team itself. An independent external auditor examines things the internal team may not have thought to measure, tests whether the monitoring tools are correctly configured (a tool that miscounts compliant patches provides objectively wrong data), and brings external benchmarks from assessing many other organizations. Familiarity bias is the specific risk: internal teams stop noticing gaps they've seen so often they're used to them. External auditors provide a fresh perspective that no amount of internal automation can replicate. This is why compliance frameworks mandate independent external review.
Ch 117 ยท Privacy
Question 17 of 20
A social media platform (headquartered in Ireland) uses a California-based advertising analytics company to analyze user behavior and serve targeted ads. The platform decides what user data is collected, for what advertising purposes, and for how long. The analytics company processes user behavioral data according to the platform's specifications without independently determining the purpose or use of that data. Under GDPR, what roles do these two organizations hold?
โœ… A โ€” Platform = controller; analytics company = processor. Under GDPR, the data controller is the entity that determines the purpose (why the data is processed) and the means (how it is processed). The social media platform decides what to collect, why, and for how long โ€” that is the controller. The analytics company processes data per the platform's specifications without independently deciding the purpose โ€” that is the processor. The controller holds primary GDPR accountability and cannot fully delegate that accountability to processors. The processor must be bound by a Data Processing Agreement (DPA) under GDPR Article 28. Physical custody of the data (option B's logic) does not determine controller vs. processor status โ€” purpose and means determination does.
Ch 117 ยท Privacy
Question 18 of 20
A former customer of an online bank submits a GDPR erasure request (right to be forgotten). The account was closed 4 years ago, there is no pending legal dispute, no outstanding debt, and no regulatory retention obligation applicable to this customer's records. The bank deletes the records from its active customer database but leaves them in 7-year monthly backup archives and in a behavioral analytics data warehouse. Is the erasure request fulfilled?
โœ… B โ€” Erasure must cover all storage locations. The GDPR right to erasure (Article 17) requires an organization to delete personal data from all systems where it exists โ€” not just the primary production database. The data minimization principle requires that personal data not be retained longer than necessary for its original purpose. When no retention obligation exists, backup archives and analytics warehouses are equally subject to the erasure requirement because the data remains in the organization's custody and is still being "processed" (stored is a form of processing under GDPR). Option C's logic would only apply if a genuine regulatory retention obligation covered this specific customer's records โ€” the scenario explicitly states there is no such obligation. Incomplete erasure maintains regulatory exposure.
Ch 117 ยท Privacy
Question 19 of 20
A Japanese e-commerce company sells electronics to customers in Austria, Belgium, and Sweden, collecting names, addresses, credit card details, and browsing history from those customers. Following a data breach, a German data protection authority initiates an investigation. The company's legal team argues that GDPR applies only to companies physically located in EU member states and that a Japanese company is therefore exempt. Is this argument correct?
โœ… C โ€” GDPR applies extraterritorially to any org processing EU residents' data. GDPR Article 3 establishes extraterritorial scope: it applies to any organization that processes personal data of EU residents in connection with offering goods or services to them, regardless of the organization's physical location. The Japanese e-commerce company actively sells to Austrian, Belgian, and Swedish customers โ€” it is offering goods to EU residents and collecting their personal data in that connection. All of the collected data types (names, addresses, credit card details, browsing history) qualify as personal data under GDPR's broad definition. The company must comply with GDPR for those customers' data. Fines can reach 4% of global annual turnover โ€” the non-EU location does not reduce the penalty.
Ch 117 ยท Privacy
Question 20 of 20
A ransomware attack simultaneously encrypts 23 servers across multiple data centers. Within 15 minutes, the security team identifies which of the 23 servers held personal data subject to GDPR notification requirements, the accountable business data owner for each affected dataset, and the sensitivity classification of each server's contents. This rapid scoping was made possible by a single document that had been prepared and maintained in advance. Which document provided this information?
โœ… D โ€” Data inventory (data map). A data inventory (also called a data map, or Records of Processing Activities under GDPR Article 30) is the authoritative reference for breach response scoping. It documents: what personal data exists, where it is stored (every system, including backups and secondary stores), who the accountable data owner is, what sensitivity classification applies, and what retention period governs the data. Without it, incident responders must conduct time-consuming manual discovery under pressure during an active incident. With a current data inventory, the team can immediately answer the three breach notification questions: Is personal data subject to GDPR notification affected? Who is accountable? What was the scope? BCPs focus on recovery operations; IRPs guide response procedures; risk registers track risks โ€” none of these catalog personal data locations comprehensively.
Part B โ€” Scenario Questions (unscored โ€” self-assess)
Ch 113โ€“115 ยท Scenario
Scenario Question A
A mid-sized e-commerce company relies on a SaaS provider for its order management platform. The company's BIA defines a 1-hour RTO and a 15-minute RPO for the order management system. During a power failure at the SaaS provider's data center, the order management platform is offline for 4 hours and 20 minutes. Investigation reveals: (1) the most recent backup available for restoration was 2 hours old at the time of failure; (2) the SaaS contract contains an uptime guarantee but no RTO or RPO commitment; (3) the power failure originated at a colocation facility that the SaaS provider used โ€” a dependency the e-commerce company was unaware of; and (4) the SaaS provider refuses to provide documentation of the colocation vendor's security controls, citing confidentiality.

