Determining information for PII principals
The organization should determine and document the information which is to be provided to PII principals
regarding the processing of their PII and the timing of...
...
- Licensed content not shown - LGPD (BRA)
Art.6: The operations of personal data processing
must be performed in good faith and follow these
principles:
I – Purpose: Performing the processing for legitimate,
specific, and explicit purposes that the data subject
is informed of, without the possibility of further
processing in a manner that is incompatible with
those purposes;
II – Adequacy: Compatibility of the processing with
the purposes that the data subject was informed of,
according to the context of the processing;
III – Necessity: Limitation of processing to the
minimum necessary for fulfilling its purposes, using
pertinent, proportional and non-excessive data in
relation to the purposes of processing;
IV – Free Access: Guarantee, to the data subjects, of
the ability to easily query free of charge the means
and duration of processing, as well as the integrity
of their personal data;
V – Data Quality: Guarantee, to the data subjects,
of accuracy, clarity, relevance, and updating of data,
according to the need and to fulfill the purpose of its
processing;
VI – Transparency: Guarantee, to the data subjects,
of clear, precise, and easily-accessible information
regarding the processing and the respective
processing agents, respecting commercial and
industrial secrecy;
VII – Security: Use of technical and administrative measures suitable to protect personal data from
unauthorized access and accidental or illicit
destruction, loss, change, communication, or
dissemination events;
VIII – Prevention: Adoption of measures to prevent
the occurrence of damage as result of the
processing of personal data;
IX – Non-Discrimination: Impossibility of processing
for illegal or abusive discriminatory purposes;
X – Liability and Accountability: Demonstration,
by the processing agent, that effective measures
capable of proving the observance and compliance
with personal data protection rules, including the
efficacy of these measures, is adopted.
Processing of personal data activities must be in good faith and, among others, be for notified purpose(s), necessary and transparent (Art 6)
If testing is not... Art.9: The data subject has the right to easily
access information regarding the processing of data,
which must be made available in a clear, adequate,
and ostensive manner, among other characteristics
outlined in regulations to comply with the principle of
free access:
I – Specific purpose of processing;
II – Form and duration of processing, respecting
commercial and industrial secrecy;
III – Identification of the controller;
IV – The controller’s contact information;
V – Information regarding the shared use of data by
the controller and the purpose of the sharing;
VI – Liabilities of the processing agents; and
VII – The data subject’s rights with explicit mention
of the rights contemplated in Article 18 of this Law. § 1 If consent is requested, such consent will be
considered void in case the information provided to
the data subject have misleading or abusive content or
were not previously presented in a transparent, clear,
and unambiguous manner.
§ 2 If consent is requested, if there is a change in the
purpose of the processing of personal data that is not
compatible with the original consent, the controller
must inform the data subjects beforehand, who may
revoke the consent, if they disagree with the changes.
§ 3 When the processing of personal data is a
condition for the provision of a good or service or the
exercise of a right, the data subjects will be informed in
a highlighted manner regarding this fact and the means
through which they may exercise the rights identified in
Article 18 of this Law. CCPA (US, CA)
S.1798.130: (a) In order to comply with Sections 1798.100, 1798.105, 1798.110, 1798.115, and 1798.125, in a form that is reasonably accessible to consumers, a business shall:
(1) Make available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, including, at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address.
(2) Disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable request from the consumer. The business shall promptly take steps to determine whether the request is a verifiable request, but this shall not extend the business’s duty to disclose and deliver the information within 45 days of receipt of the consumer’s request. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period. The disclosure shall cover the 12-month period preceding the business’s receipt of the verifiable request and shall be made in writing and delivered through the consumer’s account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business, in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance. The business shall not require the consumer to create an account with the business in order to make a verifiable request.
(3) For purposes of subdivision (b) of Section 1798.110:
(A) To identify the consumer, associate the information provided by the consumer in the verifiable request to any personal information previously collected by the business about the consumer.
