
CIPT Exam - Question 48


SCENARIO -

Clean-Q is a company that offers household and office cleaning services. The company receives requests from consumers via their website and telephone, to book cleaning services. Based on the type and size of service, Clean-Q then contracts individuals that are registered on its resource database - currently managed in-house by Clean-Q IT Support. Because of Clean-Q's business model, resources are contracted as needed instead of permanently employed.

The table below indicates some of the personal information Clean-Q requires as part of its business operations:

Clean-Q has an internal employee base of about 30 people. A recent privacy compliance exercise has been conducted to align employee data management and human resource functions with applicable data protection regulation. Therefore, the Clean-Q permanent employee base is not included as part of this scenario.

With an increase in construction work and housing developments, Clean-Q has had an influx of requests for cleaning services. The demand has overwhelmed Clean-Q's traditional supply and demand system that has caused some overlapping bookings.

In a business strategy session held by senior management recently, Clean-Q invited vendors to present potential solutions to their current operational issues. These vendors included application developers and cloud solution providers, presenting their proposed solutions and platforms.

The Managing Director opted to initiate the process to integrate Clean-Q's operations with a cloud solution (LeadOps) that will provide the following solution in one single online platform:

✑ A web interface that Clean-Q accesses for the purposes of resource and customer management. This would entail uploading resource and customer information.

✑ A customer facing web interface that enables customers to register, manage and submit cleaning service requests online.

✑ A resource facing web interface that enables resources to apply and manage their assigned jobs.

✑ An online payment facility for customers to pay for services.

If Clean-Q were to utilize LeadOps' services, what is a contract clause that may be included in the agreement entered into with LeadOps?

Correct Answer: C

A contract clause that requires LeadOps to notify Clean-Q of any suspected breaches involving customer or resource information is essential. This clause aligns with data protection regulations, which mandate prompt notification to the data controller (Clean-Q) in the event of a breach. This enables Clean-Q to take timely action to mitigate any potential damage. Ensuring such a provision in the contract helps maintain the integrity and security of the data while ensuring compliance with regulatory requirements.

Discussion

7 comments
k4d4v4r Option: C
Dec 6, 2021

C is the best answer. Never saw a D situation in real life scenarios.

ChaBum
Mar 7, 2022

There is no reason to inform an external party about a SUSPECTED breach

837vq3 Option: D
Oct 20, 2021

The part that I do not like in "D" is this: "at LeadOps' cost and at any time that Clean-Q requires". As far as I know, audits are not performed at the expense of the vendor. If the client wants to audit a vendor, the client pays for it, correct?

ChaBum
Mar 7, 2022

It could be part of the contract to have the vendor pass through audits on a regular basis. But those audits are conducted by a third-party company and not the client. If a client wants to audit a vendor, the vendor will normally charge the client for the resources provided to conduct the audit. What I find non-realistic is the "at any time that Clean-Q requires"; the audit should happen at a time which is convenient for both parties.

ChaBum Option: B
Mar 7, 2022

B, the TOMs Technical and Organisational Measures (GDPR Art 32 & Recital 78),

Magim1920 Option: A
Jun 26, 2022

It's almost as if the question is wrong and should read "What is NOT a contractual clause..." All of these are commonly found in SSCs in European Union countries, except A - you cannot outsource your liability as data controller to a processor.

pipzz Option: C
Jul 10, 2022

Best answer. The GDPR requires a processor to notify a controller if it becomes aware of a breach of personal data it is processing on behalf of the controller. The governing legal document may provide for a stricter notification requirement, including notification if the processor even merely “suspects” a breach has occurred.

Ame123456789 Option: C
Mar 14, 2023

Poor question scribing, I feel.

A. A provision that holds LeadOps liable for a data breach involving Clean-Q's information. Is probably true. Contracts are about liability and indemnities. So the word "liable" is used with a different meaning.

B. A provision prescribing technical and organizational controls that LeadOps must implement. Not right - DC may not be in the position to scribe.

C. A provision that requires LeadOps to notify Clean-Q of any suspected breaches of information that involves customer or resource information managed on behalf of Clean-Q. Maybe right - the "on behalf of Clean Q" is just saying that LeadOps is managing the data on behalf, not reporting to regulator on behalf.

D. A provision that allows Clean-Q to conduct audits of LeadOps' information processing and information security environment, at LeadOps' cost and at any time that Clean-Q requires. In reality, this clause is common, but "not any time that Clean Q requires" - impractical.

So C is likely to be the right answer.

PaigeH7 Option: C
Mar 23, 2024

Clean Q is the Controller, Lead OPS operator