0002799
EU-U.S. Privacy Shield Framework Principles
US Department of Commerce
Regulation or Statute
Free
EU-US Privacy Shield Framework Principles Annex II
EU-U.S. Privacy Shield Framework Principles
2016-07-07
The document as a whole was last reviewed and released on 2016-12-09T00:00:00-0800.
0002799
Free
US Department of Commerce
Regulation or Statute
EU-US Privacy Shield Framework Principles Annex II
EU-U.S. Privacy Shield Framework Principles
2016-07-07
The document as a whole was last reviewed and released on 2016-12-09T00:00:00-0800.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within EU-U.S. Privacy Shield Framework Principles that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for EU-U.S. Privacy Shield Framework Principles are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
Common Controls andAn Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
Acquisition or sale of facilities, technology, and services | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Acquisition or sale of facilities, technology, and services CC ID 01123 | IT Impact Zone | IT Impact Zone | |
| Acquire or sell an organization. CC ID 12421 | Acquisition/Sale of Assets or Services | Preventive | |
| Conduct a due diligence assessment as part of an organization's acquisition. CC ID 12424 [{due diligence review} {statutory requirements} The activities of auditors and investment bankers may involve processing personal data without the consent or knowledge of the individual. This is permitted by the Notice, Choice, and Access Principles under the circumstances described below. Public stock corporations and closely held companies, including Privacy Shield organizations, are regularly subject to audits. Such audits, particularly those looking into potential wrongdoing, may be jeopardized if disclosed prematurely. Similarly, a Privacy Shield organization involved in a potential merger or takeover will need to perform, or be the subject of, a "due diligence" review. This will often entail the collection and processing of personal data, such as information on senior executives and other key personnel. Premature disclosure could impede the transaction or even violate applicable securities regulation. Investment bankers and attorneys engaged in due diligence, or auditors conducting an audit, may process information without knowledge of the individual only to the extent and for the period necessary to meet statutory or public interest requirements and in other circumstances in which the application of these Principles would prejudice the legitimate interests of the organization. These legitimate interests include the monitoring of organizations' compliance with their legal obligations and legitimate accounting activities, and the need for confidentiality connected with possible acquisitions, mergers, joint ventures, or other similar transactions carried out by investment bankers or auditors. § III.4.b.] | Business Processes | Preventive | |
Audits and risk management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a Statement of Compliance. CC ID 12499 | Establish/Maintain Documentation | Preventive | |
| Include a commitment to comply with recommendations from applicable statutory bodies in the Statement of Compliance. CC ID 12371 [{Department of Commerce} Where the organization wishes its Privacy Shield benefits to cover human resources information transferred from the EU for use in the context of the employment relationship, it may do so where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear claims against the organization arising out of the processing of human resources information. In addition, the organization must indicate this in its self-certification submission and declare its commitment to cooperate with the EU authority or authorities concerned in conformity with the Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities as applicable and that it will comply with the advice given by such authorities. The organization must also provide the Department with a copy of its human resources privacy policy and provide information where the privacy policy is available for viewing by its affected employees. § III.6.c.] | Establish/Maintain Documentation | Preventive | |
| Publish a Statement of Compliance for the organization's external requirements. CC ID 12350 [{self-certification submission} The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self- certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. Where the organization has chosen outside compliance review, such a review must demonstrate that its privacy policy regarding personal information received from the EU conforms to the Privacy Shield Principles, that it is being complied with, and that individuals are informed of the mechanisms through which they may pursue complaints. The methods of review may include, without limitation, auditing, random reviews, use of "decoys", or use of technology tools as appropriate. A statement verifying that an outside compliance review has been successfully completed must be signed either by the reviewer or by the corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about compliance. § III.7.d. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c. The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self-certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self-certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. Independent recourse mechanisms must publish an annual report providing aggregate statistics regarding their dispute resolution services. The annual report must include: (1) the total number of Privacy Shield-related complaints received during the reporting year; (2) the types of complaints received; (3) dispute resolution quality measures, such as the length of time taken to process complaints; and (4) the outcomes of the complaints received, notably the number and types of remedies or sanctions imposed. § III.11.d.iii. {Department of Commerce} Persistent failure to comply arises where an organization that has self-certified to the Department refuses to comply with a final determination by any privacy self-regulatory, independent dispute resolution, or government body, or where such a body determines that an organization frequently fails to comply with the Principles to the point where its claim to comply is no longer credible. In these cases, the organization must promptly notify the Department of such facts. Failure to do so may be actionable under the False Statements Act (18 U.S.C. § 1001). An organization's withdrawal from a private-sector privacy self-regulatory program or independent dispute resolution mechanism does not relieve it of its obligation to comply with the Principles and would constitute a persistent failure to comply. § III.11.g.ii. {Department of Commerce} The result of any remedies provided by the dispute resolution body should be that the effects of non-compliance are reversed or corrected by the organization, insofar as feasible, and that future processing by the organization will be in conformity with the Principles and, where appropriate, that processing of the personal data of the individual who brought the complaint will cease. Sanctions need to be rigorous enough to ensure compliance by the organization with the Principles. A range of sanctions of varying degrees of severity will allow dispute resolution bodies to respond appropriately to varying degrees of non-compliance. Sanctions should include both publicity for findings of non-compliance and the requirement to delete data in certain circumstances. Other sanctions could include suspension and removal of a seal, compensation for individuals for losses incurred as a result of non-compliance and injunctive awards. Private sector dispute resolution bodies and self-regulatory bodies must notify failures of Privacy Shield organizations to comply with their rulings to the governmental body with applicable jurisdiction or to the courts, as appropriate, and to notify the Department. § III.11.e.i. {Department of Commerce} The result of any remedies provided by the dispute resolution body should be that the effects of non-compliance are reversed or corrected by the organization, insofar as feasible, and that future processing by the organization will be in conformity with the Principles and, where appropriate, that processing of the personal data of the individual who brought the complaint will cease. Sanctions need to be rigorous enough to ensure compliance by the organization with the Principles. A range of sanctions of varying degrees of severity will allow dispute resolution bodies to respond appropriately to varying degrees of non-compliance. Sanctions should include both publicity for findings of non-compliance and the requirement to delete data in certain circumstances. Other sanctions could include suspension and removal of a seal, compensation for individuals for losses incurred as a result of non-compliance and injunctive awards. Private sector dispute resolution bodies and self-regulatory bodies must notify failures of Privacy Shield organizations to comply with their rulings to the governmental body with applicable jurisdiction or to the courts, as appropriate, and to notify the Department. § III.11.e.i. {law enforcement reasons} In order to provide transparency in respect of lawful requests by public authorities to access personal information, Privacy Shield organizations may voluntarily issue periodic transparency reports on the number of requests for personal information they receive by public authorities for law enforcement or national security reasons, to the extent such disclosures are permissible under applicable law. § III.16.a.] | Communicate | Preventive | |
| Include a commitment to cooperate with applicable statutory bodies in the Statement of Compliance. CC ID 12370 [{Department of Commerce} Where the organization wishes its Privacy Shield benefits to cover human resources information transferred from the EU for use in the context of the employment relationship, it may do so where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear claims against the organization arising out of the processing of human resources information. In addition, the organization must indicate this in its self-certification submission and declare its commitment to cooperate with the EU authority or authorities concerned in conformity with the Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities as applicable and that it will comply with the advice given by such authorities. The organization must also provide the Department with a copy of its human resources privacy policy and provide information where the privacy policy is available for viewing by its affected employees. § III.6.c.] | Establish/Maintain Documentation | Preventive | |
| Include the statutory bodies having jurisdiction over privacy rights violations in the Statement of Compliance. CC ID 12369 [{Department of Commerce} Where the organization wishes its Privacy Shield benefits to cover human resources information transferred from the EU for use in the context of the employment relationship, it may do so where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear claims against the organization arising out of the processing of human resources information. In addition, the organization must indicate this in its self-certification submission and declare its commitment to cooperate with the EU authority or authorities concerned in conformity with the Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities as applicable and that it will comply with the advice given by such authorities. The organization must also provide the Department with a copy of its human resources privacy policy and provide information where the privacy policy is available for viewing by its affected employees. § III.6.c.] | Establish/Maintain Documentation | Preventive | |
| Include a description of the organization's privacy policy in the Statement of Compliance. CC ID 12362 [To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information: description of the organization's privacy policy for such personal information, including: § III.6.b.iii. The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self-certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d.] | Establish/Maintain Documentation | Preventive | |
| Include the privacy programs the organization is a member of in the Statement of Compliance. CC ID 16818 | Actionable Reports or Measurements | Preventive | |
| Include the outcomes of privacy rights violation complaints received in the Statement of Compliance. CC ID 12534 [Independent recourse mechanisms must publish an annual report providing aggregate statistics regarding their dispute resolution services. The annual report must include: (1) the total number of Privacy Shield-related complaints received during the reporting year; (2) the types of complaints received; (3) dispute resolution quality measures, such as the length of time taken to process complaints; and (4) the outcomes of the complaints received, notably the number and types of remedies or sanctions imposed. § III.11.d.iii.] | Establish/Maintain Documentation | Preventive | |
