314 – Provide processing confirmation

Summary

The system must provide confirmation to its users of whether or not it is storing and/or processing their personal data.

Description

Systems usually request information from their users, obtain it from third parties or collect it based on their interactions with the application. They should have a mechanism that allows users to request confirmation of whether or not the system is managing their personal information, even if it was not obtained from the users but from a third party.

Supported In

Advanced: True

References

• GDPR-11_2. Processing which does not require identification
• GDPR-15_1. Right of access by the data subject
• GDPR-89_2. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
• GDPR-89_3. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
• SOC2-P4_1. Additional criteria for privacy (related to use, retention, and disposal)
• CCPA-1798_110. Consumer's right to know what personal information is being collected. Right to access personal information
• CCPA-1798_115. Consumer's right to know what personal information is sold or shared and to whom
• CPRA-1798_104. Compliance with right to know and disclosure requirements
• GLBA-502_A. Obligations with respect to disclosures of personal information – Notice requirements
• NYDFS-500_10. Cybersecurity personnel and intelligence
• HITRUST-05_d. Authorization process for information assets and facilities
• HITRUST-09_e. Service delivery
• HITRUST-09_q. Information handling procedures
• HITRUST-13_a. Privacy notice
• HITRUST-13_b. Openness and transparency
• HITRUST-13_c. Accounting of disclosures
• FEDRAMP-CA-2_3. Security assessment - External organizations
• LGPD-7_III. Requirements for the Processing of Personal Data
• LGPD-14-2. Processing of Children and Adolescents Personal Data
• LGPD-18_I. Data Subjects Rights
• LGPD-19. Data Subjects Rights
• PCI-3_3_1. Sensitive authentication data (SAD) is not stored after authorization
• SIG-D_4_4. Asset and information management
• SIG-P_2. Privacy
• SIG-P_2_4. Privacy

Weaknesses

• 088 – Privacy violation

Last updated

2023/09/18