Provide processing confirmation
Summary
The system must confirm to its users, on request, whether or not it is storing or processing their personal data.
Description
Systems usually request information from their users, obtain it from third parties, or collect it from the users' interactions with the application. They should provide a mechanism through which users can request confirmation of whether or not the system holds or processes their personal data, including data that was not obtained from the users themselves but from a third party. The confirmation must cover every store in which the subject's data may sit (account records, analytics derived from behavior, purchased or enriched data), and it must be available only to the verified data subject, since an unauthenticated confirmation endpoint would tell anyone which people have accounts.
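The following is an added example of such a mechanism in Python; it is not code from the original page or from Fluid Attacks. It assumes three hypothetical data stores keyed differently (a plain email, a hashed email for analytics, and a third-party enrichment feed), a hypothetical Session object representing the authenticated requester, and constructed sample records. The registry answers the confirmation across every registered store, and refuses to answer about anyone other than the verified subject so that the endpoint cannot be used as an account-enumeration oracle.

```python
"""Processing confirmation for data-subject requests (added example, not the page's code).

Store names, identifiers and records below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


def normalize_email(email: str) -> str:
    """Canonical form so 'Alice@Example.com' and 'alice@example.com' match."""
    return email.strip().lower()


def hashed_email(email: str) -> str:
    """Analytics stores often key on a hash rather than the raw email."""
    return hashlib.sha256(normalize_email(email).encode()).hexdigest()


# Constructed sample stores. Each one keys subjects differently, which is
# exactly why a single confirmation endpoint needs an inventory of all of them.
ACCOUNTS = {"alice@example.com": {"name": "Alice"}}              # given by the user
ANALYTICS = {hashed_email("bob@example.com"): {"sessions": 12}}  # derived from interactions
ENRICHMENT = {"alice@example.com": {"source": "data-broker-x"}}  # bought from a third party


@dataclass
class Session:
    """Authenticated identity of the requester (hypothetical session object)."""
    email: str
    verified: bool  # True only after the identity-verification step succeeded


@dataclass
class Confirmation:
    subject: str
    processing: bool
    sources: List[str] = field(default_factory=list)


class ProcessingRegistry:
    """Inventory of every store that may hold personal data, with its key function."""

    def __init__(self) -> None:
        self._stores: List[Tuple[str, Dict, Callable[[str], str]]] = []

    def register(self, name: str, store: Dict, key_fn: Callable[[str], str]) -> None:
        self._stores.append((name, store, key_fn))

    def confirm(self, session: Session, subject_email: str) -> Confirmation:
        # Only the verified subject may ask about itself. Without this check the
        # endpoint leaks, to anyone, which email addresses the system knows about.
        if not session.verified or normalize_email(session.email) != normalize_email(subject_email):
            raise PermissionError("requester is not the verified data subject")
        # Ask every registered store, including the ones the user never fed directly.
        sources = [name for name, store, key_fn in self._stores if key_fn(subject_email) in store]
        return Confirmation(normalize_email(subject_email), bool(sources), sources)


def build_registry() -> ProcessingRegistry:
    """Wire the three constructed stores into one registry."""
    reg = ProcessingRegistry()
    reg.register("accounts", ACCOUNTS, normalize_email)
    reg.register("analytics", ANALYTICS, hashed_email)
    reg.register("third-party-enrichment", ENRICHMENT, normalize_email)
    return reg


def is_denied(reg: ProcessingRegistry, session: Session, subject_email: str) -> bool:
    """True when the registry refuses to answer for this requester/subject pair."""
    try:
        reg.confirm(session, subject_email)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    registry = build_registry()
    print(registry.confirm(Session("Alice@Example.com", True), "alice@example.com"))
    print(registry.confirm(Session("carol@example.com", True), "carol@example.com"))
```

The registry is the control: a store that exists but was never registered silently produces an incomplete answer, so the registration list should be driven from the organization's record of processing activities rather than maintained by hand in code.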
Supported In
This requirement is verified in the following services:

| Plan | Supported |
|---|---|
| Machine | 🔴 |
| Squad | 🟢 |
References
- GDPR-11_2. Processing which does not require identification
- GDPR-15_1. Right of access by the data subject
- GDPR-89_2. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
- GDPR-89_3. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
- SOC2®-P4_1. Additional criteria for privacy (related to use, retention, and disposal)
- CCPA-1798_110. Consumer's right to know what personal information is being collected. Right to access personal information
- CCPA-1798_115. Consumer's right to know what personal information is sold or shared and to whom
- CPRA-1798_104. Compliance with right to know and disclosure requirements
- GLBA-502_A. Obligations with respect to disclosures of personal information – Notice requirements
- NYDFS-500_10. Cybersecurity personnel and intelligence
- HITRUST CSF-05_d. Authorization process for information assets and facilities
- HITRUST CSF-09_e. Service delivery
- HITRUST CSF-09_q. Information handling procedures
- HITRUST CSF-13_a. Privacy notice
- HITRUST CSF-13_b. Openness and transparency
- HITRUST CSF-13_c. Accounting of disclosures
- FedRAMP-CA-2_3. Security assessment - External organizations
- LGPD-7_III. Requirements for the Processing of Personal Data
- LGPD-14-2. Processing of Children and Adolescents Personal Data
- LGPD-18_I. Data Subjects Rights
- LGPD-19. Data Subjects Rights
- PCI DSS-3_3_1. Sensitive authentication data (SAD) is not stored after authorization
- SIG Core-D_4_4. Asset and information management
- SIG Core-P_2. Privacy
- SIG Core-P_2_4. Privacy
Vulnerabilities
Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.