ISC2 Certified Cloud Security Professional (CCSP) Practice Question
A U.S.-based Software-as-a-Service (SaaS) provider that hosts human-resources data for several European customers detects indicators that attackers have downloaded personnel records containing employee names, national ID numbers, and salary details. The master services agreements name each customer as the data controller and the provider as the data processor under the EU General Data Protection Regulation (GDPR). To meet mandatory regulatory requirements, which communication action must the provider take first?
Notify each affected data controller without undue delay, providing all relevant breach details so they can report to the supervisory authority within 72 hours.
Complete a full forensic investigation within 30 days, then deliver a comprehensive incident report to controllers and regulators.
Issue an immediate public statement to reassure users and defer regulator notification until after remediation is finished.
Report the breach directly to the appropriate EU supervisory authority within 24 hours, bypassing the data controllers.
Under GDPR Article 33, when a personal data breach occurs, the data processor must notify the affected data controller "without undue delay" after becoming aware of the incident and must provide sufficient information to allow the controller to meet its own obligation to notify the competent supervisory authority within 72 hours. The processor has no direct reporting duty to the regulator unless the contract explicitly delegates that task. Therefore, promptly informing each controller, and equipping them with the details needed for the regulatory report, fulfills the processor's legal responsibility.
The other actions either bypass the controller (directly contacting the authority), delay notification until a full investigation is complete, or focus on public relations. All would risk non-compliance with GDPR reporting timelines or contractual obligations.