Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

PECB Exam GDPR Topic 3 Question 8 Discussion

Actual exam question for PECB's GDPR exam
Question #: 8
Topic #: 3
[All GDPR Questions]

Scenario 4:

Berc is a pharmaceutical company headquartered in Paris, France, known for developing inexpensive improved healthcare products. They want to expand to developing life-saving treatments. Berc has been engaged in many medical researches and clinical trials over the years. These projects required the processing of large amounts of data, including personal information. Since 2019, Berc has pursued GDPR compliance to regulate data processing activities and ensure data protection. Berc aims to positively impact human health through the use of technology and the power of collaboration. They recently have created an innovative solution in participation with Unty, a pharmaceutical company located in Switzerland. They want to enable patients to identify signs of strokes or other health-related issues themselves. They wanted to create a medical wrist device that continuously monitors patients' heart rate and notifies them about irregular heartbeats. The first step of the project was to collect information from individuals aged between 50 and 65. The purpose and means of processing were determined by both companies. The information collected included age, sex, ethnicity, medical history, and current medical status. Other information included names, dates of birth, and contact details. However, the individuals, who were mostly Berc's and Unty's customers, were not aware that there was an arrangement between Berc and Unty and that both companies have access to their personal data and share it between them. Berc outsourced the marketing of their new product to an international marketing company located in a country that had not adopted the adequacy decision from the EU commission. However, since they offered a good marketing campaign, following the DPO's advice, Berc contracted it. The marketing campaign included advertisement through telephone, emails, and social medi

a. Berc requested that Berc's and Unty's clients be first informed about the product. They shared the contact details of clients with the marketing company. Based on this scenario, answer the following Questio n:

Questio n:

Based on scenario 4, Berc shared personal information of its clients with an international marketing company even though an adequacy decision was absent. Which of the following is a valid reason to do so?

Show Suggested Answer Hide Answer
Suggested Answer: C

Under Article 46 of GDPR, in the absence of an adequacy decision, controllers can transfer data only if appropriate safeguards (e.g., Standard Contractual Clauses, Binding Corporate Rules) are in place.

Option C is correct because safeguards such as SCCs allow data transfers when no adequacy decision exists.

Option A is incorrect because adequacy decisions are a legal requirement, not optional.

Option B is incorrect because a CISO cannot authorize GDPR data transfers.

Option D is incorrect because reputation does not ensure GDPR compliance.


GDPR Article 46(1) (Appropriate safeguards for data transfers)

Recital 108 (Legally binding commitments for data protection)

Contribute your Thoughts:

Jeanice
15 hours ago
I think the valid reason could be that the controller or processor provides appropriate safeguards for data protection.
upvoted 0 times
...
Annamaria
3 days ago
Hmm, this seems like a tricky scenario. I'm not sure if the marketing company's reputation alone can ensure compliance with data protection standards. There might be more safeguards needed.
upvoted 0 times
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77
a