| Include dispute resolution quality measures in the Statement of Compliance. CC ID 12533 [Independent recourse mechanisms must publish an annual report providing aggregate statistics regarding their dispute resolution services. The annual report must include: (1) the total number of Privacy Shield-related complaints received during the reporting year; (2) the types of complaints received; (3) dispute resolution quality measures, such as the length of time taken to process complaints; and (4) the outcomes of the complaints received, notably the number and types of remedies or sanctions imposed. § III.11.d.iii.] | Establish/Maintain Documentation | Preventive | |
| Include the type of privacy rights violation complaints received in the Statement of Compliance. CC ID 12532 [Independent recourse mechanisms must publish an annual report providing aggregate statistics regarding their dispute resolution services. The annual report must include: (1) the total number of Privacy Shield-related complaints received during the reporting year; (2) the types of complaints received; (3) dispute resolution quality measures, such as the length of time taken to process complaints; and (4) the outcomes of the complaints received, notably the number and types of remedies or sanctions imposed. § III.11.d.iii.] | Establish/Maintain Documentation | Preventive | |
| Include the number of privacy rights violation complaints received in the Statement of Compliance. CC ID 12530 [Independent recourse mechanisms must publish an annual report providing aggregate statistics regarding their dispute resolution services. The annual report must include: (1) the total number of Privacy Shield-related complaints received during the reporting year; (2) the types of complaints received; (3) dispute resolution quality measures, such as the length of time taken to process complaints; and (4) the outcomes of the complaints received, notably the number and types of remedies or sanctions imposed. § III.11.d.iii.] | Establish/Maintain Documentation | Preventive | |
| Include the organization's fax number in the Statement of Compliance. CC ID 12361 [{telephone number} To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information: name of organization, mailing address, e-mail address, telephone, and fax numbers; § III.6.b.i.] | Establish/Maintain Documentation | Preventive | |
| Include the organization's telephone number in the Statement of Compliance. CC ID 12360 [{telephone number} To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information: name of organization, mailing address, e-mail address, telephone, and fax numbers; § III.6.b.i.] | Establish/Maintain Documentation | Preventive | |
| Include the organization's e-mail address in the Statement of Compliance. CC ID 12359 [{telephone number} To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information: name of organization, mailing address, e-mail address, telephone, and fax numbers; § III.6.b.i.] | Establish/Maintain Documentation | Preventive | |
| Include the organization's name in the Statement of Compliance. CC ID 12351 [{telephone number} To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information: name of organization, mailing address, e-mail address, telephone, and fax numbers; § III.6.b.i.] | Establish/Maintain Documentation | Preventive | |
| Include the organization's mailing address in the Statement of Compliance. CC ID 12358 [{telephone number} To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information: name of organization, mailing address, e-mail address, telephone, and fax numbers; § III.6.b.i.] | Establish/Maintain Documentation | Preventive | |
| Describe how the organization processes personal data in the Statement of Compliance. CC ID 12377 [To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information: description of the activities of the organization with respect to personal information received from the EU; and § III.6.b.ii.] | Establish/Maintain Documentation | Preventive | |
| Approve and sign the Statement of Compliance. CC ID 12392 [Where the organization has chosen outside compliance review, such a review must demonstrate that its privacy policy regarding personal information received from the EU conforms to the Privacy Shield Principles, that it is being complied with, and that individuals are informed of the mechanisms through which they may pursue complaints. The methods of review may include, without limitation, auditing, random reviews, use of "decoys", or use of technology tools as appropriate. A statement verifying that an outside compliance review has been successfully completed must be signed either by the reviewer or by the corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about compliance. § III.7.d.] | Establish/Maintain Documentation | Preventive | |
Human Resources management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Establish Roles | Preventive | |
| Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [{is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c.] | Establish Roles | Preventive | |
| Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources Management | Preventive | |
| Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Establish/Maintain Documentation | Preventive | |
| Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources Management | Preventive | |
| Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Establish/Maintain Documentation | Preventive | |
| Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Establish/Maintain Documentation | Preventive | |
| Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources Management | Preventive | |
| Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources Management | Preventive | |
| Assign senior management to the role of authorizing official. CC ID 14238 | Establish Roles | Preventive | |
| Assign members who are independent from management to the Board of Directors. CC ID 12395 | Human Resources Management | Preventive | |
| Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 | Human Resources Management | Preventive | |
| Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources Management | Preventive | |
| Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources Management | Corrective | |
| Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 | Establish/Maintain Documentation | Preventive | |
| Refrain from using employees' privacy choices to restrict employment. CC ID 12425 [{Notice Principle}{Choice Principle} A U.S. organization that has received employee information from the EU under the Privacy Shield may disclose it to third parties or use it for different purposes only in accordance with the Notice and Choice Principles. For example, where an organization intends to use personal information collected through the employment relationship for non-employment-related purposes, such as marketing communications, the U.S. organization must provide the affected individuals with the requisite choice before doing so, unless they have already authorized the use of the information for such purposes. Moreover, such choices must not be used to restrict employment opportunities or take any punitive action against such employees. § III.9.b.i. {Notice Principle}{Choice Principle} A U.S. organization that has received employee information from the EU under the Privacy Shield may disclose it to third parties or use it for different purposes only in accordance with the Notice and Choice Principles. For example, where an organization intends to use personal information collected through the employment relationship for non-employment-related purposes, such as marketing communications, the U.S. organization must provide the affected individuals with the requisite choice before doing so, unless they have already authorized the use of the information for such purposes. Moreover, such choices must not be used to restrict employment opportunities or take any punitive action against such employees. § III.9.b.i.] | Human Resources Management | Preventive | |
| Establish, implement, and maintain a Code of Conduct. CC ID 04897 | Establish/Maintain Documentation | Preventive | |
| Take disciplinary actions against individuals who violate the Code of Conduct. CC ID 06435 [{Department of Commerce} The result of any remedies provided by the dispute resolution body should be that the effects of non-compliance are reversed or corrected by the organization, insofar as feasible, and that future processing by the organization will be in conformity with the Principles and, where appropriate, that processing of the personal data of the individual who brought the complaint will cease. Sanctions need to be rigorous enough to ensure compliance by the organization with the Principles. A range of sanctions of varying degrees of severity will allow dispute resolution bodies to respond appropriately to varying degrees of non-compliance. Sanctions should include both publicity for findings of non-compliance and the requirement to delete data in certain circumstances. Other sanctions could include suspension and removal of a seal, compensation for individuals for losses incurred as a result of non-compliance and injunctive awards. Private sector dispute resolution bodies and self-regulatory bodies must notify failures of Privacy Shield organizations to comply with their rulings to the governmental body with applicable jurisdiction or to the courts, as appropriate, and to notify the Department. § III.11.e.i.] | Behavior | Preventive | |
Leadership and high level objectives | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Establish/Maintain Documentation | Preventive | |
| Include the effective date on all organizational policies. CC ID 06820 [description of the organization's privacy policy for such personal information, including: its effective date of implementation; § III.6.b.iii.2.] | Establish/Maintain Documentation | Preventive | |
Monitoring and measurement | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a risk monitoring program. CC ID 00658 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a compliance testing strategy. CC ID 00659 [To meet the verification requirements of the Recourse, Enforcement and Liability Principle, an organization must verify such attestations and assertions either through self-assessment or outside compliance reviews. § III.7.b. To meet the verification requirements of the Recourse, Enforcement and Liability Principle, an organization must verify such attestations and assertions either through self-assessment or outside compliance reviews. § III.7.b. Where the organization has chosen outside compliance review, such a review must demonstrate that its privacy policy regarding personal information received from the EU conforms to the Privacy Shield Principles, that it is being complied with, and that individuals are informed of the mechanisms through which they may pursue complaints. The methods of review may include, without limitation, auditing, random reviews, use of "decoys", or use of technology tools as appropriate. A statement verifying that an outside compliance review has been successfully completed must be signed either by the reviewer or by the corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about compliance. § III.7.d. Where the organization has chosen outside compliance review, such a review must demonstrate that its privacy policy regarding personal information received from the EU conforms to the Privacy Shield Principles, that it is being complied with, and that individuals are informed of the mechanisms through which they may pursue complaints. The methods of review may include, without limitation, auditing, random reviews, use of "decoys", or use of technology tools as appropriate. A statement verifying that an outside compliance review has been successfully completed must be signed either by the reviewer or by the corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about compliance. § III.7.d. At a minimum such mechanisms must include: follow-up procedures for verifying that the attestations and assertions organizations make about their privacy practices are true and that privacy practices have been implemented as presented and, in particular, with regard to cases of non-compliance; and § II.7.a.ii. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c.] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 | Testing | Preventive | |
