Domain 6: Legal, Risk & Compliance Review — 65 of 70

Domain 6 – Section A Review: Legal & Privacy

CCSP Domain 6 — Legal, Risk & Compliance Section Review 15–20 min
Section A tested your understanding of how law and privacy intersect with cloud computing. Before moving to audit and risk, verify that you can navigate jurisdictional complexity and privacy requirements the way the exam expects.

These questions span international law, eDiscovery, privacy rights, and privacy standards. Focus on jurisdiction, accountability, and preparation.


Scenario questions (10)


Question 1

A US company processes EU residents' personal data using a cloud provider with servers exclusively in the United States. The company has no EU office or employees.

Does GDPR apply?

A. Only if the cloud provider has EU data centers
B. Yes, because GDPR applies extraterritorially to any organization processing EU residents' personal data
C. Only if the EU residents have given explicit consent
D. No, because the company has no EU presence

Answer & reasoning

Correct: B

GDPR Article 3 gives the regulation extraterritorial scope. Processing EU residents' data triggers GDPR obligations regardless of where the organization is located or where the data is stored.


Question 2

An organization receives a legal hold notice. Its cloud email service has a 30-day auto-deletion policy for deleted items.

What is the FIRST action?

A. Begin collecting potentially relevant emails immediately
B. Notify the cloud email provider to stop all services
C. Inform employees to save important emails manually
D. Suspend the auto-deletion policy to prevent spoliation of potentially relevant evidence

Answer & reasoning

Correct: D

A legal hold requires preserving all potentially relevant data. Auto-deletion policies must be suspended immediately to prevent destruction of evidence (spoliation), which carries severe legal consequences.


Question 3

A data subject requests erasure of their personal data under GDPR. The cloud application deletes the record from the production database.

What critical verification step remains?

A. Verifying deletion across all copies including backups, replicas, and cached versions in the cloud environment
B. Confirming the data subject's identity
C. Logging the deletion request
D. Sending a confirmation email to the data subject

Answer & reasoning

Correct: A

Cloud storage maintains multiple copies across backups, replicas, and caches. Complete erasure requires verification that data is removed from all copies, not just the production database.


Question 4

A cloud provider receives a law enforcement request in Country A for customer data stored in Country B. Country B's privacy law prohibits such disclosure without customer notification.

What should the provider do?

A. Delete the data to prevent any disclosure
B. Engage legal counsel to analyze the conflicting requirements before taking action
C. Comply immediately with Country A's request
D. Refuse the request entirely

Answer & reasoning

Correct: B

Conflicting jurisdictional requirements require legal analysis. Neither automatic compliance nor automatic refusal is appropriate. Legal counsel assesses obligations, consequences, and available challenge mechanisms.


Question 5

An organization uses cloud-based AI services that process personal data for automated decision-making. No privacy impact assessment has been conducted.

What privacy principle is violated?

A. The requirement to conduct a Data Protection Impact Assessment before high-risk processing begins
B. Data minimization
C. Purpose limitation
D. Storage limitation

Answer & reasoning

Correct: A

GDPR requires DPIAs for high-risk processing, including automated decision-making involving personal data. The assessment must be completed before processing begins, not after.


Question 6

A cloud customer's contract with their SaaS provider does not specify data processing locations. The provider migrates data to a new region in a country with weaker data protection laws.

What contractual provision was missing?

A. A pricing guarantee for the contract term
B. Technical support availability hours
C. An SLA for application performance
D. Data residency and location requirements specifying where data can be stored and processed

Answer & reasoning

Correct: D

Without data location provisions, the provider can move data to any jurisdiction. This can create regulatory compliance failures, especially under GDPR and similar frameworks that restrict cross-border data transfers.


Question 7

An organization pseudonymizes customer data by hashing names with a salted algorithm. The salt and hash mapping are stored on a separate system.

Is this data still personal data under GDPR?

A. No, hashing makes data anonymous
B. Only if the separate system is in the EU
C. Yes, because the data can be re-identified using the mapping, making it pseudonymized rather than anonymized
D. Only if the data subject can reverse the hash

Answer & reasoning

Correct: C

Pseudonymized data remains personal data under GDPR because re-identification is possible. True anonymization would require that re-identification is not reasonably possible.


Question 8

A company needs to transfer employee data from its EU headquarters to a cloud service in Australia. No adequacy decision exists for Australia under GDPR.

What mechanism enables this lawful transfer?

A. Standard Contractual Clauses between the EU entity and the Australian cloud provider
B. The company's global privacy policy
C. The employees' employment contracts automatically authorize all transfers
D. A verbal agreement with the cloud provider

Answer & reasoning

Correct: A

Standard Contractual Clauses (SCCs) are EU-approved contractual provisions that provide appropriate safeguards for data transfers to countries without adequacy decisions.


Question 9

During eDiscovery, a legal team discovers that relevant data was automatically deleted by a cloud service's retention policy three weeks after litigation was anticipated.

What legal concept describes this situation?

A. Normal business operations
B. Data minimization compliance
C. Spoliation — destruction of potentially relevant evidence after a duty to preserve arose
D. Privacy by Design implementation

Answer & reasoning

Correct: C

Spoliation is the destruction of evidence after a duty to preserve has arisen. When litigation is anticipated, a legal hold must suspend automated deletion.


Question 10

A cloud provider notifies a customer of a personal data breach at 10:00 AM Monday.

Under GDPR, when must the customer notify the supervisory authority?

A. Within 30 days
B. Within 24 hours — by 10:00 AM Tuesday
C. Within 72 hours of becoming aware — by 10:00 AM Thursday
D. Only if more than 1,000 records are affected

Answer & reasoning

Correct: C

GDPR Article 33 requires notification to the supervisory authority within 72 hours of the controller becoming aware of the breach. The clock starts when the customer receives the notification from the provider.


Section A master pattern

When answering Domain 6 Section A questions, ask yourself:

  • Which jurisdictions are involved, and do their requirements conflict?
  • Who is the data controller and who is the data processor?
  • Was privacy considered before or after processing began?
  • Are preparation and readiness in place, or is this reactive?
  • Does the answer require legal counsel involvement?

If you think about jurisdiction first, accountability second, and preparation always, you will answer correctly.
