Exam CIPM All QuestionsBrowse all questions from this exam
Question 18

SCENARIO -

Please use the following to answer the next question:

John is the new privacy officer at the prestigious international law firm – A&M LLP. A&M LLP is very proud of its reputation in the practice areas of Trusts & Estates and Merger & Acquisition in both U.S. and Europe. During lunch with a colleague from the Information Technology department, John heard that the Head of IT, Derrick, is about to outsource the firm's email continuity service to their existing email security vendor – MessageSafe. Being successful as an email hygiene vendor, MessageSafe is expanding its business by leasing cloud infrastructure from Cloud Inc. to host email continuity service for A&M LLP.

John is very concerned about this initiative. He recalled that MessageSafe was in the news six months ago due to a security breach. Immediately, John did a quick research of MessageSafe's previous breach and learned that the breach was caused by an unintentional mistake by an IT administrator. He scheduled a meeting with Derrick to address his concerns.

At the meeting, Derrick emphasized that email is the primary method for the firm's lawyers to communicate with clients, thus it is critical to have the email continuity service to avoid any possible email downtime. Derrick has been using the anti-spam service provided by MessageSafe for five years and is very happy with the quality of service provided by MessageSafe. In addition to the significant discount offered by MessageSafe, Derrick emphasized that he can also speed up the onboarding process since the firm already has a service contract in place with MessageSafe. The existing on-premises email continuity solution is about to reach its end of life very soon and he doesn't have the time or resource to look for another solution. Furthermore, the off- premises email continuity service will only be turned on when the email service at A&M LLP's primary and secondary data centers are both down, and the email messages stored at MessageSafe site for continuity service will be automatically deleted after 30 days.

Which of the following is a TRUE statement about the relationship among the organizations?

    Correct Answer: B

    MessageSafe is the direct vendor to A&M LLP and is responsible for ensuring that any subcontractor it engages, such as Cloud Inc., complies with data protection obligations. If Cloud Inc. fails to protect A&M LLP's data, MessageSafe, as the data processor, bears liability for the breach. This is in line with standard data protection regulations which hold the primary processor accountable for the actions of its sub-processors.

Discussion
baranikumar_vOption: B

B may be the right answer.

Alex951Option: B

I suggest B

thecheaterzOption: B

without information on jurisdictions we can exclude D

Habeeb007

The questions has references to US & EU therefore D is the correct answer

MaritzTeeOption: B

MessageSafe is the direct vendor to A&M LLP and is responsible for the subcontractors it engages. If Cloud Inc. fails to protect A&M LLP's data, MessageSafe, as the data processor, is liable to A&M LLP. This aligns with standard data protection regulations where the primary processor retains responsibility for the actions of its sub-processors.

humhainOption: A

Cloud Inc. must notify A&M LLP of a data breach immediately.

szopenowaOption: B

maybe B?

BevMeOption: D

When a data processor (MessageSafe) engages another party (Cloud Inc.) to process data on behalf of the data controller (A&M LLP), GDPR requires that the sub-processing be approved by the data controller. This typically involves amending the service contract to explicitly list the sub-processor

MaritzTeeOption: D

D. A&M LLP's service contract must be amended to list Cloud Inc. as a sub-processor. This is because Cloud Inc., as the provider of the cloud infrastructure that MessageSafe uses to host the email continuity service, is effectively acting as a sub-processor of A&M LLP's data. To comply with data protection regulations, such as the GDPR, it is important to have clear contractual agreements that identify all parties involved in the processing of personal data, including sub-processors. The contract should outline the responsibilities and obligations of each party to ensure data protection and compliance.

DPRamoneOption: B

Under the GDPR, a sub-processor will remain liable to the processor for its own data processing operations. Ref. https://incorporated.zone/sub-processor-compliance-obligations-under-gdpr/

katizetiOption: C

C maybe??

katizeti

D. A&M LLP's service contract must be amended to list Cloud Inc. as a sub-processor. This option accurately reflects the data processing flow and legal obligations within the scenario.

[Removed]Option: B

Should be B