Access, correction and/or erasure

The organization should implement policies, procedures and/or mechanisms to meet their obligations to PII principals to access, correct and/or erase their PII. ... - Licensed content not shown -

GDPR (EU)

5.1.d: Article(5)(1)(d): Personal data shall be: (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

13.2.b: Article(13)(2)(b): In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing: (b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

14.2.c: Article(14)(2)(c): In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject: (c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;

16: Article(16): The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement

17.1.a: Article(17)(1)(a): The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed

17.1.b: Article(17)(1)(b): The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

17.1.c: Article(17)(1)(c): The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

17.1.d: Article(17)(1)(d): The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (d) the personal data have been unlawfully processed;

17.1.e: Article(17)(1)(e): The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject

17.1.f: Article(17)(1)(f): The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

17.2: Article(17)(2): Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

LGPD (BRA)

Art.6: The operations of personal data processing must be performed in good faith and follow these principles: I – Purpose: Performing the processing for legitimate, specific, and explicit purposes that the data subject is informed of, without the possibility of further processing in a manner that is incompatible with those purposes; II – Adequacy: Compatibility of the processing with the purposes that the data subject was informed of, according to the context of the processing; III – Necessity: Limitation of processing to the minimum necessary for fulfilling its purposes, using pertinent, proportional and non-excessive data in relation to the purposes of processing; IV – Free Access: Guarantee, to the data subjects, of the ability to easily query free of charge the means and duration of processing, as well as the integrity of their personal data; V – Data Quality: Guarantee, to the data subjects, of accuracy, clarity, relevance, and updating of data, according to the need and to fulfill the purpose of its processing; VI – Transparency: Guarantee, to the data subjects, of clear, precise, and easily-accessible information regarding the processing and the respective processing agents, respecting commercial and industrial secrecy; VII – Security: Use of technical and administrative measures suitable to protect personal data from unauthorized access and accidental or illicit destruction, loss, change, communication, or dissemination events; VIII – Prevention: Adoption of measures to prevent the occurrence of damage as result of the processing of personal data; IX – Non-Discrimination: Impossibility of processing for illegal or abusive discriminatory purposes; X – Liability and Accountability: Demonstration, by the processing agent, that effective measures capable of proving the observance and compliance with personal data protection rules, including the efficacy of these measures, is adopted. Processing of personal data activities must be in good faith and, among others, be for notified purpose(s), necessary and transparent (Art 6) If testing is not...

Art.18: The data subject has the right to obtain from the controller, relating to the data subject’s data that is processed by the controller, at any time, and upon request: I – Confirmation of the existence of the processing; II – Access to the data; III – Rectification of incomplete, inaccurate, or outdated data; IV – Anonymization, blocking, or elimination of data that is unnecessary, excessive, or processed noncompliant with the provisions of this Law; V – Portability of the data to other providers of services or goods, through express request, in accordance with the regulations of the national authority, observing trade and industrial secrets; (New wording included by Law No. 13,853 of 2019) VI – Elimination of data processed with the data subject’s consent, except in the scenarios outlined in Article 16 of this Law; VII – Information regarding public and private legal entities with which the controller has performed shared use of data; VIII – Information on the possibility of not providing consent and on the effects of consent denial; IX – Withdrawal of consent under the terms of § 5 of Article 8 of this Law. § 1 The data subjects has the right to petition to the National Data Protection Authority against the controller in connection their data. § 2 The data subject may object to the processing performed on the basis of one of the consent waiver scenarios, in case of violation of the provisions of this Law. § 3 The rights outlined in this Article will be exercised through express request by the data subject or their legally-empowered representative, to the processing agent. § 4 If the immediate adoption of the measures referred to in § 3 of this Article is impossible, the controller will send to the data subject a response in which it may: I – Inform that it is not the processing agent and specify, whenever possible, the processing agent; or II – Specify the factual and legal reasons that prevent the adoption of immediate measures. § 5 Requests referred to in § 3 of this Article will be fulfilled without costs for the data subject, within the terms established in regulations. § 6 The responsible must immediately inform processing agents with which it shared use of data regarding the rectification, elimination, anonymization, and blocking of such data, so that processing agents may repeat the same proceeding. (New wording included by Law No. 13,853 of 2019) § 7 The portability of personal data mentioned in item V of the head provision of this Article does not include data that have already been anonymized by the controller. § 8 The right mentioned in § 1 of this Article may also be exercised before consumer protection agencies.

