CISSP Practice Domain 1 — Security and Risk Management Q52 of 120

Under the EU's GDPR, who is the entity that determines the purposes and means of personal data processing?

A CISSP practice question covering Domain 1: Security and Risk Management. Try answering before reading the explanation below.

A. Data subject
B. Data processor
C. Data controller ✓ Correct answer
D. Supervisory authority

Why "Data controller" is the right answer

Data controllers decide why and how personal data is processed and bear primary accountability. Processors act on the controller's instructions. Data subjects are the individuals whose personal data is processed. Supervisory authorities are the regulators.
