PII controllers' obligations to inform third parties

The organization should implement policies, procedures and/or mechanisms to inform third parties with whom the PII has been shared of any modification, withdrawal or objections pertaining... ... - Licensed content not shown -

GDPR (EU)

19: Article(19): Notification obligation regarding rectification or erasure of personal data or restriction of processing: The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

LGPD (BRA)

Art.39: The processor must carry out the processing of the data in accordance with the instructions provided by the controller, which will verify the observance of these instructions and rules on the matter.

Art.46: Processing agents must adopt security measures, both technical and administrative, suitable to protect personal data from unauthorized access and accidental or illegal destruction, loss, change, communication, or dissemination events, or any other occurrence resulting from inappropriate or illegal processing. § 1 The National Data Protection Authority may determine minimum technical standards for the purposes of the provisions this Article, considering the nature of the information processed, the specific. characteristics of the processing, and the current state of technology, especially in the case of sensitive personal data, as well as the principles outlined in Article 6 of this Law.§ 2 The measures contemplated in the head provision of this Article must be considered from the phase of the development of the good or service until its execution.

CCPA (US, CA)

S.1798.105.c: (c) A business that receives a verifiable request from a consumer to delete the consumer’s personal information pursuant to subdivision (a) of this section shall delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.

APP (Australian Privacy Principles)

APP.10.2: Must take reasonable steps to ensure personal information used or disclosed is up-to-date, complete and relevant (APP 10.2)

APP.13.2: Where personal information is disclosed and that information is subsequently corrected, if requested, reasonable steps must be taken to notify the recipient of the correction (APP 13.2)

PIPEDA (Personal Information Protection and Electronic Documents Act) - Canada

4.9.5: Must amend the personal information held once individual demonstrates it is inaccurate or incomplete and, where appropriate, notify third parties of the amendment (4.9.5)

Personal Data (Privacy) Ordinance - Hong Kong

S.23: Must take all practicable steps to supply the third party with a copy of the corrected data (disclosed within prior 12 months) and a notice in writing stating the reasons for the correction

Personal Data Protection Act - Singapore

S.22: On request must, as soon as practical, correct an error or omission in the personal data (in possession or under your control) unless satisfied on reasonable grounds that the correction should not be made and send the correct information to every other organisation to which the personal data was disclosed in the past year

Personal Information Protection Act - South Korea

A.4: Data subjects have specified rights in relation to the process of his/her personal data (A.4)

A.38: Must publish directions for how to exercise rights (A.38)

Turkish Data Protection Law numbered 6698

A.11.1: (1) Each person has the right to apply to the controller and a) to learn whether his personal data are processed or not, b) to request information if his personal data are processed, c) to learn the purpose of his data processing and whether this data is used for intended purposes, ç) to know the third parties to whom his personal data is transferred at home or abroad, d) to request the rectification of the incomplete or inaccurate data, if any, e) to request the erasure or destruction of his personal data under the conditions laid down in Article 7, f) to request notification of the operations carried out in compliance with sub-paragraphs (d) and (e) to third parties to whom his personal data has been transferred,