Obligations to PII principals

The organization should provide the customer with the means to comply with its obligations related to PII principals. ... - Licensed content not shown -

GDPR (EU)

15.3: Article(15)(3): The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

17.2: Article(17)(2): Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

28.3.e: Article(28)(3)(e): Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor: (e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;

LGPD (BRA)

Art.9: The data subject has the right to easily access information regarding the processing of data, which must be made available in a clear, adequate, and ostensive manner, among other characteristics outlined in regulations to comply with the principle of free access: I – Specific purpose of processing; II – Form and duration of processing, respecting commercial and industrial secrecy; III – Identification of the controller; IV – The controller’s contact information; V – Information regarding the shared use of data by the controller and the purpose of the sharing; VI – Liabilities of the processing agents; and VII – The data subject’s rights with explicit mention of the rights contemplated in Article 18 of this Law. § 1 If consent is requested, such consent will be considered void in case the information provided to the data subject have misleading or abusive content or were not previously presented in a transparent, clear, and unambiguous manner. § 2 If consent is requested, if there is a change in the purpose of the processing of personal data that is not compatible with the original consent, the controller must inform the data subjects beforehand, who may revoke the consent, if they disagree with the changes. § 3 When the processing of personal data is a condition for the provision of a good or service or the exercise of a right, the data subjects will be informed in a highlighted manner regarding this fact and the means through which they may exercise the rights identified in Article 18 of this Law.

Art.49: The systems used to process the personal data must be structured in order to meet security requirements, best practice and governance standards and the general principles outlined in this Law and other regulatory rules.

CCPA (US, CA)

S.1798.110.b.and.c: (b) A business that collects personal information about a consumer shall disclose to the consumer, pursuant to paragraph (3) of subdivision (a) of Section 1798.130, the information specified in subdivision (a) upon receipt of a verifiable request from the consumer. (c) A business that collects personal information about consumers shall disclose, pursuant to subparagraph (B) of paragraph (5) of subdivision (a) of Section 1798.130: (1) The categories of personal information it has collected about that consumer. (2) The categories of sources from which the personal information is collected. (3) The business or commercial purpose for collecting or selling personal information. (4) The categories of third parties with whom the business shares personal information. (5) The specific pieces of personal information the business has collected about that consumer. (d) This section does not require a business to do the following: (1) Retain any personal information about a consumer collected for a single one-time transaction if, in the ordinary course of business, that information about the consumer is not retained. (2) Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.

S.1798.120: (a) A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt out. (b) A business that sells consumers’ personal information to third parties shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be sold and that consumers have the right to opt out of the sale of their personal information. (c) A business that has received direction from a consumer not to sell the consumer’s personal information or, in the case of a minor consumer’s personal information has not received consent to sell the minor consumer’s personal information shall be prohibited, pursuant to paragraph (4) of subdivision (a) of Section 1798.135, from selling the consumer’s personal information after its receipt of the consumer’s direction, unless the consumer subsequently provides express authorization for the sale of the consumer’s personal information. (d) Notwithstanding subdivision (a), a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age. This right may be referred to as the “right to opt in.”

APA (Australian Privacy Act)

APA.15: Must not do an act, or engage in a practice, that breaches an APP (S.15)

PIPEDA (Personal Information Protection and Electronic Documents Act) - Canada

Division 1 5 (1): Every organisation must comply with the obligations (i.e. principles) in Schedule 1

Personal Data Protection Act - Singapore

S.4.3: Organisations have the same obligations in respect of personal data processed for them by a 'data intermediary' as if it was processed by them (S.4(3))

Personal Information Protection Act - South Korea

A.26: On outsourcing the processing of personal information to a third party, must satisfy certain formalities in writing and prevent processing for purposes other than the purposes for which the processing was outsourced and ensure technical and managerial safeguards