Provide processing confirmation
Summary
The system must provide confirmation to its users of whether or not it is storing and/or processing their personal data.
Description
Systems usually request information from their users, obtain it from third parties or collect it based on their interactions with the application. They should have a mechanism that allows users to request confirmation of whether or not the system is managing their personal information, even if it was not obtained from the users but from a third party.
References
- GDPR-11_2. Processing which does not require identification
- GDPR-15_1. Right of access by the data subject
- GDPR-89_2. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
- GDPR-89_3. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
- SOC2-P4_1. Additional criteria for privacy (related to use, retention, and disposal)
- CCPA-1798_110. Consumer's right to know what personal information is being collected. Right to access personal information
- CCPA-1798_115. Consumer's right to know what personal information is sold or shared and to whom
- CPRA-1798_104. Compliance with right to know and disclosure requirements
- GLBA-502_A. Obligations with respect to disclosures of personal information – Notice requirements
- NYDFS-500_10. Cybersecurity personnel and intelligence
- HITRUST-05_d. Authorization process for information assets and facilities
- HITRUST-09_e. Service delivery
- HITRUST-09_q. Information handling procedures
- HITRUST-13_a. Privacy notice
- HITRUST-13_b. Openness and transparency
- HITRUST-13_c. Accounting of disclosures
- FEDRAMP-CA-2_3. Security assessment - External organizations
- LGPD-7_III. Requirements for the Processing of Personal Data
- LGPD-14-2. Processing of Children and Adolescents Personal Data
- LGPD-18_I. Data Subjects Rights
- LGPD-19. Data Subjects Rights
- PCI-3_3_1. Sensitive authentication data (SAD) is not stored after authorization
- SIG-D_4_4. Asset and information management
- SIG-P_2. Privacy
- SIG-P_2_4. Privacy
Weaknesses
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.
Supported In
This requirement is verified in following services
Essential Plan
Advanced Plan