ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A multinational retailer plans to move all Apache access logs into a centralized Amazon S3 bucket in the us-east-1 Region so its data-science team can perform long-term analytics. The logs store client IP addresses and occasionally customer email addresses collected from stores in Germany and France. The company has confirmed that the chosen U.S. cloud account is not certified under the EU-US Data Privacy Framework. Before exporting the logs to the United States, which legal limitation imposed by the GDPR must the security team address?
The GDPR requires explicit consent from each customer for any analytical processing of their data, regardless of other lawful bases such as legitimate interest.
International transfers of EU personal data are restricted unless an approved mechanism, such as the EU-US Data Privacy Framework, Standard Contractual Clauses, or another appropriate safeguard, is in place before the data leaves the EU.
The GDPR limits retention of any web-server log containing personal data to no more than 30 days, so the logs must be deleted after that period.
EU law completely prohibits the collection of IP addresses because they are classified as special-category (sensitive) personal data.
Because the logs contain IP addresses and email addresses, they include personal data under the GDPR. Moving that data from the EU to a third country requires a valid transfer mechanism under Chapter V. Although some U.S. organizations benefit from the EU-US Data Privacy Framework adequacy decision, the specific recipient in this scenario is not certified. Therefore, the transfer is considered restricted and the controller must implement an alternative mechanism, such as Standard Contractual Clauses, Binding Corporate Rules, or another approved safeguard, before the data can leave the EU. The GDPR does not impose a universal 30-day log-retention limit, does not treat IP addresses as special-category data, and does not always require explicit consent when another lawful basis (e.g., legitimate interest) applies. Ensuring an appropriate cross-border transfer mechanism is the primary legal requirement that must be satisfied.
Risk Identification, Monitoring and Analysis