PII transmission controls

The organization should subject PII transmitted (e.g. sent to another organization) over a data-transmission network to appropriate controls designed to ensure that the data reaches... ... - Licensed content not shown -

GDPR (EU)

5.1.f: Article(5)(1)(f): Personal data shall be: (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

LGPD (BRA)

Art.46: Processing agents must adopt security measures, both technical and administrative, suitable to protect personal data from unauthorized access and accidental or illegal destruction, loss, change, communication, or dissemination events, or any other occurrence resulting from inappropriate or illegal processing. § 1 The National Data Protection Authority may determine minimum technical standards for the purposes of the provisions this Article, considering the nature of the information processed, the specific. characteristics of the processing, and the current state of technology, especially in the case of sensitive personal data, as well as the principles outlined in Article 6 of this Law.§ 2 The measures contemplated in the head provision of this Article must be considered from the phase of the development of the good or service until its execution.

CCPA (US, CA)

S.1798.150.a: (a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following: (A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater. (B) Injunctive or declaratory relief. (C) Any other relief the court deems proper. (2) In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.

APP (Australian Privacy Principles)

APP.11.1: Must take reasonable steps to protect personal information held from misuse, interference and loss, unauthorised access, modification or disclosure (APP 11.1)

PIPEDA (Personal Information Protection and Electronic Documents Act) - Canada

4.6: Personal information must be accurate, complete and up-to-date (4.6)

DPP (Data Protection Principles) - Hong Kong

DPP.4.2: The data user must adopt contractual or other means to ensure data processors take appropriate security measures (DDP 4)

Personal Data Protection Act - Singapore

S.24: Must make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks for personal data held or under their control

Personal Information Protection Act - South Korea

A.29: Must take such technical, managerial, and physical measures (e.g. management plans and access logs) to ensure the protection of personal information (A.29)

Turkish Data Protection Law numbered 6698

A.11.1: (1) Each person has the right to apply to the controller and a) to learn whether his personal data are processed or not, b) to request information if his personal data are processed, c) to learn the purpose of his data processing and whether this data is used for intended purposes, ç) to know the third parties to whom his personal data is transferred at home or abroad, d) to request the rectification of the incomplete or inaccurate data, if any, e) to request the erasure or destruction of his personal data under the conditions laid down in Article 7, f) to request notification of the operations carried out in compliance with sub-paragraphs (d) and (e) to third parties to whom his personal data has been transferred,