CDPSE · Question #232
Which of the following MUST be included in a contract with a vendor that will be processing personal data?
The correct answer is C. A clause to report breaches in a timely manner to the organization. Privacy regulations such as GDPR require data processing agreements (DPAs) to include breach notification obligations. Vendors (data processors) must notify the controller in a timely manner when a breach occurs so the organization can fulfill its own regulatory reporting deadlin
Question
Which of the following MUST be included in a contract with a vendor that will be processing personal data?
Options
- AA clause to hash all data that is processed or stored by the vendor
- BA clause to prohibit the vendor from sending data to third parties
- CA clause to report breaches in a timely manner to the organization
- DA clause to require the vendor to comply with industry best practices
How the community answered
(31 responses)- A3% (1)
- B3% (1)
- C94% (29)
Explanation
Privacy regulations such as GDPR require data processing agreements (DPAs) to include breach notification obligations. Vendors (data processors) must notify the controller in a timely manner when a breach occurs so the organization can fulfill its own regulatory reporting deadlines (e.g., GDPR's 72-hour window). While hashing (A), prohibiting third-party transfers (B), and industry best practices (D) may be desirable, they are not universally mandated contractual requirements - breach reporting is a core legal obligation in most privacy frameworks.
Topics
Community Discussion
No community discussion yet for this question.