nerdexam
Isaca

CDPSE · Question #232

Which of the following MUST be included in a contract with a vendor that will be processing personal data?

The correct answer is C. A clause to report breaches in a timely manner to the organization. Privacy regulations such as GDPR require data processing agreements (DPAs) to include breach notification obligations. Vendors (data processors) must notify the controller in a timely manner when a breach occurs so the organization can fulfill its own regulatory reporting deadlin

Privacy Governance

Question

Which of the following MUST be included in a contract with a vendor that will be processing personal data?

Options

  • AA clause to hash all data that is processed or stored by the vendor
  • BA clause to prohibit the vendor from sending data to third parties
  • CA clause to report breaches in a timely manner to the organization
  • DA clause to require the vendor to comply with industry best practices

How the community answered

(31 responses)
  • A
    3% (1)
  • B
    3% (1)
  • C
    94% (29)

Explanation

Privacy regulations such as GDPR require data processing agreements (DPAs) to include breach notification obligations. Vendors (data processors) must notify the controller in a timely manner when a breach occurs so the organization can fulfill its own regulatory reporting deadlines (e.g., GDPR's 72-hour window). While hashing (A), prohibiting third-party transfers (B), and industry best practices (D) may be desirable, they are not universally mandated contractual requirements - breach reporting is a core legal obligation in most privacy frameworks.

Topics

#Vendor Contracts#Data Processing Agreements#Breach Reporting#Third-Party Risk Management

Community Discussion

No community discussion yet for this question.

Full CDPSE Practice