Obligations to PII principals
The organization should provide the customer with the means to comply with its obligations related to PII principals.
- Licensed content not shown -
Art.9: The data subject has the right to easily
access information regarding the processing of data,
which must be made available in a clear, adequate,
and ostensive manner, among other characteristics
outlined in regulations to comply with the principle of
I – Specific purpose of processing;
II – Form and duration of processing, respecting
commercial and industrial secrecy;
III – Identification of the controller;
IV – The controller’s contact information;
V – Information regarding the shared use of data by
the controller and the purpose of the sharing;
VI – Liabilities of the processing agents; and
VII – The data subject’s rights with explicit mention
of the rights contemplated in Article 18 of this Law. § 1 If consent is requested, such consent will be
considered void in case the information provided to
the data subject have misleading or abusive content or
were not previously presented in a transparent, clear,
and unambiguous manner.
§ 2 If consent is requested, if there is a change in the
purpose of the processing of personal data that is not
compatible with the original consent, the controller
must inform the data subjects beforehand, who may
revoke the consent, if they disagree with the changes.
§ 3 When the processing of personal data is a
condition for the provision of a good or service or the
exercise of a right, the data subjects will be informed in
a highlighted manner regarding this fact and the means
through which they may exercise the rights identified in
Article 18 of this Law.
CCPA (US, CA)
S.1798.120: (a) A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt out.
(b) A business that sells consumers’ personal information to third parties shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be sold and that consumers have the right to opt out of the sale of their personal information.
(c) A business that has received direction from a consumer not to sell the consumer’s personal information or, in the case of a minor consumer’s personal information has not received consent to sell the minor consumer’s personal information shall be prohibited, pursuant to paragraph (4) of subdivision (a) of Section 1798.135, from selling the consumer’s personal information after its receipt of the consumer’s direction, unless the consumer subsequently provides express authorization for the sale of the consumer’s personal information.
(d) Notwithstanding subdivision (a), a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age. This right may be referred to as the “right to opt in.”
APA (Australian Privacy Act)
PIPEDA (Personal Information Protection and Electronic Documents Act) - Canada
Personal Data Protection Act - Singapore
Personal Information Protection Act - South Korea