315 – Provide processed data information

Summary

The system must provide information about the personal data that it processes. Additionally, this information should be presented to the user before requesting their consent for its collection or processing.

Description

Systems usually request information from their users, obtain it from third parties or collect it based on their interactions with the application. They should have a mechanism that allows users to find out about the following aspects of the personal information that they process: - The purpose of the processing of the data. - The categories of processed data. - The actors who will have access to the information. - If possible, the time for which the data will be managed/processed. - The possibility to request erasure or rectification. - If the data was obtained from a third party, information about the third party. Furthermore, the data should be presented in a clear manner, in a structured format and using easily understandable language.

Supported In

Advanced: True

References

• EPRIVACY-6_4. Traffic data
• EPRIVACY-9_1. Location data other than traffic data
• GDPR-11_2. Processing which does not require identification
• GDPR-15_1ag. Right of access by the data subject
• GDPR-20_1. Right to data portability
• GDPR-89_2. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
• GDPR-89_3. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
• SOC2-P4_1. Additional criteria for privacy (related to use, retention, and disposal)
• CCPA-1798_100. General duties of businesses that collect personal information
• CCPA-1798_106. Consumer's right to correct inaccurate personal information
• CCPA-1798_110. Consumer's right to know what personal information is being collected. Right to access personal information
• CPRA-1798_101. Consumer's right to know what personal information is sold or shared and to whom
• CPRA-1798_104. Compliance with right to know and disclosure requirements
• GLBA-502_A. Obligations with respect to disclosures of personal information – Notice requirements
• NYDFS-500_10. Cybersecurity personnel and intelligence
• PDPA-4_20. Notification of purpose
• POPIA-3A_15. Further processing to be compatible with purpose of collection
• POPIA-3A_18. Notification to data subject when collecting personal information
• PDPO-S1_2. Accuracy and duration of retention of personal data
• PDPO-S1_3. Use of personal data
• PDPO-S1_5. Information to be generally available
• CMMC-MP_L1-3_8_3. Media disposal
• HITRUST-01_e. Review of user access rights
• HITRUST-05_d. Authorization process for information assets and facilities
• HITRUST-09_e. Service delivery
• HITRUST-09_q. Information handling procedures
• HITRUST-13_a. Privacy notice
• HITRUST-13_b. Openness and transparency
• HITRUST-13_c. Accounting of disclosures
• HITRUST-13_h. Purpose specification
• HITRUST-13_m. Accuracy and quality
• LGPD-7_VI. Requirements for the Processing of Personal Data
• LGPD-7_X-3. Requirements for the Processing of Personal Data
• LGPD-7_X-5. Requirements for the Processing of Personal Data
• LGPD-7_X-7. Requirements for the Processing of Personal Data
• LGPD-8-4. Requirements for the Processing of Personal Data
• LGPD-9. Requirements for the Processing of Personal Data
• LGPD-14-2. Processing of Children and Adolescents Personal Data
• LGPD-23_I. Rules
• OWASPRISKS-P5. Non-transparent policies, terms and conditions
• OWASPRISKS-P6. Insufficient deletion of personal data
• OWASPRISKS-P10. Collection of data not required for the user-consented purpose
• ASVS-8_3_4. Sensitive private data
• PCI-3_3_1. Sensitive authentication data (SAD) is not stored after authorization
• PCI-12_9_1. Third-party service providers support their customers
• SIGLITE-SL_98. Are mobile applications that access scoped systems and data developed?
• SIGLITE-SL_154. Do agreements with third parties who have access or potential access to scoped data, address confidentiality, audit, security, and privacy, including but not limited to incident response, monitoring, data sharing and secure disposal of scoped data?
• SIG-D_4_4. Asset and information management
• SIG-P_2_1. Privacy
• SIG-P_3_3. Privacy
• SIG-P_4_1. Privacy
• SIG-P_7_1. Privacy
• SIG-P_8_5. Privacy
• OWASPMASVS-PRIVACY-3. The app is transparent about data collection and usage
• OWASPMASVS-PRIVACY-4. The app offers user control over their data

Weaknesses

• 088 – Privacy violation

Last updated

2024/01/18