Question 11
Domain 4: Individual Requests, Complaints and Privacy Incidents
A controller relies on a processor to search archived data for deletion requests. What is the best way to keep response times under legal deadlines?
Correct answer: B
Explanation
A controller remains responsible for meeting legal deadlines even when using a processor, so it should build in buffer time. Setting an internal SLA and escalation path shorter than the external deadline ensures the processor search is completed early enough to satisfy the required response window.
Why each option is right or wrong
A. Let the processor decide its own timing
B. Set an internal SLA and escalation path shorter than the external deadline
Under GDPR Articles 12(3) and 17(1), the controller must respond to a deletion request without undue delay and in any event within 1 month, extendable by up to 2 further months only where necessary and with notice within the first month. Because Article 28(3) makes the processor act only on documented instructions and the controller remains accountable for the deadline, an internal SLA and escalation route set earlier than the statutory window is the practical control that preserves compliance if archived searches run late.
C. Exclude archived systems from every deletion request
D. Respond only after the processor sends a final certification