According to the GDPR, which actions must be taken in case of a data breach?

Study for the BAFT Certificate in Principles of Payments Test. Utilize flashcards and multiple-choice questions, with hints and explanations for each query. Prepare thoroughly for your exam!

The choice that states a data processor must notify the data controller is correct because under the General Data Protection Regulation (GDPR), there are specific obligations placed on both data controllers and data processors in the event of a personal data breach.

When a data breach occurs, the GDPR requires data processors to inform the data controller without undue delay. This notification is crucial because it allows the data controller to assess the breach and determine the appropriate response, including whether to notify supervisory authorities and affected individuals, steps that are necessary to comply with GDPR's accountability and transparency requirements.

This framework establishes clear responsibilities to protect personal data and ensures that there is prompt communication between parties handling data, thus enhancing the overall security and management of personal data. Creating a chain of responsibility helps organizations react swiftly to mitigate any potential harm arising from a data breach.

The importance of immediate notification cannot be overstated, as delays could lead to increased risks for individuals whose data may have been compromised, and could also expose the data controller to regulatory penalties for non-compliance with GDPR obligations.