| Test compliance controls for proper functionality. CC ID 00660 [Organizations must provide follow up procedures for verifying that the attestations and assertions they make about their Privacy Shield privacy practices are true and those privacy practices have been implemented as represented and in accordance with the Privacy Shield Principles. § III.7.a. Organizations must provide follow up procedures for verifying that the attestations and assertions they make about their Privacy Shield privacy practices are true and those privacy practices have been implemented as represented and in accordance with the Privacy Shield Principles. § III.7.a. At a minimum such mechanisms must include: follow-up procedures for verifying that the attestations and assertions organizations make about their privacy practices are true and that privacy practices have been implemented as presented and, in particular, with regard to cases of non-compliance; and § II.7.a.ii.] | Testing | Detective | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [{is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c.] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain risk management metrics. CC ID 01656 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Actionable Reports or Measurements | Detective | |
| Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 | Business Processes | Preventive | |
| Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Audits and Risk Management | Preventive | |
| Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 | Monitor and Evaluate Occurrences | Detective | |
| Identify and document instances of non-compliance with the compliance framework. CC ID 06499 | Establish/Maintain Documentation | Preventive | |
| Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Business Processes | Detective | |
| Determine the causes of compliance violations. CC ID 12401 | Investigate | Corrective | |
| Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Establish/Maintain Documentation | Preventive | |
| Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Investigate | Detective | |
| Correct compliance violations. CC ID 13515 | Process or Activity | Corrective | |
| Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Investigate | Detective | |
| Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 [{is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c.] | Behavior | Corrective | |
| Align disciplinary actions with the level of compliance violation. CC ID 12404 [Dispute resolution bodies have discretion about the circumstances in which they use these sanctions. The sensitivity of the data concerned is one factor to be taken into consideration in deciding whether deletion of data should be required, as is whether an organization has collected, used, or disclosed information in blatant contravention of the Privacy Shield Principles. § III.11.e.i. Footnote 3 Dispute resolution bodies have discretion about the circumstances in which they use these sanctions. The sensitivity of the data concerned is one factor to be taken into consideration in deciding whether deletion of data should be required, as is whether an organization has collected, used, or disclosed information in blatant contravention of the Privacy Shield Principles. § III.11.e.i. Footnote 3] | Human Resources Management | Preventive | |
| Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Establish/Maintain Documentation | Preventive | |
| Include a copy of the order in the disciplinary action notice. CC ID 16606 | Establish/Maintain Documentation | Preventive | |
| Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Establish/Maintain Documentation | Preventive | |
| Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Establish/Maintain Documentation | Preventive | |
| Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Establish/Maintain Documentation | Preventive | |
| Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Establish/Maintain Documentation | Preventive | |
| Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Communicate | Preventive | |
| Include required information in the disciplinary action notice. CC ID 16584 | Establish/Maintain Documentation | Preventive | |
| Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Establish/Maintain Documentation | Preventive | |
| Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Establish/Maintain Documentation | Preventive | |
| Include the investigation results in the disciplinary action notice. CC ID 16581 | Establish/Maintain Documentation | Preventive | |
| Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Establish/Maintain Documentation | Preventive | |
| Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Establish/Maintain Documentation | Preventive | |
| Include contact information in the disciplinary action notice. CC ID 16578 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain a security program metrics program. CC ID 01660 | Establish/Maintain Documentation | Preventive | |
| Report on the policies and controls that have been implemented by management. CC ID 01670 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of security management roles that have been assigned. CC ID 01671 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Actionable Reports or Measurements | Detective | |
| Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Actionable Reports or Measurements | Preventive | |
| Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain an audit metrics program. CC ID 01664 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a metrics standard and template. CC ID 02157 | Establish/Maintain Documentation | Preventive | |
| Convert data into standard units before reporting metrics. CC ID 15507 | Process or Activity | Corrective | |
| Monitor compliance with the Quality Control system. CC ID 01023 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of complaints received about products or delivered services. CC ID 07199 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 | Actionable Reports or Measurements | Preventive | |
| Establish, implement, and maintain occupational health and safety management metrics program. CC ID 15915 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of individuals who have access to security software, are trained, and authorized Security Administrators. CC ID 01691 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of individuals who are able to assign security privileges, are trained, and authorized Security Administrators. CC ID 01692 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems with approved System Security Plans. CC ID 02145 | Actionable Reports or Measurements | Detective | |
| Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 | Business Processes | Preventive | |
| Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Business Processes | Preventive | |
| Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a physical environment metrics program. CC ID 02063 | Business Processes | Preventive | |
| Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of servers located in controlled access areas. CC ID 02067 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a privacy metrics program. CC ID 15494 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 | Actionable Reports or Measurements | Preventive | |
| Establish, implement, and maintain waste management metrics. CC ID 16152 | Actionable Reports or Measurements | Preventive | |
| Establish, implement, and maintain emissions management metrics. CC ID 16145 | Actionable Reports or Measurements | Preventive | |
| Establish, implement, and maintain financial management metrics. CC ID 16749 | Actionable Reports or Measurements | Preventive | |
| Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 | Business Processes | Preventive | |
| Report on the percentage of unique active user identifiers. CC ID 02074 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of active user passwords that are set to expire. CC ID 02087 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a user account management metrics program. CC ID 02075 | Business Processes | Preventive | |
| Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of users with access to shared accounts. CC ID 04573 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 | Business Processes | Preventive | |
| Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems where the authority to make configuration changes are limited. CC ID 02101 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 | Log Management | Preventive | |
| Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Log Management | Detective | |
| Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Log Management | Detective | |
| Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Log Management | Detective | |
| Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 | Business Processes | Preventive | |
| Report on the percentage of laptops and mobile devices that are needing to be in compliance with the approved configuration standard before granting network access. CC ID 02106 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 | Business Processes | Preventive | |
| Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of servers that employ automated system security tools. CC ID 02111 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a software change management metrics program. CC ID 02081 | Business Processes | Preventive | |
| Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems with all approved patches installed. CC ID 02113 | Actionable Reports or Measurements | Detective | |
| Report on the mean time from patch availability to patch installation. CC ID 02114 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 | Business Processes | Preventive | |
| Establish, implement, and maintain a network activity baseline. CC ID 13188 | Technical Security | Detective | |
| Report on the percentage of systems configured according to the configuration standard. CC ID 02116 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 | Business Processes | Preventive | |
| Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 | Business Processes | Preventive | |
| Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of backup media stored off site in secure storage. CC ID 02122 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Business Processes | Preventive | |
| Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Actionable Reports or Measurements | Detective | |
| Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Actionable Reports or Measurements | Detective | |
| Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Actionable Reports or Measurements | Detective | |
| Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Communicate | Preventive | |
| Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 | Actionable Reports or Measurements | Preventive | |
| Establish, implement, and maintain a log management program. CC ID 00673 | Establish/Maintain Documentation | Preventive | |
| Deploy log normalization tools, as necessary. CC ID 12141 | Technical Security | Preventive | |
| Restrict access to logs to authorized individuals. CC ID 01342 | Log Management | Preventive | |
| Restrict access to audit trails to a need to know basis. CC ID 11641 | Technical Security | Preventive | |
| Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Log Management | Preventive | |
| Back up audit trails according to backup procedures. CC ID 11642 | Systems Continuity | Preventive | |
| Back up logs according to backup procedures. CC ID 01344 | Log Management | Preventive | |
| Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Log Management | Preventive | |
| Identify hosts with logs that are not being stored. CC ID 06314 | Log Management | Preventive | |
| Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Log Management | Preventive | |
| Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Log Management | Preventive | |
| Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Log Management | Preventive | |
| Protect logs from unauthorized activity. CC ID 01345 | Log Management | Preventive | |
| Perform testing and validating activities on all logs. CC ID 06322 | Log Management | Preventive | |
| Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Log Management | Preventive | |
| Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Configuration | Preventive | |
| Preserve the identity of individuals in audit trails. CC ID 10594 | Log Management | Preventive | |
| Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Establish/Maintain Documentation | Preventive | |
| Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Audits and Risk Management | Preventive | |