Address: (1) Which BIA metrics were violated and by how much? (2) What contract terms should the company require in a renegotiated SaaS agreement, and what agreement types are appropriate for each requirement? (3) What type of third-party risk does the unknown colocation vendor represent, and how does the vendor's refusal to provide documentation factor into the risk assessment?
1. BIA metric violations:

RTO violated: The 1-hour RTO was exceeded by 3 hours and 20 minutes. The platform was offline for 4 hours 20 minutes against a 1-hour maximum. This represents a 260-minute violation of the business's stated downtime tolerance.

RPO violated: The 15-minute RPO was exceeded by 1 hour and 45 minutes. The most recent backup was 2 hours old at failure, meaning up to 2 hours of order data was potentially lost โ€” 7.75ร— the acceptable 15-minute data loss limit. To meet a 15-minute RPO, backups must run every 15 minutes or continuous replication must be used.

2. Contract terms and agreement types required:

SLA additions needed: The renegotiated SLA must include explicit RTO and RPO commitments matching the company's BIA: maximum 1-hour restoration time (RTO) and 15-minute maximum data loss (RPO), with financial penalties (service credits) when these are violated. The current uptime-only SLA does not protect the company's recovery objectives.

Right-to-audit clause (in the MSA): The company must negotiate a right-to-audit clause giving it the contractual right to verify the SaaS provider's security controls โ€” and require the provider to extend equivalent audit rights for any material subcontractors such as colocation facilities. This belongs in the Master Service Agreement as a perpetual provision.

Supply chain disclosure requirement: The contract should require the SaaS provider to disclose all material third-party dependencies (colocation vendors, infrastructure subcontractors) and notify the company of changes to those dependencies. Unknowing dependency on an undisclosed colocation facility is precisely the supply chain risk that contract terms must address.

3. Third-party risk โ€” colocation vendor:

Risk type: This is a supply chain risk โ€” the e-commerce company's service is dependent on a vendor's vendor that it had no knowledge of, no contractual relationship with, and no visibility into. The failure of the colocation facility propagated through the SaaS provider to the e-commerce company without warning.

