A company has implemented organisational and technical measures (such as staff training, internal data access controls, and encryption) to protect personal data, and notifies clients of a data breach two weeks after detection. What is the most accurate assessment of its GDPR compliance?

Question

BlackTom AI · Accepted Answer

GDPR requires controllers to notify the relevant supervisory authority of a personal data breach “without undue delay and, where feasible, not later than 72 hours” after becoming aware of it. If a breach is likely to result in a high risk to individuals’ rights and freedoms, the controller must also inform affected data subjects without undue delay.

1) Relevant knowledge points and concepts
- 72-hour mandatory notification to the supervisory authority (Article 33 GDPR).
- Obligation to notify data subjects if there is a high risk to their rights (Article 34 GDPR) “without undue delay.”
- Technical and organisational measures (encryption, access controls, training) are required by GDPR (Article 32) and reduce risk, but they do not remove the notification duty unless the data are rendered unintelligible to unauthorized parties and risk is effectively mitigated.

2) Step‑by‑step reasoning
- The company has implemented organisational and technical safeguards (positive for GDPR compliance under Article 32).
- The company notified clients two weeks (≈14 days) after detection. This exceeds the 72‑hour supervisory authority deadline and is not “without undue delay” for data subjects.
- Because the company missed the 72‑hour window, it failed to meet mandatory breach reporting obligations regardless of its security measures.
- There is therefore partial compliance: organisational/technical measures are present (good), but procedural/legal obligation on breach reporting was not met (bad).

3) Calculations / intermediate steps
- 72 hours = 3 days; the company waited 14 days → 14 days > 3 days, so deadline missed.

4) Why the correct answer is correct
Answer d correctly identifies that the firm has implemented required measures (partial compliance on security) but failed the mandatory, time‑bound reporting requirement, so overall compliance is only partial.

5) Why other options are incorrect
- a) Says both reporting and measures are insufficient — incorrect because measures were described as implemented.
- b) Claims notification was within an acceptable timeframe — incorrect; 14 days is not within the 72‑hour requirement.
- c) Claims full compliance — incorrect because the reporting deadline was missed.

Conclusion: The most accurate assessment is d. Partial compliance due to failure to meet mandatory breach reporting obligations despite having organisational and technical measures in place.

类似问题

Name the Supreme Court decision that removed financial constraints on PACs.

Political scientists Joshua Kalla and David Broockman find that senior policy makers made themselves available to _____ between three and four times more often than they did to constituents.

Name the political scientist who argues that parties are designed to serve the needs of ambitious politicians (namely candidates and officeholders).

Name the political scientist who said this famous quote about the problems of pluralism: “The flaw in the pluralist heaven is that the heavenly choir sings with a strong upper-class accent.”

What is the name of the third party candidate in 2000 who was not allowed to participate in the presidential debates? Hint: We watched a video clip with him in class.

E.E. Schattshneider said, "Democracy is ________ save in terms of the parties."

Who was the most recently appointed justice to the Supreme Court?

Name the landmark Supreme Court case that struck down spending limits in federal elections.

更多留学生实用工具

智能学习助手

风格化写作助手

论文查重助手

文献引用助手

课堂转译助手

课堂笔记助手

Quiz搜索助手

学校历年真题

智能刷题助手

智能匹配练习

希望你的学习变得更简单