Notify third parties of changes
Summary
The system must notify third parties when it rectifies or erases shared personal information.
Description
Systems usually request information from their users, obtain it from third parties or collect it based on their interactions with the application. They sometimes share personal information with third parties after having requested consent from its owner. Whenever this information is rectified or erased upon request from its owner, the system must notify said third parties so that they do the same. This is also the case when the user requests that the system stop processing their data.
Supported In
This requirement is verified in the following services:
| Plan | Supported |
|---|---|
| Essential | 🔴 |
| Advanced | 🟢 |
References
- GDPR-19. Notification obligation regarding rectification or erasure of personal data or restriction of processing
- GDPR-89_3. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
- SOC2®-CC2_3. Communication and information
- SOC2®-P4_3. Additional criteria for privacy (related to use, retention, and disposal)
- SOC2®-P6_5. Additional criteria for privacy (related to disclosure and notification)
- CCPA-1798_106. Consumer's right to correct inaccurate personal information
- NY SHIELD Act-5575_B_4. Personal and private information
- NYDFS-500_10. Cybersecurity personnel and intelligence
- PDPA-6A_26E. Obligations of data intermediary of public agency
- PDPO-5_23. Compliance with data correction request
- PDPO-S1_2. Accuracy and duration of retention of personal data
- CMMC-AC_L2-3_1_9. Privacy & security notices
- CMMC-MP_L1-3_8_3. Media disposal
- HITRUST CSF-05_k. Addressing security in third party agreements
- HITRUST CSF-09_g. Managing changes to third party services
- HITRUST CSF-13_m. Accuracy and quality
- FedRAMP-PS-7. Third-party personnel security
- FedRAMP-SI-5. Security alerts, advisories, and directives
- LGPD-8-6. Requirements for the Processing of Personal Data
- LGPD-9_VII-2. Requirements for the Processing of Personal Data
- OWASP Top 10 Privacy Risks-P7. Insufficient data quality
- SIG Core-A_4_1_8. Risk assessment and treatment
Vulnerabilities