(B) Identify by category or categories the personal information collected about the consumer in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information collected.
(4) For purposes of subdivision (b) of Section 1798.115:
(A) Identify the consumer and associate the information provided by the consumer in the verifiable request to any personal information previously collected by the business about the consumer.
(B) Identify by category or categories the personal information of the consumer that the business sold in the preceding 12 months by reference to the enumerated category in subdivision (c) that most closely describes the personal information, and provide the categories of third parties to whom the consumer’s personal information was sold in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information sold. The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (C).
(C) Identify by category or categories the personal information of the consumer that the business disclosed for a business purpose in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information, and provide the categories of third parties to whom the consumer’s personal information was disclosed for a business purpose in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information disclosed. The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (B).
(5) Disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers’ privacy rights, or if the business does not maintain those policies, on its Internet Web site, and update that information at least once every 12 months:
(A) A description of a consumer’s rights pursuant to Sections 1798.110, 1798.115, and 1798.125 and one or more designated methods for submitting requests.
(B) For purposes of subdivision (c) of Section 1798.110, a list of the categories of personal information it has collected about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describe the personal information collected.
(C) For purposes of paragraphs (1) and (2) of subdivision (c) of Section 1798.115, two separate lists:
(i) A list of the categories of personal information it has sold about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describe the personal information sold, or if the business has not sold consumers’ personal information in the preceding 12 months, the business shall disclose that fact.
(ii) A list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months by reference to the enumerated category in subdivision (c) that most closely describe the personal information disclosed, or if the business has not disclosed consumers’ personal information for a business purpose in the preceding 12 months, the business shall disclose that fact.
(6) Ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements in Sections 1798.110, 1798.115, 1798.125, and this section, and how to direct consumers to exercise their rights under those sections.
(7) Use any personal information collected from the consumer in connection with the business’s verification of the consumer’s request solely for the purposes of verification.
(b) A business is not obligated to provide the information required by Sections 1798.110 and 1798.115 to the same consumer more than twice in a 12-month period.
(c) The categories of personal information required to be disclosed pursuant to Sections 1798.110 and 1798.115 shall follow the definition of personal information in Section 1798.140. S.1798.135: (a) A business that is required to comply with Section 1798.120 shall, in a form that is reasonably accessible to consumers:
(1) Provide a clear and conspicuous link on the business’ Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.
(2) Include a description of a consumer’s rights pursuant to Section 1798.120, along with a separate link to the “Do Not Sell My Personal Information” Internet Web page in:
(A) Its online privacy policy or policies if the business has an online privacy policy or policies.
(B) Any California-specific description of consumers’ privacy rights.
(3) Ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements in Section 1798.120 and this section and how to direct consumers to exercise their rights under those sections.
(4) For consumers who exercise their right to opt out of the sale of their personal information, refrain from selling personal information collected by the business about the consumer.
(5) For a consumer who has opted out of the sale of the consumer’s personal information, respect the consumer’s decision to opt out for at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.
(6) Use any personal information collected from the consumer in connection with the submission of the consumer’s opt-out request solely for the purposes of complying with the opt-out request.
(b) Nothing in this title shall be construed to require a business to comply with the title by including the required links and text on the homepage that the business makes available to the public generally, if the business maintains a separate and additional homepage that is dedicated to California consumers and that includes the required links and text, and the business takes reasonable steps to ensure that California consumers are directed to the homepage for California consumers and not the homepage made available to the public generally.
(c) A consumer may authorize another person solely to opt out of the sale of the consumer’s personal information on the consumer’s behalf, and a business shall comply with an opt out request received from a person authorized by the consumer to act on the consumer’s behalf, pursuant to regulations adopted by the Attorney General. APP (Australian Privacy Principles)
PIPEDA (Personal Information Protection and Electronic Documents Act) - Canada
DPP (Data Protection Principles) - Hong Kong
Personal Data Protection Act - Singapore
Personal Information Protection Act - South Korea
Turkish Data Protection Law numbered 6698