A multinational retailer replicates its EU customer database from Frankfurt to several cloud regions worldwide for disaster-recovery analytics. During a GDPR compliance audit, the assessor finds that (1) the data is copied daily to U.S. and APAC regions without any approved transfer mechanism and (2) snapshots of the replicated database have been kept for three years because no retention policy exists. Which set of compliance measures would BEST remediate both findings while still allowing the business to keep a global backup?
Adopt Standard Contractual Clauses (or another Article 46 safeguard) for the international transfers, restrict replication to approved regions, and create a documented retention schedule that deletes or anonymises snapshots once the business purpose expires.
Require unit and user-acceptance testing for each region and tag every snapshot with metadata to identify its business owner.
Encrypt the database in transit and at rest, mask sensitive columns, and enable automated data-quality profiling to detect drift.
Tokenise cardholder data, reclassify the database under PCI DSS, and increase snapshot frequency so that no records are lost.
Under GDPR, personal data may only be transferred outside the European Economic Area if the destination is covered by an adequacy decision (Article 45) or the controller applies an appropriate safeguard under Article 46, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). Putting such a safeguard in place directly addresses the cross-border replication that the auditor flagged. GDPR's storage-limitation principle (Article 5(1)(e)) also requires organisations to delete or anonymise personal data once it is no longer needed for the purpose it was collected for, so a documented retention schedule that expires snapshots (in every region they were copied to) is necessary. Restricting or geo-fencing replication to approved regions keeps the transfers within the scope of the safeguard going forward while still permitting a disaster-recovery copy. The distractors focus on security controls (encryption, masking), PCI DSS-specific requirements, or testing activities; none of those controls by themselves fix both the unlawful transfer and the indefinite retention issues that triggered the compliance finding.
CompTIA Data+ DA0-002 (V2)
Data Governance