CISSP · Question #15
Which of the following elements MUST a compliant EU-US Safe Harbor Privacy Policy contain?
The correct answer is B. An explanation of who can be contacted at the organization collecting the information if. EU-US Safe Harbor Privacy Policies must meet specific notice requirements, including identifying a contact point for complaints and inquiries from data subjects.
Question
Options
- AAn explanation of how long the data subject's collected information will be retained for and how it
- BAn explanation of who can be contacted at the organization collecting the information if
- CAn explanation of the regulatory frameworks and compliance standards the information collecting
- DAn explanation of all the technologies employed by the collecting organization in gathering
How the community answered
(25 responses)- A4% (1)
- B92% (23)
- D4% (1)
Why each option
EU-US Safe Harbor Privacy Policies must meet specific notice requirements, including identifying a contact point for complaints and inquiries from data subjects.
While data retention periods are considered good privacy practice and are required under GDPR, the original EU-US Safe Harbor framework's seven principles (Notice, Choice, Onward Transfer, Security, Data Integrity, Access, Enforcement) did not specifically mandate disclosure of retention timelines.
Under the EU-US Safe Harbor framework, organizations must provide 'Notice' to individuals about how their data is collected and used, which explicitly requires identifying a contact person or department (such as a privacy officer) that individuals can reach for questions, complaints, or to exercise their rights. This contact information requirement ensures accountability and gives data subjects a mechanism to seek redress, which is a core principle of the Safe Harbor framework.
The Safe Harbor framework does not require organizations to enumerate all regulatory frameworks or compliance standards they adhere to; the framework itself is the compliance mechanism, and listing other standards is not among its seven required principles.
Disclosure of all technologies used to collect data is not a required element of a Safe Harbor-compliant privacy policy; the framework focuses on data handling principles rather than technical implementation details of collection methods.
Concept tested: EU-US Safe Harbor Privacy Policy required notice elements
Source: https://www.ftc.gov/business-guidance/privacy-security/safe-harbor-privacy-framework
Topics
Community Discussion
No community discussion yet for this question.