nerdexam
(ISC)2

CISSP · Question #15

Which of the following elements MUST a compliant EU-US Safe Harbor Privacy Policy contain?

The correct answer is B. An explanation of who can be contacted at the organization collecting the information if. EU-US Safe Harbor Privacy Policies must meet specific notice requirements, including identifying a contact point for complaints and inquiries from data subjects.

Submitted by tyler.j· Mar 5, 2026Governance, Risk, and Compliance

Question

Which of the following elements MUST a compliant EU-US Safe Harbor Privacy Policy contain?

Options

  • AAn explanation of how long the data subject's collected information will be retained for and how it
  • BAn explanation of who can be contacted at the organization collecting the information if
  • CAn explanation of the regulatory frameworks and compliance standards the information collecting
  • DAn explanation of all the technologies employed by the collecting organization in gathering

How the community answered

(25 responses)
  • A
    4% (1)
  • B
    92% (23)
  • D
    4% (1)

Why each option

EU-US Safe Harbor Privacy Policies must meet specific notice requirements, including identifying a contact point for complaints and inquiries from data subjects.

AAn explanation of how long the data subject's collected information will be retained for and how it

While data retention periods are considered good privacy practice and are required under GDPR, the original EU-US Safe Harbor framework's seven principles (Notice, Choice, Onward Transfer, Security, Data Integrity, Access, Enforcement) did not specifically mandate disclosure of retention timelines.

BAn explanation of who can be contacted at the organization collecting the information ifCorrect

Under the EU-US Safe Harbor framework, organizations must provide 'Notice' to individuals about how their data is collected and used, which explicitly requires identifying a contact person or department (such as a privacy officer) that individuals can reach for questions, complaints, or to exercise their rights. This contact information requirement ensures accountability and gives data subjects a mechanism to seek redress, which is a core principle of the Safe Harbor framework.

CAn explanation of the regulatory frameworks and compliance standards the information collecting

The Safe Harbor framework does not require organizations to enumerate all regulatory frameworks or compliance standards they adhere to; the framework itself is the compliance mechanism, and listing other standards is not among its seven required principles.

DAn explanation of all the technologies employed by the collecting organization in gathering

Disclosure of all technologies used to collect data is not a required element of a Safe Harbor-compliant privacy policy; the framework focuses on data handling principles rather than technical implementation details of collection methods.

Concept tested: EU-US Safe Harbor Privacy Policy required notice elements

Source: https://www.ftc.gov/business-guidance/privacy-security/safe-harbor-privacy-framework

Topics

#privacy policy#Safe Harbor#data privacy#compliance

Community Discussion

No community discussion yet for this question.

Full CISSP Practice