Access, correction and/or erasure
The organization should implement policies, procedures and/or mechanisms to meet their obligations to PII
principals to access, correct and/or erase their PII.
...
- Licensed content not shown - LGPD (BRA)
Art.6: The operations of personal data processing
must be performed in good faith and follow these
principles:
I – Purpose: Performing the processing for legitimate,
specific, and explicit purposes that the data subject
is informed of, without the possibility of further
processing in a manner that is incompatible with
those purposes;
II – Adequacy: Compatibility of the processing with
the purposes that the data subject was informed of,
according to the context of the processing;
III – Necessity: Limitation of processing to the
minimum necessary for fulfilling its purposes, using
pertinent, proportional and non-excessive data in
relation to the purposes of processing;
IV – Free Access: Guarantee, to the data subjects, of
the ability to easily query free of charge the means
and duration of processing, as well as the integrity
of their personal data;
V – Data Quality: Guarantee, to the data subjects,
of accuracy, clarity, relevance, and updating of data,
according to the need and to fulfill the purpose of its
processing;
VI – Transparency: Guarantee, to the data subjects,
of clear, precise, and easily-accessible information
regarding the processing and the respective
processing agents, respecting commercial and
industrial secrecy;
VII – Security: Use of technical and administrative measures suitable to protect personal data from
unauthorized access and accidental or illicit
destruction, loss, change, communication, or
dissemination events;
VIII – Prevention: Adoption of measures to prevent
the occurrence of damage as result of the
processing of personal data;
IX – Non-Discrimination: Impossibility of processing
for illegal or abusive discriminatory purposes;
X – Liability and Accountability: Demonstration,
by the processing agent, that effective measures
capable of proving the observance and compliance
with personal data protection rules, including the
efficacy of these measures, is adopted.
Processing of personal data activities must be in good faith and, among others, be for notified purpose(s), necessary and transparent (Art 6)
If testing is not... Art.18: The data subject has the right to obtain from
the controller, relating to the data subject’s data that
is processed by the controller, at any time, and upon
request:
I – Confirmation of the existence of the processing;
II – Access to the data;
III – Rectification of incomplete, inaccurate, or
outdated data;
IV – Anonymization, blocking, or elimination of data
that is unnecessary, excessive, or processed noncompliant
with the provisions of this Law;
V – Portability of the data to other providers of
services or goods, through express request, in
accordance with the regulations of the national
authority, observing trade and industrial secrets;
(New wording included by Law No. 13,853 of 2019)
VI – Elimination of data processed with the data
subject’s consent, except in the scenarios outlined
in Article 16 of this Law;
VII – Information regarding public and private legal
entities with which the controller has performed
shared use of data;
VIII – Information on the possibility of not providing
consent and on the effects of consent denial;
IX – Withdrawal of consent under the terms of § 5 of
Article 8 of this Law.
§ 1 The data subjects has the right to petition to
the National Data Protection Authority against the
controller in connection their data.
§ 2 The data subject may object to the processing
performed on the basis of one of the consent waiver
scenarios, in case of violation of the provisions of this
Law.
§ 3 The rights outlined in this Article will be exercised
through express request by the data subject or their
legally-empowered representative, to the processing
agent.
§ 4 If the immediate adoption of the measures referred
to in § 3 of this Article is impossible, the controller will
send to the data subject a response in which it may: I – Inform that it is not the processing agent and
specify, whenever possible, the processing agent; or
II – Specify the factual and legal reasons that
prevent the adoption of immediate measures.
§ 5 Requests referred to in § 3 of this Article will be
fulfilled without costs for the data subject, within the
terms established in regulations.
§ 6 The responsible must immediately inform
processing agents with which it shared use of data
regarding the rectification, elimination, anonymization,
and blocking of such data, so that processing agents
may repeat the same proceeding. (New wording
included by Law No. 13,853 of 2019)
§ 7 The portability of personal data mentioned in
item V of the head provision of this Article does not
include data that have already been anonymized by the
controller.
§ 8 The right mentioned in § 1 of this Article may also
be exercised before consumer protection agencies. Art.19: The confirmation of the existence of
processing or the access to personal data will be
provided through request of the data subject:
I – In a simplified format and immediately; or
II – Through a clear and complete statement
specifying the origin of the data, the nonexistence
of records, and criteria used for processing, as well
as its purpose, respecting commercial and industrial
secrecy, provided within at least fifteen (15) days,
counting from the date of the data subject’s
request.
§ 1 The personal data will be stored in a format that
promotes the exercise of the right to access.
§ 2 The information and data may be provided, at the
discretion of the data subject:
I – Through electronic means that are secure and
appropriate for such purpose; or
II – Through printed means.
§ 3 When the processing originates from the data
subject’s consent or from a contract, the data subjects
may request a full electronic copy of their personal
data, respecting commercial and industrial secrecy,
under the terms of the National Data Protection
Authority ‘s regulations, in a format that allows it to
be used subsequently, including in other processing
operations. § 4 For specific industries, the National Data Protection
Authority may establish different terms than those
provided in items I and II of the head provision of this
Article. APP (Australian Privacy Principles)
PIPEDA (Personal Information Protection and Electronic Documents Act) - Canada
DPP (Data Protection Principles) - Hong Kong
Personal Data (Privacy) Ordinance - Hong Kong
Personal Data Protection Act - Singapore
Personal Information Protection Act - South Korea
Turkish Data Protection Law numbered 6698