Operational management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Establish/Maintain Documentation | Preventive | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 [{comply}{privacy rights violation complaint}{legal authority} The Recourse, Enforcement and Liability Principle sets out the requirements for Privacy Shield enforcement. How to meet the requirements of point (a)(ii) of the Principle is set out in the Supplemental Principle on Verification. This Supplemental Principle addresses points (a)(i) and (a)(iii), both of which require independent recourse mechanisms. These mechanisms may take different forms, but they must meet the Recourse, Enforcement and Liability Principle's requirements. Organizations satisfy the requirements through the following: (i) compliance with private sector developed privacy programs that incorporate the Privacy Shield Principles into their rules and that include effective enforcement mechanisms of the type described in the Recourse, Enforcement and Liability Principle; (ii) compliance with legal or regulatory supervisory authorities that provide for handling of individual complaints and dispute resolution; or (iii) commitment to cooperate with data protection authorities located in the European Union or their authorized representatives. § III.11.a. {comply}{privacy rights violation complaint}{legal authority} The Recourse, Enforcement and Liability Principle sets out the requirements for Privacy Shield enforcement. How to meet the requirements of point (a)(ii) of the Principle is set out in the Supplemental Principle on Verification. This Supplemental Principle addresses points (a)(i) and (a)(iii), both of which require independent recourse mechanisms. These mechanisms may take different forms, but they must meet the Recourse, Enforcement and Liability Principle's requirements. Organizations satisfy the requirements through the following: (i) compliance with private sector developed privacy programs that incorporate the Privacy Shield Principles into their rules and that include effective enforcement mechanisms of the type described in the Recourse, Enforcement and Liability Principle; (ii) compliance with legal or regulatory supervisory authorities that provide for handling of individual complaints and dispute resolution; or (iii) commitment to cooperate with data protection authorities located in the European Union or their authorized representatives. § III.11.a. Airline passenger reservation and other travel information, such as frequent flyer or hotel reservation information and special handling needs, such as meals to meet religious requirements or physical assistance, may be transferred to organizations located outside the EU in several different circumstances. Under Article 26 of the Directive, personal data may be transferred "to a third country which does not ensure an adequate level of protection within the meaning of Article 25(2)" on the condition that it (i) is necessary to provide the services requested by the consumer or to fulfill the terms of an agreement, such as a "frequent flyer" agreement; or (ii) has been unambiguously consented to by the consumer. U.S. organizations subscribing to the Privacy Shield provide adequate protection for personal data and may therefore receive data transfers from the EU without meeting these conditions or other conditions set out in Article 26 of the Directive. Since the Privacy Shield includes specific rules for sensitive information, such information (which may need to be collected, for example, in connection with customers' needs for physical assistance) may be included in transfers to Privacy Shield participants. In all cases, however, the organization transferring the information has to respect the law in the EU Member State in which it is operating, which may inter alia impose special conditions for the handling of sensitive data. § III.13.a. Organizations are obligated to arbitrate claims and follow the terms as set forth in Annex I, provided that an individual has invoked binding arbitration by delivering notice to the organization at issue and following the procedures and subject to conditions set forth in Annex I. § II.7.c.] | Business Processes | Preventive | |
| Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821 | Process or Activity | Preventive | |
| Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Process or Activity | Preventive | |
| Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Process or Activity | Preventive | |
| Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Process or Activity | Preventive | |
| Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Process or Activity | Preventive | |
| Analyze the organizational culture. CC ID 12899 | Process or Activity | Preventive | |
| Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Process or Activity | Detective | |
| Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Process or Activity | Detective | |
| Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Process or Activity | Detective | |
| Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Behavior | Preventive | |
| Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Business Processes | Preventive | |
| Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Business Processes | Preventive | |
| Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Business Processes | Preventive | |
| Include skill development in the analysis of the organizational culture. CC ID 12913 | Behavior | Preventive | |
| Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Behavior | Preventive | |
| Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Business Processes | Preventive | |
| Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Behavior | Preventive | |
| Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Behavior | Preventive | |
| Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 [{Department of Commerce} The result of any remedies provided by the dispute resolution body should be that the effects of non-compliance are reversed or corrected by the organization, insofar as feasible, and that future processing by the organization will be in conformity with the Principles and, where appropriate, that processing of the personal data of the individual who brought the complaint will cease. Sanctions need to be rigorous enough to ensure compliance by the organization with the Principles. A range of sanctions of varying degrees of severity will allow dispute resolution bodies to respond appropriately to varying degrees of non-compliance. Sanctions should include both publicity for findings of non-compliance and the requirement to delete data in certain circumstances. Other sanctions could include suspension and removal of a seal, compensation for individuals for losses incurred as a result of non-compliance and injunctive awards. Private sector dispute resolution bodies and self-regulatory bodies must notify failures of Privacy Shield organizations to comply with their rulings to the governmental body with applicable jurisdiction or to the courts, as appropriate, and to notify the Department. § III.11.e.i. {Department of Commerce} The result of any remedies provided by the dispute resolution body should be that the effects of non-compliance are reversed or corrected by the organization, insofar as feasible, and that future processing by the organization will be in conformity with the Principles and, where appropriate, that processing of the personal data of the individual who brought the complaint will cease. Sanctions need to be rigorous enough to ensure compliance by the organization with the Principles. A range of sanctions of varying degrees of severity will allow dispute resolution bodies to respond appropriately to varying degrees of non-compliance. Sanctions should include both publicity for findings of non-compliance and the requirement to delete data in certain circumstances. Other sanctions could include suspension and removal of a seal, compensation for individuals for losses incurred as a result of non-compliance and injunctive awards. Private sector dispute resolution bodies and self-regulatory bodies must notify failures of Privacy Shield organizations to comply with their rulings to the governmental body with applicable jurisdiction or to the courts, as appropriate, and to notify the Department. § III.11.e.i.] | Process or Activity | Corrective | |
| Comply with all implemented policies in the organization's compliance framework. CC ID 06384 | Establish/Maintain Documentation | Preventive | |
| Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Communicate | Preventive | |
| Review systems for compliance with organizational information security policies. CC ID 12004 | Business Processes | Preventive | |
| Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 | Behavior | Preventive | |
| Document the organization's local environments. CC ID 06726 [Given U.S. constitutional protections for freedom of the press and the Directive's exemption for journalistic material, where the rights of a free press embodied in the First Amendment of the U.S. Constitution intersect with privacy protection interests, the First Amendment must govern the balancing of these interests with regard to the activities of U.S. persons or organizations. § III.2.a. Privacy Shield benefits are assured from the date on which the Department has placed the organization's self-certification submission on the Privacy Shield List after having determined that the submission is complete. § III.6.a. The Privacy Shield Principles are relevant only when individually identified records are transferred or accessed. Statistical reporting relying on aggregate employment data and containing no personal data or the use of anonymized data does not raise privacy concerns. § III.9.a.ii. The FTC has committed to reviewing on a priority basis referrals alleging non-compliance with the Principles received from: (i) privacy self-regulatory organizations and other independent dispute resolution bodies; (ii) EU Member States; and (iii) the Department, to determine whether Section 5 of the FTC Act prohibiting unfair or deceptive acts or practices in commerce has been violated. If the FTC concludes that it has reason to believe Section 5 has been violated, it may resolve the matter by seeking an administrative cease and desist order prohibiting the challenged practices or by filing a complaint in a federal district court, which if successful could result in a federal court order to same effect. This includes false claims of adherence to the Privacy Shield Principles or participation in the Privacy Shield by organizations, which either are no longer on the Privacy Shield List or have never self-certified to the Department. The FTC may obtain civil penalties for violations of an administrative cease and desist order and may pursue civil or criminal contempt for violation of a federal court order. The FTC will notify the Department of any such actions it takes. The Department encourages other government bodies to notify it of the final disposition of any such referrals or other rulings determining adherence to the Privacy Shield Principles. § III.11.f.ii. Where an organization is found to have intentionally made personal information public in contravention of the Principles so that it or others may benefit from these exceptions, it will cease to qualify for the benefits of the Privacy Shield. § III.15.c. The information provided by the Privacy Shield organizations in these reports together with information that has been released by the intelligence community, along with other information, can be used to inform the annual joint review of the functioning of the Privacy Shield in accordance with the Principles. § III.16.b. The activities of auditors and investment bankers may involve processing personal data without the consent or knowledge of the individual. This is permitted by the Notice, Choice, and Access Principles under the circumstances described below. § III.4.a. Because adequate protection is provided by Privacy Shield participants, contracts with Privacy Shield participants for mere processing do not require prior authorization (or such authorization will be granted automatically by the EU Member States), as would be required for contracts with recipients not participating in the Privacy Shield or otherwise not providing adequate protection. § III.10.a.iii. The Department will remove an organization from the Privacy Shield List in response to any notification it receives of persistent failure to comply, whether it is received from the organization itself, from a privacy self-regulatory body or another independent dispute resolution body, or from a government body, but only after first providing 30 days' notice and an opportunity to respond to the organization that has failed to comply. Accordingly, the Privacy Shield List maintained by the Department will make clear which organizations are assured and which organizations are no longer assured of Privacy Shield benefits. § III.11.g.iii.] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain local environment security profiles. CC ID 07037 | Establish/Maintain Documentation | Preventive | |
| Include individuals assigned to the local environment in the local environment security profile. CC ID 07038 | Establish/Maintain Documentation | Preventive | |
| Include security requirements in the local environment security profile. CC ID 15717 | Establish/Maintain Documentation | Preventive | |
| Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039 | Establish/Maintain Documentation | Preventive | |
| Include the technology used in the local environment in the local environment security profile. CC ID 07040 | Establish/Maintain Documentation | Preventive | |
| Include contact information for critical personnel assigned to the local environment in the local environment security profile. CC ID 07041 | Establish/Maintain Documentation | Preventive | |
