Provide processed data information

Summary

The system must provide information about the personal data that it processes. Additionally, this information should be presented to the user before requesting their consent for its collection or processing.

Description

Systems usually request information from their users, obtain it from third parties or collect it based on their interactions with the application. They should have a mechanism that allows users to find out about the following aspects of the personal information that they process:

• The purpose of the processing of the data. - The categories of processed data. - The actors who will have access to the information. - If possible, the time for which the data will be managed/processed. - The possibility to request erasure or rectification. - If the data was obtained from a third party, information about the third party. Furthermore, the data should be presented in a clear manner, in a structured format and using easily understandable language.

Supported In

This requirement is verified in following services

Plan	Supported
Machine	🔴
Squad	🟢

References

• ePrivacy Directive-6_4. Traffic data
• ePrivacy Directive-9_1. Location data other than traffic data
• GDPR-11_2. Processing which does not require identification
• GDPR-15_1ag. Right of access by the data subject
• GDPR-20_1. Right to data portability
• GDPR-89_2. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
• GDPR-89_3. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
• SOC2®-P4_1. Additional criteria for privacy (related to use, retention, and disposal)
• CCPA-1798_100. General duties of businesses that collect personal information
• CCPA-1798_106. Consumer's right to correct inaccurate personal information
• CCPA-1798_110. Consumer's right to know what personal information is being collected. Right to access personal information
• CPRA-1798_101. Consumer's right to know what personal information is sold or shared and to whom
• CPRA-1798_104. Compliance with right to know and disclosure requirements
• GLBA-502_A. Obligations with respect to disclosures of personal information – Notice requirements
• NYDFS-500_10. Cybersecurity personnel and intelligence
• PDPA-4_20. Notification of purpose
• POPIA-3A_15. Further processing to be compatible with purpose of collection
• POPIA-3A_18. Notification to data subject when collecting personal information
• PDPO-S1_2. Accuracy and duration of retention of personal data
• PDPO-S1_3. Use of personal data
• PDPO-S1_5. Information to be generally available
• CMMC-MP_L1-3_8_3. Media disposal
• HITRUST CSF-01_e. Review of user access rights
• HITRUST CSF-05_d. Authorization process for information assets and facilities
• HITRUST CSF-09_e. Service delivery
• HITRUST CSF-09_q. Information handling procedures
• HITRUST CSF-13_a. Privacy notice
• HITRUST CSF-13_b. Openness and transparency
• HITRUST CSF-13_c. Accounting of disclosures
• HITRUST CSF-13_h. Purpose specification
• HITRUST CSF-13_m. Accuracy and quality
• LGPD-7_VI. Requirements for the Processing of Personal Data
• LGPD-7_X-3. Requirements for the Processing of Personal Data
• LGPD-7_X-5. Requirements for the Processing of Personal Data
• LGPD-7_X-7. Requirements for the Processing of Personal Data
• LGPD-8-4. Requirements for the Processing of Personal Data
• LGPD-9. Requirements for the Processing of Personal Data
• LGPD-14-2. Processing of Children and Adolescents Personal Data
• LGPD-23_I. Rules
• OWASP Top 10 Privacy Risks-P5. Non-transparent policies, terms and conditions
• OWASP Top 10 Privacy Risks-P6. Insufficient deletion of personal data
• OWASP Top 10 Privacy Risks-P10. Collection of data not required for the user-consented purpose
• OWASP MASVS-V2_4. Security verification requirements
• OWASP ASVS-8_3_4. Sensitive private data
• PCI DSS-3_3_1. Sensitive authentication data (SAD) is not stored after authorization
• PCI DSS-12_9_1. Third-party service providers support their customers
• SIG Lite-SL_98. Are mobile applications that access scoped systems and data developed?
• SIG Lite-SL_154. Do agreements with third parties who have access or potential access to scoped data, address confidentiality, audit, security, and privacy, including but not limited to incident response, monitoring, data sharing and secure disposal of scoped data?
• SIG Core-D_4_4. Asset and information management
• SIG Core-P_2_1. Privacy
• SIG Core-P_3_3. Privacy
• SIG Core-P_4_1. Privacy
• SIG Core-P_7_1. Privacy
• SIG Core-P_8_5. Privacy

Vulnerabilities

• 088. Privacy violation

free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.