OneTrust Certified Privacy Professional Practice Exam

Prepare for the OneTrust Certified Privacy Professional Exam with detailed questions and explanations. Utilize flashcards and comprehensive MCQs to ensure you're ready to excel in your certification journey.

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!

What must be included in a GDPR-compliant Privacy Policy?

  1. Marketing strategies

  2. Employee information

  3. Data subject rights and processing purposes

  4. Financial auditing reports

The correct answer is: Data subject rights and processing purposes

A GDPR-compliant Privacy Policy is essential in ensuring transparency and informing individuals about how their personal data is handled. One of the core requirements of the General Data Protection Regulation (GDPR) is that organizations must clearly communicate the rights of data subjects as well as the specific purposes for which their personal data will be processed. Including data subject rights is crucial because the GDPR grants individuals various rights, such as the right to access, the right to rectification, the right to erasure, and the right to data portability, empowering them to manage their personal information effectively. Furthermore, outlining the purposes for processing personal data helps to build trust and ensures that individuals are fully informed about how their information will be used, which is a key principle of the regulation.

The other options, while potentially relevant in certain contexts, do not directly correlate with the mandatory elements of a GDPR-compliant Privacy Policy. Marketing strategies and employee information may be included in the broader context of an organization's operations but are not specifically required by GDPR. Financial auditing reports are not relevant to the content of a Privacy Policy under GDPR guidelines. Thus, the correct answer comprehensively addresses the essential components necessary for compliance with the GDPR.