Understanding the needs and expectations of interested parties

The organization shall include among its interested parties (see ISO/IEC 27001:2013, 4.2), those parties having interests or responsibilities associated with the processing of PII, including the PII principals. ... - Licensed content not shown -

GDPR (EU)

31: Article(31): Cooperation with the supervisory authority: The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.

35.9: Article(35)(9): Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.

36.1: Article(36)(1): The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

36.3.a: Article(36)(3)(a): When consulting the supervisory authority pursuant to paragraph 1, the controller shall provide the supervisory authority with: (a) where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings

36.3.b: Article(36)(3)(b): When consulting the supervisory authority pursuant to paragraph 1, the controller shall provide the supervisory authority with: (b) the purposes and means of the intended processing;

36.3.c: Article(36)(3)(c): When consulting the supervisory authority pursuant to paragraph 1, the controller shall provide the supervisory authority with: (c) the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation

36.3.d: Article(36)(3)(d): When consulting the supervisory authority pursuant to paragraph 1, the controller shall provide the supervisory authority with: (d) where applicable, the contact details of the data protection officer;

36.3.e: Article(36)(3)(e): When consulting the supervisory authority pursuant to paragraph 1, the controller shall provide the supervisory authority with: (e) the data protection impact assessment provided for in Article 35; and

36.3.f: Article(36)(3)(f): When consulting the supervisory authority pursuant to paragraph 1, the controller shall provide the supervisory authority with: (f) any other information requested by the supervisory authority

36.5: Article(36)(5): Notwithstanding paragraph 1, Member State law may require controllers to consult with, and obtain prior authorisation from, the supervisory authority in relation to processing by a controller for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health.

LGPD (BRA)

Art.6: The operations of personal data processing must be performed in good faith and follow these principles: I – Purpose: Performing the processing for legitimate, specific, and explicit purposes that the data subject is informed of, without the possibility of further processing in a manner that is incompatible with those purposes; II – Adequacy: Compatibility of the processing with the purposes that the data subject was informed of, according to the context of the processing; III – Necessity: Limitation of processing to the minimum necessary for fulfilling its purposes, using pertinent, proportional and non-excessive data in relation to the purposes of processing; IV – Free Access: Guarantee, to the data subjects, of the ability to easily query free of charge the means and duration of processing, as well as the integrity of their personal data; V – Data Quality: Guarantee, to the data subjects, of accuracy, clarity, relevance, and updating of data, according to the need and to fulfill the purpose of its processing; VI – Transparency: Guarantee, to the data subjects, of clear, precise, and easily-accessible information regarding the processing and the respective processing agents, respecting commercial and industrial secrecy; VII – Security: Use of technical and administrative measures suitable to protect personal data from unauthorized access and accidental or illicit destruction, loss, change, communication, or dissemination events; VIII – Prevention: Adoption of measures to prevent the occurrence of damage as result of the processing of personal data; IX – Non-Discrimination: Impossibility of processing for illegal or abusive discriminatory purposes; X – Liability and Accountability: Demonstration, by the processing agent, that effective measures capable of proving the observance and compliance with personal data protection rules, including the efficacy of these measures, is adopted. Processing of personal data activities must be in good faith and, among others, be for notified purpose(s), necessary and transparent (Art 6) If testing is not...

Art.13: In conducting studies and research in public health, the research organizations may have access to personal database, which will be processed exclusively within the body and strictly for the purpose of conducting the studies and research and kept in a controlled and secured environment, according to practices outlined in specific regulations and including, whenever possible, anonymization or pseudonymization of the data, as well as considering the due ethical standards related to studies and research. § 1 The disclosure of results or of any excerpt of the study or research contemplated in the head provision of this Article shall not reveal personal data in any case.

Art.44: The processing of personal data is considered irregular when legislation is not followed or when the security that the data subject can expect is not provided, considering relevant circumstances, including: I – The way the processing was performed; II – The result and the risks that can be reasonably expected from the processing; III – The processing techniques available at the time it was performed. Sole Paragraph. The controller or processor that, when failing to adopt the security measures outlined in Article 46 of this Law, cause damage, will be held responsible for a violation of data security.

CCPA (US, CA)

S.1798.125: (a) (1) A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title, including, but not limited to, by: (A) Denying goods or services to the consumer. (B) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties. (C) Providing a different level or quality of goods or services to the consumer, if the consumer exercises the consumer’s rights under this title. (D) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services. (2) Nothing in this subdivision prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data. (b) (1) A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data. (2) A business that offers any financial incentives pursuant to subdivision (a), shall notify consumers of the financial incentives pursuant to Section 1798.135. (3) A business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent pursuant to Section 1798.135 which clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time. (4) A business shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.

PIPEDA (Personal Information Protection and Electronic Documents Act) - Canada

Division 1 5 (1): Every organisation must comply with the obligations (i.e. principles) in Schedule 1

Personal Data Protection Act - Singapore

S.4.3: Organisations have the same obligations in respect of personal data processed for them by a 'data intermediary' as if it was processed by them (S.4(3))

Turkish Data Protection Law numbered 6698

A.1: The obligations, principles and procedures under the law are binding on all who process personal data (A.1)