| Include facility information for the local environment in the local environment security profile. CC ID 07042 | Establish/Maintain Documentation | Preventive | |
| Include facility access information for the local environment in the local environment security profile. CC ID 11773 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the local environment security profile to interested personnel and affected parties. CC ID 15716 | Communicate | Preventive | |
| Update the local environment security profile, as necessary. CC ID 07043 | Establish/Maintain Documentation | Preventive | |
Privacy protection for information and data | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 [{unauthorized disclosure}{unauthorized alteration}{unauthorized destruction} Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data. § II.4.a. {unauthorized disclosure}{unauthorized alteration}{unauthorized destruction} Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data. § II.4.a. {unauthorized disclosure}{unauthorized alteration}{unauthorized destruction} Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data. § II.4.a. {unauthorized disclosure}{unauthorized alteration}{unauthorized destruction} Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data. § II.4.a. {unauthorized disclosure}{unauthorized alteration}{unauthorized destruction} Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data. § II.4.a. {unauthorized disclosure}{unauthorized alteration}{unauthorized destruction} Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data. § II.4.a. Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum such mechanisms must include: § II.7.a.] | Establish/Maintain Documentation | Preventive | |
| Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data transparency program. CC ID 00375 [An organization must inform individuals about: its commitment to subject to the Principles all personal data received from the EU in reliance on the Privacy Shield, § II.1.a.iii {Department of Commerce} The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self- certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. {Department of Commerce} The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self- certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. {Department of Commerce} The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self- certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. {Department of Commerce} The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self- certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. {law enforcement reasons} In order to provide transparency in respect of lawful requests by public authorities to access personal information, Privacy Shield organizations may voluntarily issue periodic transparency reports on the number of requests for personal information they receive by public authorities for law enforcement or national security reasons, to the extent such disclosures are permissible under applicable law. § III.16.a.] | Data and Information Management | Preventive | |
| Establish and maintain privacy notices, as necessary. CC ID 13443 | Establish/Maintain Documentation | Preventive | |
| Include the purpose of the privacy notice in the privacy notice. CC ID 13526 | Establish/Maintain Documentation | Preventive | |
| Include the processing purpose in the privacy notice. CC ID 16543 | Establish/Maintain Documentation | Preventive | |
| Include contact information in the privacy notice. CC ID 14432 | Establish/Maintain Documentation | Preventive | |
| Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 | Establish/Maintain Documentation | Preventive | |
| Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 | Establish/Maintain Documentation | Preventive | |
| Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 | Establish/Maintain Documentation | Preventive | |
| Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 | Establish/Maintain Documentation | Preventive | |
| Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 | Establish/Maintain Documentation | Preventive | |
| Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 | Establish/Maintain Documentation | Preventive | |
| Include the personal data collection categories in the privacy notice. CC ID 13457 | Establish/Maintain Documentation | Preventive | |
| Include disclosure exceptions in the privacy notice. CC ID 13447 | Establish/Maintain Documentation | Preventive | |
| Include the types of personal data disclosed in the privacy notice. CC ID 13446 | Establish/Maintain Documentation | Preventive | |
| Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 | Establish/Maintain Documentation | Preventive | |
| Specify the time frame that notice will be given. CC ID 00385 | Establish/Maintain Documentation | Preventive | |
| Include the information about the appeal process in the privacy notice. CC ID 15312 | Establish/Maintain Documentation | Preventive | |
| Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 | Establish/Maintain Documentation | Preventive | |
| Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 | Communicate | Preventive | |
| Deliver privacy notices to data subjects, as necessary. CC ID 13444 | Communicate | Preventive | |
| Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 | Establish/Maintain Documentation | Preventive | |
| Update privacy notices, as necessary. CC ID 13474 | Communicate | Preventive | |
| Redeliver privacy notices, as necessary. CC ID 14850 | Communicate | Preventive | |
| Deliver privacy notices to third parties, as necessary. CC ID 13473 | Communicate | Preventive | |
| Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 | Communicate | Preventive | |
| Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 | Establish/Maintain Documentation | Corrective | |
| Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 | Establish/Maintain Documentation | Preventive | |
| Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 | Establish/Maintain Documentation | Preventive | |
| Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 | Establish/Maintain Documentation | Preventive | |
| Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain opt-out notices. CC ID 13448 | Establish/Maintain Documentation | Preventive | |
| Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 | Establish/Maintain Documentation | Preventive | |
| Include the opt out method for data subjects in the opt-out notice. CC ID 13467 | Establish/Maintain Documentation | Preventive | |
| Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 | Establish/Maintain Documentation | Preventive | |
| Explain the right to opt out in the opt-out notice. CC ID 13462 | Establish/Maintain Documentation | Preventive | |
| Include the organization's right to share personal data in the opt-out notice. CC ID 13450 | Establish/Maintain Documentation | Preventive | |
| Deliver opt-out notices, as necessary. CC ID 13449 | Communicate | Preventive | |
| Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 | Communicate | Preventive | |
| Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 [{Department of Commerce} To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles; (iv) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (v) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request. § II.3.b.] | Communicate | Preventive | |
| Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 [{Department of Commerce} {adequate protection} An organization must subject to the Privacy Shield Principles all personal data received from the EU in reliance upon the Privacy Shield. The undertaking to adhere to the Privacy Shield Principles is not time-limited in respect of personal data received during the period in which the organization enjoys the benefits of the Privacy Shield. Its undertaking means that it will continue to apply the Principles to such data for as long as the organization stores, uses or discloses them, even if it subsequently leaves the Privacy Shield for any reason. An organization that withdraws from the Privacy Shield but wants to retain such data must affirm to the Department on an annual basis its commitment to continue to apply the Principles or provide "adequate" protection for the information by another authorized means (for example, using a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission); otherwise, the organization must return or delete the information. An organization that withdraws from the Privacy Shield must remove from any relevant privacy policy any references to the Privacy Shield that imply that the organization continues to actively participate in the Privacy Shield and is entitled to its benefits. § III.6.f.] | Communicate | Preventive | |
| Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 [{Department of Commerce} An organization that will cease to exist as a separate legal entity as a result of a merger or a takeover must notify the Department of this in advance. The notification should also indicate whether the acquiring entity or the entity resulting from the merger will (i) continue to be bound by the Privacy Shield Principles by the operation of law governing the takeover or merger or (ii) elect to self-certify its adherence to the Privacy Shield Principles or put in place other safeguards, such as a written agreement that will ensure adherence to the Privacy Shield Principles. Where neither (i) nor (ii) applies, any personal data that has been acquired under the Privacy Shield must be promptly deleted. § III.6.g.] | Communicate | Preventive | |
| Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 | Data and Information Management | Preventive | |
| Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 [{Department of Commerce} An organization that will cease to exist as a separate legal entity as a result of a merger or a takeover must notify the Department of this in advance. The notification should also indicate whether the acquiring entity or the entity resulting from the merger will (i) continue to be bound by the Privacy Shield Principles by the operation of law governing the takeover or merger or (ii) elect to self-certify its adherence to the Privacy Shield Principles or put in place other safeguards, such as a written agreement that will ensure adherence to the Privacy Shield Principles. Where neither (i) nor (ii) applies, any personal data that has been acquired under the Privacy Shield must be promptly deleted. § III.6.g.] | Communicate | Preventive | |
| Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 [{investigatory powers} An organization must inform individuals about: being subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or any other U.S. authorized statutory body, § II.1.a.x.] | Communicate | Preventive | |
| Provide the data subject with a notice of participation procedures. CC ID 06241 [Personal data developed in specific medical or pharmaceutical research studies often play a valuable role in future scientific research. Where personal data collected for one research study are transferred to a U.S. organization in the Privacy Shield, the organization may use the data for a new scientific research activity if appropriate notice and choice have been provided in the first instance. Such notice should provide information about any future specific uses of the data, such as periodic follow-up, related studies, or marketing. § III.14.b.i. It is understood that not all future uses of the data can be specified, since a new research use could arise from new insights on the original data, new medical discoveries and advances, and public health and regulatory developments. Where appropriate, the notice should therefore include an explanation that personal data may be used in future medical and pharmaceutical research activities that are unanticipated. If the use is not consistent with the general research purpose(s) for which the personal data were originally collected, or to which the individual has consented subsequently, new consent must be obtained. § III.14.b.ii.] | Establish/Maintain Documentation | Preventive | |
| Deliver notices to the intended parties. CC ID 06240 | Data and Information Management | Preventive | |
| Notify data subjects about their privacy rights. CC ID 12989 | Communicate | Preventive | |
| Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 [An organization must inform individuals about: the types of personal data collected and, where applicable, the entities or subsidiaries of the organization also adhering to the Principles, § II.1.a.ii.] | Communicate | Preventive | |
| Require a data protection impact assessment when profiling the data subject. CC ID 12680 | Process or Activity | Detective | |
| Establish, implement, and maintain adequate openness procedures. CC ID 00377 | Data and Information Management | Preventive | |
| Provide public proof the organization participates in a privacy program. CC ID 12349 [An organization must inform individuals about: its participation in the Privacy Shield and provide a link to, or the web address for, the Privacy Shield List, § II.1.a.i.] | Communicate | Preventive | |
