Provide processing confirmation
Summary
The system must provide confirmation to its users of whether or not it is storing and/or processing their personal data.
Description
Systems usually request information from their users, obtain it from third parties or collect it based on their interactions with the application. They should have a mechanism that allows users to request confirmation of whether or not the system is managing their personal information, even if it was not obtained from the users but from a third party.
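The paragraph above describes the mechanism without showing one. The block below is an added illustration, not Fluid Attacks' code, of a minimal processing-confirmation service: given an authenticated subject, it checks every store in which the system could hold that person's data (data the user supplied, data obtained from third parties, data collected from interactions), answers whether any processing is taking place, and records the request itself so access requests are accountable. The store names, subject identifiers and records are constructed sample data; the requirement that the caller already authenticated the requester is an assumption.

```python
"""Added example (not from the original page): a 'processing confirmation'
lookup that covers data from the user, from third parties and from
interaction logs, as the requirement asks."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample stores: subject id -> categories of personal data held.
# Source labels are assumptions for this example.
USER_PROVIDED = {"u-1001": ["name", "email"], "u-1002": ["name"]}
THIRD_PARTY = {"u-1002": ["credit_score"], "u-2000": ["postal_address"]}
INTERACTIONS = {"u-1001": ["page_views", "ip_address"]}

SOURCES = {
    "user_provided": USER_PROVIDED,
    "third_party": THIRD_PARTY,
    "interactions": INTERACTIONS,
}

# Constructed in-memory audit trail of confirmation requests.
AUDIT_LOG: list = []


@dataclass
class Confirmation:
    subject_id: str
    is_processing: bool          # True if any store holds data on the subject
    categories_by_source: dict   # source -> sorted list of data categories
    requested_at: str            # ISO-8601 UTC timestamp of the request


def confirm_processing(requester_id: str, subject_id: str) -> Confirmation:
    """Return whether the system processes personal data about subject_id.

    The caller is assumed to have authenticated requester_id already; the
    check here only prevents one subject from querying another's status,
    since confirming processing to the wrong person is itself a disclosure.
    """
    if requester_id != subject_id:
        raise PermissionError("subjects may only query their own status")

    # Aggregate across every source, including data the user never supplied.
    found = {}
    for source, store in SOURCES.items():
        categories = store.get(subject_id)
        if categories:
            found[source] = sorted(categories)

    confirmation = Confirmation(
        subject_id=subject_id,
        is_processing=bool(found),
        categories_by_source=found,
        requested_at=datetime.now(timezone.utc).isoformat(),
    )
    # Record the request, not the data, so the access request is traceable.
    AUDIT_LOG.append({
        "event": "processing_confirmation",
        "subject_id": subject_id,
        "is_processing": confirmation.is_processing,
        "at": confirmation.requested_at,
    })
    return confirmation


if __name__ == "__main__":
    for sid in ("u-1001", "u-2000", "u-9999"):
        c = confirm_processing(sid, sid)
        print(sid, "processing:", c.is_processing, c.categories_by_source)
```

The response names data categories and their sources, not the values themselves: that is enough to answer "are you processing my data, and from where did it come", while the full copy of the data belongs to a separate access flow. A subject such as `u-2000`, known only through a third-party store, still receives a positive confirmation, which is the case the description singles out.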
Supported In
This requirement is verified in the following services
| Plan | Supported |
|---|---|
| Essential | 🔴 |
| Advanced | 🟢 |
References
- GDPR-11_2. Processing which does not require identification
- GDPR-15_1. Right of access by the data subject
- GDPR-89_2. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
- GDPR-89_3. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
- SOC2®-P4_1. Additional criteria for privacy (related to use, retention, and disposal)
- CCPA-1798_110. Consumer's right to know what personal information is being collected. Right to access personal information
- CCPA-1798_115. Consumer's right to know what personal information is sold or shared and to whom
- CPRA-1798_104. Compliance with right to know and disclosure requirements
- GLBA-502_A. Obligations with respect to disclosures of personal information – Notice requirements
- NYDFS-500_10. Cybersecurity personnel and intelligence
- HITRUST CSF-05_d. Authorization process for information assets and facilities
- HITRUST CSF-09_e. Service delivery
- HITRUST CSF-09_q. Information handling procedures
- HITRUST CSF-13_a. Privacy notice
- HITRUST CSF-13_b. Openness and transparency
- HITRUST CSF-13_c. Accounting of disclosures
- FedRAMP-CA-2_3. Security assessment - External organizations
- LGPD-7_III. Requirements for the Processing of Personal Data
- LGPD-14-2. Processing of Children and Adolescents Personal Data
- LGPD-18_I. Data Subjects Rights
- LGPD-19. Data Subjects Rights
- PCI DSS-3_3_1. Sensitive authentication data (SAD) is not stored after authorization
- SIG Core-D_4_4. Asset and information management
- SIG Core-P_2. Privacy
- SIG Core-P_2_4. Privacy
Vulnerabilities
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.