318 – Notify third parties of changes

Summary

The system must notify third parties when it rectifies or erases shared personal information.

Description

Systems usually request information from their users, obtain it from third parties or collect it based on their interactions with the application. They sometimes share personal information with third parties after having requested consent from its owner. Whenever this information is rectified or erased upon request from its owner, the system must notify said third parties so that they do the same. This is also the case when the user requests that the system stop processing their data.

Supported In

Advanced: True

References

• GDPR-19. Notification obligation regarding rectification or erasure of personal data or restriction of processing
• GDPR-89_3. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
• SOC2-CC2_3. Communication and information
• SOC2-P4_3. Additional criteria for privacy (related to use, retention, and disposal)
• SOC2-P6_5. Additional criteria for privacy (related to disclosure and notification)
• CCPA-1798_106. Consumer's right to correct inaccurate personal information
• NYSHIELD-5575_B_4. Personal and private information
• NYDFS-500_10. Cybersecurity personnel and intelligence
• PDPA-6A_26E. Obligations of data intermediary of public agency
• PDPO-5_23. Compliance with data correction request
• PDPO-S1_2. Accuracy and duration of retention of personal data
• CMMC-AC_L2-3_1_9. Privacy & security notices
• CMMC-MP_L1-3_8_3. Media disposal
• HITRUST-05_k. Addressing security in third party agreements
• HITRUST-09_g. Managing changes to third party services
• HITRUST-13_m. Accuracy and quality
• FEDRAMP-PS-7. Third-party personnel security
• FEDRAMP-SI-5. Security alerts, advisories, and directives
• LGPD-8-6. Requirements for the Processing of Personal Data
• LGPD-9_VII-2. Requirements for the Processing of Personal Data
• OWASPRISKS-P7. Insufficient data quality
• SIG-A_4_1_8. Risk assessment and treatment

Weaknesses

• 399 – Security controls absence - Monitoring
• 088 – Privacy violation

Last updated

2023/09/18