Refusal to provide documentation: A vendor who refuses to share security control documentation for their own infrastructure should be treated as a significant risk indicator. The analogous principle applies: a vendor comfortable with independent verification has nothing to hide. This refusal means the e-commerce company cannot assess whether the colocation facility represents an acceptable risk โ€” it must either negotiate audit-right provisions through the SaaS provider's contract or treat the undisclosed and unverifiable dependency as elevated risk. Ongoing vendor monitoring must account for these hidden infrastructure dependencies.
Ch 116โ€“117 ยท Scenario
Scenario Question B
A pharmaceutical company runs clinical trials involving 12,000 participants across 8 EU countries. The company uses a third-party data analytics vendor to process trial outcome data. A ransomware attack encrypts three servers. During incident response, the team discovers: (1) the company has never maintained a data inventory โ€” responders cannot determine which servers held participant personal data subject to GDPR notification; (2) the analytics vendor's last security assessment was 4 years ago; (3) employees with access to participant data were never trained on GDPR data handling obligations; and (4) trial participants were never informed their data would be shared with an analytics vendor.

Address: (1) Categorize each gap as a due care failure or due diligence failure and explain why. (2) What GDPR data roles do the pharmaceutical company and analytics vendor hold, and what documentation must exist between them? (3) What GDPR obligations arise from the breach and the undisclosed data sharing with the analytics vendor?
1. Categorizing each compliance gap:

No data inventory (due care failure): Maintaining a data inventory is an internal security management obligation โ€” it is the organization's responsibility to know where its own data lives. The inability to identify which servers held personal data means the organization cannot determine its own GDPR breach notification obligations. This is a failure to exercise reasonable internal security practices.

Analytics vendor assessment 4 years ago (due diligence failure): Due diligence requires ongoing evaluation of third parties who process the organization's data. A single assessment 4 years ago does not reflect the vendor's current security posture, especially given how quickly the threat environment and vendor infrastructure change. Ongoing vendor monitoring is a due diligence obligation, not a one-time event.

No employee GDPR training (due care failure): Training employees with access to personal data on their GDPR obligations is an internal security management responsibility. Employees who don't understand data handling requirements represent a compliance risk within the organization's own operations โ€” this is a due care gap.

Participants never informed of analytics vendor sharing (GDPR transparency failure / due care): GDPR requires that data subjects be informed of the purposes for which their data is processed and any third parties with whom it is shared. Failure to provide this transparency is a breach of the controller's direct GDPR obligations โ€” an internal compliance failure (due care).

2. GDPR data roles and required documentation:

The pharmaceutical company is the data controller โ€” it determines the purpose (clinical trial) and means of processing participant personal data, and holds primary GDPR accountability for that data.

The analytics vendor is a data processor โ€” it processes trial outcome data on the pharmaceutical company's behalf, under the company's instructions, without independently determining the purpose.

GDPR Article 28 requires a Data Processing Agreement (DPA) between the controller and processor. The DPA must specify: the subject matter and duration of processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the controller's obligations and rights, and security obligations binding the processor. If no DPA exists, this is itself a GDPR violation.

3. GDPR obligations arising from the breach and undisclosed sharing:

Breach notification: Under GDPR Article 33, the pharmaceutical company (as controller) must notify the supervisory authority (in the relevant EU member states) within 72 hours of becoming aware of the breach โ€” if the breach is likely to result in a risk to individuals' rights and freedoms. The inability to determine which servers held personal data due to the absent data inventory directly impairs this 72-hour assessment.

Data subject notification: If the breach is likely to result in a high risk to participants' rights and freedoms, GDPR Article 34 requires notification to the affected data subjects (trial participants) without undue delay.

Remediation of undisclosed sharing: Trial participants had a right to be informed their data would be shared with an analytics vendor (transparency obligation under GDPR Articles 13/14). The company must update its privacy notices, potentially obtain fresh consent or establish another valid legal basis for the processing, and consider whether the undisclosed sharing constitutes a separate GDPR violation reportable to supervisory authorities. Fines can reach 4% of global annual turnover for serious transparency violations.
โ† Back to Study Hub
โ€”
Pass threshold: 80% (16 / 20 correct)
โ† Back to Study Hub