A restaurant stores customer credit card numbers on a spreadsheet on their office computer. They do not encrypt this data.

A European online store collects customer names and email addresses. They provide a clear privacy policy and obtain explicit consent for marketing emails.

A company experiences a data breach involving credit card information. They notify the affected cardholders and their acquiring bank within 72 hours.

A company operating in the EU collects employee biometric data without a legal basis or explicit consent.

A small business only processes a few credit card transactions per month. They are exempt from all PCI DSS requirements.

A website uses cookies to track user browsing behavior. They provide a cookie consent banner with an option to opt-out.

A company stores customer data in a cloud environment. They are not responsible for the security of that data.