| Publish a description of processing activities in an official register. CC ID 00379 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a records request manual. CC ID 00381 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 | Establish/Maintain Documentation | Preventive | |
| Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 [An organization applying to participate in a self-regulatory body for the purposes of requalifying for the Privacy Shield must provide that body with full information about its prior participation in the Privacy Shield. § III.11.g.iv.] | Behavior | Preventive | |
| Define what is included in registration notices. CC ID 00386 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the registration notice. CC ID 16803 | Establish Roles | Preventive | |
| Include the verification method in the registration notice. CC ID 16798 | Establish/Maintain Documentation | Preventive | |
| Include the statutory authority in the registration notice. CC ID 16799 | Establish/Maintain Documentation | Preventive | |
| Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 | Establish/Maintain Documentation | Preventive | |
| Include a purpose specification description in the registration notice. CC ID 00388 | Establish/Maintain Documentation | Preventive | |
| Include information about the dispute resolution body in the registration notice. CC ID 16800 | Establish/Maintain Documentation | Preventive | |
| Include the data subject category being processed in the registration notice. CC ID 00389 | Establish/Maintain Documentation | Preventive | |
| Include the time period for data processing in the registration notice. CC ID 00390 | Establish/Maintain Documentation | Preventive | |
| Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 | Establish/Maintain Documentation | Preventive | |
| Provide legal authorities access to personal data, upon request. CC ID 06818 | Data and Information Management | Preventive | |
| Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 | Process or Activity | Preventive | |
| Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 [An organization must inform individuals about: its participation in the Privacy Shield and provide a link to, or the web address for, the Privacy Shield List, § II.1.a.i. An organization must inform individuals about: the choices and means the organization offers individuals for limiting the use and disclosure of their personal data, § II.1.a.viii. {unfair act or practice} {deceptive act or practice} description of the organization's privacy policy for such personal information, including: the specific statutory body that has jurisdiction to hear any claims against the organization regarding possible unfair or deceptive practices and violations of laws or regulations governing privacy (and that is listed in the Principles or a future annex to the Principles); § III.6.b.iii.4.] | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 | Process or Activity | Preventive | |
| Document the countries where restricted data may be stored. CC ID 12750 | Data and Information Management | Preventive | |
| Protect the rights of students and their parents or legal representatives. CC ID 00222 | Data and Information Management | Preventive | |
| Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 | Technical Security | Preventive | |
| Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 | Records Management | Preventive | |
| Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 | Records Management | Preventive | |
| Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 | Records Management | Corrective | |
| Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 | Records Management | Corrective | |
| Define the criteria for waivers of data subjects' rights. CC ID 16858 | Behavior | Preventive | |
| Revoke waivers of data subject's rights, as necessary. CC ID 16859 | Behavior | Preventive | |
| Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 | Establish/Maintain Documentation | Preventive | |
| Disclose educational data, as necessary. CC ID 00223 | Data and Information Management | Preventive | |
| Grant access to education records in support of educational program audits. CC ID 13032 | Records Management | Preventive | |
| Grant access to education records in support of external requirements. CC ID 13033 | Records Management | Preventive | |
| Disclose statements added to education records, as necessary. CC ID 12990 | Communicate | Preventive | |
| Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 | Data and Information Management | Preventive | |
| Disclose education records when written consent is received. CC ID 00224 | Data and Information Management | Preventive | |
| Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 | Establish/Maintain Documentation | Preventive | |
| Specify the purpose of the disclosure in the written consent. CC ID 13001 | Establish/Maintain Documentation | Preventive | |
| Specify which education records may be disclosed in the written consent. CC ID 13000 | Establish/Maintain Documentation | Preventive | |
| Document the conditions when consent is not required to disclose educational data. CC ID 00225 | Establish/Maintain Documentation | Preventive | |
| Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 | Communicate | Preventive | |
| Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 | Communicate | Preventive | |
| Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 | Communicate | Preventive | |
| Disclose educational data absent consent to other school officials. CC ID 00226 | Data and Information Management | Preventive | |
| Disclose educational data absent consent to another institution's school officials. CC ID 00227 | Data and Information Management | Preventive | |
| Disclose educational data absent consent in connection with financial aid. CC ID 00229 | Data and Information Management | Preventive | |
| Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 | Data and Information Management | Preventive | |
| Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 | Communicate | Preventive | |
| Disclose educational data absent consent to accrediting organizations. CC ID 00231 | Data and Information Management | Preventive | |
| Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 | Data and Information Management | Preventive | |
| Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 | Data and Information Management | Preventive | |
| Disclose educational data absent consent for a health and safety emergency. CC ID 00234 | Data and Information Management | Preventive | |
| Disclose educational data absent consent when it is merely directory information. CC ID 00235 | Data and Information Management | Preventive | |
| Disclose educational data absent consent to a crime victim. CC ID 00236 | Data and Information Management | Preventive | |
| Record the health and safety threats of students when disclosing personal data. CC ID 12997 | Establish/Maintain Documentation | Preventive | |
| Refrain from providing information to the data subject, as necessary. CC ID 12625 | Communicate | Preventive | |
| Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 | Communicate | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 | Communicate | Preventive | |
| Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 | Communicate | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 | Communicate | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 | Communicate | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 | Communicate | Preventive | |
| Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 | Communicate | Preventive | |
| Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 | Communicate | Preventive | |
| Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 [An organization must inform individuals about: the right of individuals to access their personal data, § II.1.a.vii.] | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with the data retention period for personal data. CC ID 12587 | Process or Activity | Preventive | |
| Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 | Process or Activity | Preventive | |
| Provide the data subject with the adequacy decision. CC ID 12586 | Process or Activity | Preventive | |
| Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 | Process or Activity | Preventive | |
| Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 | Process or Activity | Preventive | |
| Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [{database} Access can be provided in the form of disclosure of the relevant personal information by an organization to the individual and does not require access by the individual to an organization's data base. § III.8.d.i. Access needs to be provided only to the extent that an organization stores the personal information. The Access Principle does not itself create any obligation to retain, maintain, reorganize, or restructure personal information files. § III.8.d.ii. Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated. § II.6.a. {personal data} The Access Principle means that individuals have the right to: have communicated to them such data so that they could verify its accuracy and the lawfulness of the processing; and § III.8.a.i.2.] | Data and Information Management | Preventive | |
| Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Business Processes | Preventive | |
| Provide the data subject with the data protection officer's contact information. CC ID 12573 | Business Processes | Preventive | |
| Notify the data subject of the right to data portability. CC ID 12603 | Process or Activity | Preventive | |
| Provide the data subject with information about the right to erasure. CC ID 12602 | Process or Activity | Preventive | |
| Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [An organization must inform individuals about: the purposes for which it collects and uses personal information about them, § II.1.a.iv. An organization must inform individuals about: the purposes for which it collects and uses personal information about them, § II.1.a.iv. An organization must inform individuals about: the types of personal data collected and, where applicable, the entities or subsidiaries of the organization also adhering to the Principles, § II.1.a.ii. An organization must inform individuals about: the type or identity of third parties to which it discloses personal information, and the purposes for which it does so, § II.1.a.vi. The organization should answer requests from an individual concerning the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data is disclosed. § III.8.a.i.1. Footnote 1 An individual has the right to obtain confirmation of whether or not this organization has personal data relating to him or her. An individual also has the right to have communicated to him or her personal data relating to him or her. An organization may charge a fee that is not excessive. § III.8.f.i. The Access Principle means that individuals have the right to: obtain from an organization confirmation of whether or not the organization is processing personal data relating to them; § III.8.a.i.1.] | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 [The organization should answer requests from an individual concerning the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data is disclosed. § III.8.a.i.1. Footnote 1] | Data and Information Management | Preventive | |
| Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a disclosure accounting record. CC ID 13022 | Establish/Maintain Documentation | Preventive | |
| Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 | Establish/Maintain Documentation | Preventive | |
| Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 | Establish/Maintain Documentation | Preventive | |
| Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 [An organization must inform individuals about: the type or identity of third parties to which it discloses personal information, and the purposes for which it does so, § II.1.a.vi.] | Establish/Maintain Documentation | Preventive | |
| Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 | Establish/Maintain Documentation | Preventive | |
| Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 | Establish/Maintain Documentation | Preventive | |
| Include the disclosure date in the disclosure accounting record. CC ID 07133 | Establish/Maintain Documentation | Preventive | |
| Include the disclosure recipient in the disclosure accounting record. CC ID 07134 | Establish/Maintain Documentation | Preventive | |
| Include the disclosure purpose in the disclosure accounting record. CC ID 07135 | Establish/Maintain Documentation | Preventive | |
| Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 | Establish/Maintain Documentation | Preventive | |
| Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 | Establish/Maintain Documentation | Preventive | |
| Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 | Establish/Maintain Documentation | Preventive | |
| Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 | Establish/Maintain Documentation | Preventive | |
| Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 | Establish/Maintain Documentation | Preventive | |
| Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 | Establish/Maintain Documentation | Preventive | |
| Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 | Data and Information Management | Preventive | |
| Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 | Communicate | Preventive | |
| Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 | Establish/Maintain Documentation | Preventive | |
| Provide shareholders access to electronic messages via electronic means. CC ID 11855 | Process or Activity | Preventive | |
| Make telephone directory information available to the public. CC ID 08698 | Establish/Maintain Documentation | Preventive | |
| Display warning screens and confirmation screens for all payment transactions. CC ID 06409 | Technical Security | Preventive | |
| Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 | Process or Activity | Preventive | |
| Establish, implement, and maintain a privacy policy. CC ID 06281 [{is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c.] | Establish/Maintain Documentation | Preventive | |
| Include the data subject's rights in the privacy policy. CC ID 16355 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a privacy policy model document. CC ID 14720 | Establish/Maintain Documentation | Preventive | |
| Document privacy policies in clearly written and easily understood language. CC ID 00376 | Establish/Maintain Documentation | Detective | |
| Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 | Behavior | Preventive | |
| Write privacy notices in the official languages required by law. CC ID 16529 | Establish/Maintain Documentation | Preventive | |
| Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 | Establish/Maintain Documentation | Preventive | |
| Define what is included in the privacy policy. CC ID 00404 [{Department of Commerce} The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self- certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c.] | Establish/Maintain Documentation | Preventive | |
| Define the information being collected in the privacy policy. CC ID 13115 | Establish/Maintain Documentation | Preventive | |
| Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 | Establish/Maintain Documentation | Preventive | |
| Include the means by which information is collected in the privacy policy. CC ID 13114 | Establish/Maintain Documentation | Preventive | |
| Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 [{Department of Commerce} When an organization leaves the Privacy Shield for any reason, it must remove all statements implying that the organization continues to participate in the Privacy Shield or is entitled to the benefits of the Privacy Shield. The EU-U.S. Privacy Shield certification mark, if used, must also be removed. Any misrepresentation to the general public concerning an organization's adherence to the Privacy Shield Principles may be actionable by the FTC or other relevant government body. Misrepresentations to the Department may be actionable under the False Statements Act (18 U.S.C. § 1001). § III.6.h.] | Establish/Maintain Documentation | Corrective | |
| Include roles and responsibilities in the privacy policy. CC ID 14669 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the privacy policy. CC ID 14668 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the privacy policy. CC ID 14667 | Establish/Maintain Documentation | Preventive | |
| Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the privacy policy. CC ID 14666 | Establish/Maintain Documentation | Preventive | |
| Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 | Establish/Maintain Documentation | Preventive | |
| Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 [{Department of Commerce} When an organization leaves the Privacy Shield for any reason, it must remove all statements implying that the organization continues to participate in the Privacy Shield or is entitled to the benefits of the Privacy Shield. The EU-U.S. Privacy Shield certification mark, if used, must also be removed. Any misrepresentation to the general public concerning an organization's adherence to the Privacy Shield Principles may be actionable by the FTC or other relevant government body. Misrepresentations to the Department may be actionable under the False Statements Act (18 U.S.C. § 1001). § III.6.h. {Department of Commerce} {adequate protection} An organization must subject to the Privacy Shield Principles all personal data received from the EU in reliance upon the Privacy Shield. The undertaking to adhere to the Privacy Shield Principles is not time-limited in respect of personal data received during the period in which the organization enjoys the benefits of the Privacy Shield. Its undertaking means that it will continue to apply the Principles to such data for as long as the organization stores, uses or discloses them, even if it subsequently leaves the Privacy Shield for any reason. An organization that withdraws from the Privacy Shield but wants to retain such data must affirm to the Department on an annual basis its commitment to continue to apply the Principles or provide "adequate" protection for the information by another authorized means (for example, using a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission); otherwise, the organization must return or delete the information. An organization that withdraws from the Privacy Shield must remove from any relevant privacy policy any references to the Privacy Shield that imply that the organization continues to actively participate in the Privacy Shield and is entitled to its benefits. § III.6.f.] | Establish/Maintain Documentation | Corrective | |
| Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 [description of the organization's privacy policy for such personal information, including: the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.b.iii.7. Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i. {Security Principle}(Data Integrity and Purpose Limitation Principle} {Recourse, Enforcement and Liability Principle} An organization must apply the Privacy Shield Principles of Security, Data Integrity and Purpose Limitation, and Recourse, Enforcement and Liability to personal data from publicly available sources. These Principles shall apply also to personal data collected from public records, i.e., those records kept by government agencies or entities at any level that are open to consultation by the public in general. § III.15.a. Organizations are obligated to arbitrate claims and follow the terms as set forth in Annex I, provided that an individual has invoked binding arbitration by delivering notice to the organization at issue and following the procedures and subject to conditions set forth in Annex I. § II.7.c. {include} This list is intended to be illustrative and not limiting. The private sector may design additional mechanisms to provide enforcement, so long as they meet the requirements of the Recourse, Enforcement and Liability Principle and the Supplemental Principles. Please note that the Recourse, Enforcement and Liability Principle's requirements are additional to the requirement that self-regulatory efforts must be enforceable under Section 5 of the Federal Trade Commission Act, which prohibits unfair and deceptive acts, or another law or regulation prohibiting such acts. § III.11.b.] | Establish/Maintain Documentation | Preventive | |
| Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 [description of the organization's privacy policy for such personal information, including: name of any privacy program in which the organization is a member; § III.6.b.iii.5.] | Establish/Maintain Documentation | Preventive | |
| Include a complaint form in the privacy policy. CC ID 12364 [Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i.] | Establish/Maintain Documentation | Preventive | |
| Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 | Establish/Maintain Documentation | Preventive | |
| Include the processing purpose in the privacy policy. CC ID 00406 | Establish/Maintain Documentation | Preventive | |
| Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 | Establish/Maintain Documentation | Preventive | |
| Include the data subject categories being processed in the privacy policy. CC ID 00407 | Establish/Maintain Documentation | Preventive | |
| Define the retention period for collected information in the privacy policy. CC ID 13116 | Establish/Maintain Documentation | Preventive | |
| Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 | Establish/Maintain Documentation | Preventive | |
| Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 | Establish/Maintain Documentation | Preventive | |
| Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 | Establish/Maintain Documentation | Preventive | |
| Include instructions on how to opt-out in the privacy policy. CC ID 00411 [An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. Individuals must be provided with clear, conspicuous, and readily available mechanisms to exercise choice. § II.2.a.] | Establish/Maintain Documentation | Preventive | |
| Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 [description of the organization's privacy policy for such personal information, including: if the organization has a public website, the relevant web address where the privacy policy is available, or if the organization does not have a public website, where the privacy policy is available for viewing by the public; § III.6.b.iii.1. {Department of Commerce} The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self- certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self-certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. Independent recourse mechanisms must include on their public websites information regarding the Privacy Shield Principles and the services that they provide under the Privacy Shield. This information must include: (1) information on or a link to the Privacy Shield Principles' requirements for independent recourse mechanisms; (2) a link to the Department's Privacy Shield website; (3) an explanation that their dispute resolution services under the Privacy Shield are free of charge to individuals; (4) a description of how a Privacy Shield-related complaint can be filed; (5) the timeframe in which Privacy Shield-related complaints are processed; and (6) a description of the range of potential remedies. § III.11.d.ii. Independent recourse mechanisms must include on their public websites information regarding the Privacy Shield Principles and the services that they provide under the Privacy Shield. This information must include: (1) information on or a link to the Privacy Shield Principles' requirements for independent recourse mechanisms; (2) a link to the Department's Privacy Shield website; (3) an explanation that their dispute resolution services under the Privacy Shield are free of charge to individuals; (4) a description of how a Privacy Shield-related complaint can be filed; (5) the timeframe in which Privacy Shield-related complaints are processed; and (6) a description of the range of potential remedies. § III.11.d.ii.] | Establish/Maintain Documentation | Preventive | |
| Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 | Establish/Maintain Documentation | Preventive | |
| Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 | Establish/Maintain Documentation | Preventive | |
| Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 [description of the organization's privacy policy for such personal information, including: method of verification; and § III.6.b.iii.6.] | Establish/Maintain Documentation | Preventive | |
| Post the privacy policy in an easily seen location. CC ID 00401 [description of the organization's privacy policy for such personal information, including: if the organization has a public website, the relevant web address where the privacy policy is available, or if the organization does not have a public website, where the privacy policy is available for viewing by the public; § III.6.b.iii.1. {Department of Commerce} Where the organization wishes its Privacy Shield benefits to cover human resources information transferred from the EU for use in the context of the employment relationship, it may do so where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear claims against the organization arising out of the processing of human resources information. In addition, the organization must indicate this in its self-certification submission and declare its commitment to cooperate with the EU authority or authorities concerned in conformity with the Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities as applicable and that it will comply with the advice given by such authorities. The organization must also provide the Department with a copy of its human resources privacy policy and provide information where the privacy policy is available for viewing by its affected employees. § III.6.c. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c.] | Establish/Maintain Documentation | Preventive | |