Art.19: The confirmation of the existence of processing or the access to personal data will be provided through request of the data subject: I – In a simplified format and immediately; or II – Through a clear and complete statement specifying the origin of the data, the nonexistence of records, and criteria used for processing, as well as its purpose, respecting commercial and industrial secrecy, provided within at least fifteen (15) days, counting from the date of the data subject’s request. § 1 The personal data will be stored in a format that promotes the exercise of the right to access. § 2 The information and data may be provided, at the discretion of the data subject: I – Through electronic means that are secure and appropriate for such purpose; or II – Through printed means. § 3 When the processing originates from the data subject’s consent or from a contract, the data subjects may request a full electronic copy of their personal data, respecting commercial and industrial secrecy, under the terms of the National Data Protection Authority ‘s regulations, in a format that allows it to be used subsequently, including in other processing operations. § 4 For specific industries, the National Data Protection Authority may establish different terms than those provided in items I and II of the head provision of this Article.

CCPA (US, CA)

S.1798.105.a: (a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.

S.1798.105.c: (c) A business that receives a verifiable request from a consumer to delete the consumer’s personal information pursuant to subdivision (a) of this section shall delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.

APP (Australian Privacy Principles)

APP.12.1: On request, an individual must be given access to their personal information (APP 12.1)

APP.13.1: Must take reasonable steps to correct personal information of an individual if it is out-of-date, incomplete, irrelevant or misleading or if the individual requests it to be corrected (APP 13.1)

PIPEDA (Personal Information Protection and Electronic Documents Act) - Canada

4.9.5: Must amend the personal information held once individual demonstrates it is inaccurate or incomplete and, where appropriate, notify third parties of the amendment (4.9.5)

DPP (Data Protection Principles) - Hong Kong

DPP.6: A data subject is entitled to ascertain whether personal data is held about them, request access to and correction of it (DPP 6)

Personal Data (Privacy) Ordinance - Hong Kong

S.22: On request by the individual, must correct personal data (S.22)

S.23: Must take all practicable steps to supply the third party with a copy of the corrected data (disclosed within prior 12 months) and a notice in writing stating the reasons for the correction

Personal Data Protection Act - Singapore

S.21: On request must, as soon as reasonably possible provide the personal data about that individual in the organisation's possession or under its control (S.21)

S.22: On request must, as soon as practical, correct an error or omission in the personal data (in possession or under your control) unless satisfied on reasonable grounds that the correction should not be made and send the correct information to every other organisation to which the personal data was disclosed in the past year

Personal Information Protection Act - South Korea

A.4: Data subjects have specified rights in relation to the process of his/her personal data (A.4)

A.36: A data subject who has accessed his/her personal information pursuant to Article 35 may request a correction or erasure of such personal information from the relevant personal information controller

A.38: Must publish directions for how to exercise rights (A.38)

Turkish Data Protection Law numbered 6698

A.11.1: (1) Each person has the right to apply to the controller and a) to learn whether his personal data are processed or not, b) to request information if his personal data are processed, c) to learn the purpose of his data processing and whether this data is used for intended purposes, ç) to know the third parties to whom his personal data is transferred at home or abroad, d) to request the rectification of the incomplete or inaccurate data, if any, e) to request the erasure or destruction of his personal data under the conditions laid down in Article 7, f) to request notification of the operations carried out in compliance with sub-paragraphs (d) and (e) to third parties to whom his personal data has been transferred,