During a routine audit, a data analyst at a U.S.-based retailer discovers that a spreadsheet containing EU customers' names, email addresses, and purchase histories has been visible to all employees on an internal collaboration wiki for the last 36 hours. Under the General Data Protection Regulation (GDPR), a controller must notify the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of a personal data breach-but only if one specific criterion is met. Which criterion triggers the 72-hour notification obligation?
The exposed file includes personal data for more than 10,000 EU data subjects.
Data subjects have not yet been informed of the incident within 24 hours.
The compromised dataset was pseudonymized before the exposure occurred.
The breach is likely to result in a risk to the rights and freedoms of the affected individuals.
Article 33 of the GDPR states that a controller must notify the supervisory authority within 72 hours of becoming aware of a personal data breach unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Therefore, the deciding factor is the likelihood and severity of potential harm to data subjects.
Large volumes of data can heighten risk, but size alone is not the legal trigger.
Notifying individuals within 24 hours is good practice, but the GDPR sets no such separate threshold for notifying the authority.
Pseudonymization may lower risk, yet the controller still has to assess whether re-identification is possible; the obligation hinges on the outcome of that risk assessment, not merely on the presence of pseudonymization. Because only the potential impact on the data subjects' rights and freedoms activates the requirement, the correct choice is the option that references that risk.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does ‘risk to the rights and freedoms of natural persons’ mean under the GDPR?
Open an interactive chat with Bash
What is pseudonymization, and how does it impact GDPR compliance?
Open an interactive chat with Bash
When does the 72-hour notification rule NOT apply under GDPR?
Open an interactive chat with Bash
CompTIA Data+ DA0-002 (V2)
Data Governance
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .