Question 21
Domain 3: The Privacy Technologist’s Role in the Organization
A SaaS provider silently enables model training on customer prompts after a product update. What should the customer organization have required?
Correct answer: B
Explanation
Organizations should require change-management notice and approval for vendor updates that affect privacy, because a provider’s silent switch to training on customer prompts changes data use and increases risk. Privacy-impacting features should be disabled by default so the customer can review and authorize them before activation.
Why each option is right or wrong
A. An unlimited right for the vendor to change any processing purpose
Wrong. A blanket right to repurpose data would let the processor act outside the controller’s documented instructions, the opposite of what GDPR Art. 28(3) requires, and would leave the customer unable to assess new risks before they materialize.
B. Change-management notice and approval for privacy-impacting vendor changes, with risky features disabled by default
Correct. Under GDPR Art. 28(3) and Art. 32, the controller must ensure the processor acts only on documented instructions and that appropriate technical and organizational measures are in place. A vendor’s post-update shift to training on customer prompts is a material change in processing purpose and risk, so it should trigger prior notice and customer approval. In practice, privacy-impacting functionality should be off by default until the customer has reviewed the change; silent activation bypasses the controller’s ability to assess lawful basis, data minimization, and whether a DPIA is required under Art. 35.
C. A longer implementation timeline with no review checkpoints
Wrong. A longer timeline does not by itself give the customer any point at which to evaluate or reject a privacy-impacting change; without review checkpoints the change is still imposed unilaterally.
D. A marketing webinar before each release
Wrong. A webinar is a promotional communication, not a contractual notice-and-approval mechanism; it creates no obligation for the vendor to obtain consent before changing how customer data is used.