Question 39
What is the best reason to include privacy terms in vendor contracts even after diligence is complete?
Correct answer: A
Explanation
Vendor contracts still matter because they set enforceable privacy obligations that outlast the diligence exercise. Diligence is a point-in-time assessment of the vendor; the contract is what binds the vendor going forward. It can require "purpose limits, deletion, incident notice, and downstream sharing restrictions," which are specific, enforceable controls that diligence alone does not guarantee.
Why each option is right or wrong
A. Contracts can define purpose limits, deletion, incident notice, and downstream sharing restrictions
Under GDPR Article 28, a controller-processor contract must specify that the vendor processes personal data only on the controller's documented instructions, implements appropriate security measures, assists the controller with its obligations (including personal data breach notification), and deletes or returns the data at the end of the service (Article 28(3)). The processor may not engage a sub-processor without the controller's prior authorization (Article 28(2)), and any sub-processor must be bound to the same data protection obligations (Article 28(4)). The contract is therefore the enforceable mechanism for limiting use, requiring deletion, mandating incident notice, and controlling downstream sharing after diligence is finished.
B. Contracts let the company avoid all public disclosures
A private contract cannot override statutory disclosure duties. Breach notification to regulators and affected individuals (for example under GDPR Articles 33 and 34, or US state breach laws) is owed by the company regardless of what its vendor agreement says; a contract can only allocate who detects, investigates, and notifies whom, and by when.
C. Contracts transform the vendor into a government authority
A commercial agreement between two private parties confers no public or regulatory authority on either of them. The vendor remains a private processor or service provider with contractual, not governmental, obligations.
D. Contracts eliminate the need for technical safeguards
A written promise is not a control. Contractual terms and technical safeguards are complementary: GDPR Article 28(3)(c) and Article 32 require the processor to implement appropriate technical and organizational measures, and the controller still has to verify that the vendor actually does so (for example through audit rights, assessments, or evidence of controls).