| Define who will receive the privacy policy. CC ID 00402 [{Department of Commerce} Where the organization wishes its Privacy Shield benefits to cover human resources information transferred from the EU for use in the context of the employment relationship, it may do so where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear claims against the organization arising out of the processing of human resources information. In addition, the organization must indicate this in its self-certification submission and declare its commitment to cooperate with the EU authority or authorities concerned in conformity with the Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities as applicable and that it will comply with the advice given by such authorities. The organization must also provide the Department with a copy of its human resources privacy policy and provide information where the privacy policy is available for viewing by its affected employees. § III.6.c.] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 | Communicate | Preventive | |
| Establish, implement, and maintain privacy procedures. CC ID 14665 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 | Communicate | Preventive | |
| Establish, implement, and maintain a privacy plan. CC ID 14672 | Establish/Maintain Documentation | Preventive | |
| Align the enterprise architecture with the privacy plan. CC ID 14705 | Process or Activity | Preventive | |
| Approve the privacy plan. CC ID 14700 | Business Processes | Preventive | |
| Include privacy requirements in the privacy plan. CC ID 14699 | Establish/Maintain Documentation | Preventive | |
| Include the information types in the privacy plan. CC ID 14695 | Establish/Maintain Documentation | Preventive | |
| Include threats in the privacy plan. CC ID 14694 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the privacy plan. CC ID 14702 | Establish/Maintain Documentation | Preventive | |
| Include a description of the operational context in the privacy plan. CC ID 14692 | Establish/Maintain Documentation | Preventive | |
| Include risk assessment results in the privacy plan. CC ID 14701 | Establish/Maintain Documentation | Preventive | |
| Include the security categorizations and rationale in the privacy plan. CC ID 14690 | Establish/Maintain Documentation | Preventive | |
| Include security controls in the privacy plan. CC ID 14681 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 | Communicate | Preventive | |
| Include a description of the operational environment in the privacy plan. CC ID 14679 | Establish/Maintain Documentation | Preventive | |
| Include network diagrams in the privacy plan. CC ID 14678 | Establish/Maintain Documentation | Preventive | |
| Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a privacy report. CC ID 14754 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 | Communicate | Preventive | |
| Protect private communications in keeping with compliance requirements. CC ID 14334 | Business Processes | Preventive | |
| Disseminate private communications when required by law. CC ID 14335 | Communicate | Corrective | |
| Establish, implement, and maintain personal data choice and consent program. CC ID 12569 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data request procedures. CC ID 16546 | Establish/Maintain Documentation | Preventive | |
| Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 | Human Resources Management | Preventive | |
| Refrain from charging a fee to implement an opt-out request. CC ID 13877 | Business Processes | Preventive | |
| Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 | Establish/Maintain Documentation | Preventive | |
| Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 | Establish/Maintain Documentation | Preventive | |
| Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 | Establish/Maintain Documentation | Preventive | |
| Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 | Establish/Maintain Documentation | Preventive | |
| Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 | Establish/Maintain Documentation | Preventive | |
| Include the identity of the data subject in the disclosure authorization form. CC ID 13436 | Establish/Maintain Documentation | Preventive | |
| Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 | Establish/Maintain Documentation | Preventive | |
| Include how personal data will be used in the disclosure authorization form. CC ID 13441 | Establish/Maintain Documentation | Preventive | |
| Include agreement termination information in the disclosure authorization form. CC ID 13437 | Establish/Maintain Documentation | Preventive | |
| Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 | Business Processes | Preventive | |
| Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 | Business Processes | Preventive | |
| Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 [An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. Individuals must be provided with clear, conspicuous, and readily available mechanisms to exercise choice. § II.2.a. {ability} Generally, the purpose of the Choice Principle is to ensure that personal information is used and disclosed in ways that are consistent with the individual's expectations and choices. Accordingly, an individual should be able to exercise "opt out" choice of having personal information used for direct marketing at any time subject to reasonable limits established by the organization, such as giving the organization time to make the opt out effective. An organization may also require sufficient information to confirm the identity of the individual requesting the "opt out." In the United States, individuals may be able to exercise this option through the use of a central "opt out" program such as the Direct Marketing Association's Mail Preference Service. Organizations that participate in the Direct Marketing Association's Mail Preference Service should promote its availability to consumers who do not wish to receive commercial information. In any event, an individual should be given a readily available and affordable mechanism to exercise this option. § III.12.a.] | Data and Information Management | Preventive | |
| Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Business Processes | Preventive | |
| Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Business Processes | Preventive | |
| Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 | Data and Information Management | Preventive | |
| Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 | Business Processes | Preventive | |
| Confirm the individual's identity before granting an opt-out request. CC ID 16813 | Process or Activity | Preventive | |
| Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 | Establish/Maintain Documentation | Preventive | |
| Allow consent requests to be provided in any official languages. CC ID 16530 | Business Processes | Preventive | |
| Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 | Communicate | Preventive | |
| Collect and retain disclosure authorizations for each data subject. CC ID 13434 | Records Management | Preventive | |
| Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 | Data and Information Management | Preventive | |
| Refrain from obtaining consent through deception. CC ID 13556 | Data and Information Management | Preventive | |
| Give individuals the ability to change the uses of their personal data. CC ID 00469 | Data and Information Management | Preventive | |
| Notify data subjects of the implications of withdrawing consent. CC ID 13551 | Data and Information Management | Preventive | |
| Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Establish/Maintain Documentation | Preventive | |
| Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 | Human Resources Management | Preventive | |
| Require data controllers to be accountable for their actions. CC ID 00470 | Establish Roles | Preventive | |
| Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 | Human Resources Management | Preventive | |
| Notify the supervisory authority. CC ID 00472 | Behavior | Preventive | |
| Establish, implement, and maintain approval applications. CC ID 16778 | Establish/Maintain Documentation | Preventive | |
| Define the requirements for approving or denying approval applications. CC ID 16780 | Business Processes | Preventive | |
| Submit approval applications to the supervisory authority. CC ID 16627 | Communicate | Preventive | |
| Include required information in the approval application. CC ID 16628 | Establish/Maintain Documentation | Preventive | |
| Extend the time limit for approving or denying approval applications. CC ID 16779 | Business Processes | Preventive | |
| Approve the approval application unless applicant has been convicted. CC ID 16603 | Process or Activity | Preventive | |
| Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 | Process or Activity | Preventive | |
| Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Communicate | Preventive | |
| Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Communicate | Corrective | |
| Cooperate with Data Protection Authorities. CC ID 06870 [{Department of Commerce} Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department. Organizations that have chosen to cooperate with DPAs, including organizations that process human resources data, must respond directly to such authorities with regard to the investigation and resolution of complaints § II.7.b. {Department of Commerce} Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department. Organizations that have chosen to cooperate with DPAs, including organizations that process human resources data, must respond directly to such authorities with regard to the investigation and resolution of complaints § II.7.b. {unfair act or practice}{deceptive act or practice}{Department of Commerce} Organizations must retain their records on the implementation of their Privacy Shield privacy practices and make them available upon request in the context of an investigation or a complaint about non-compliance to the independent body responsible for investigating complaints or to the agency with unfair and deceptive practices jurisdiction. Organizations must also respond promptly to inquiries and other requests for information from the Department relating to the organization's adherence to the Principles. § III.7.e. {unfair act or practice}{deceptive act or practice}{Department of Commerce} Organizations must retain their records on the implementation of their Privacy Shield privacy practices and make them available upon request in the context of an investigation or a complaint about non-compliance to the independent body responsible for investigating complaints or to the agency with unfair and deceptive practices jurisdiction. Organizations must also respond promptly to inquiries and other requests for information from the Department relating to the organization's adherence to the Principles. § III.7.e. A U.S. organization participating in the Privacy Shield that uses EU human resources data transferred from the European Union in the context of the employment relationship and that wishes such transfers to be covered by the Privacy Shield must therefore commit to cooperate in investigations by and to comply with the advice of competent EU authorities in such cases. § III.9.d.ii. {comply}{privacy rights violation complaint}{legal authority} The Recourse, Enforcement and Liability Principle sets out the requirements for Privacy Shield enforcement. How to meet the requirements of point (a)(ii) of the Principle is set out in the Supplemental Principle on Verification. This Supplemental Principle addresses points (a)(i) and (a)(iii), both of which require independent recourse mechanisms. These mechanisms may take different forms, but they must meet the Recourse, Enforcement and Liability Principle's requirements. Organizations satisfy the requirements through the following: (i) compliance with private sector developed privacy programs that incorporate the Privacy Shield Principles into their rules and that include effective enforcement mechanisms of the type described in the Recourse, Enforcement and Liability Principle; (ii) compliance with legal or regulatory supervisory authorities that provide for handling of individual complaints and dispute resolution; or (iii) commitment to cooperate with data protection authorities located in the European Union or their authorized representatives. § III.11.a. {Department of Commerce} In order to help ensure compliance with their Privacy Shield commitments and to support the administration of the program, organizations, as well as their independent recourse mechanisms, must provide information relating to the Privacy Shield when requested by the Department. In addition, organizations must respond expeditiously to complaints regarding their compliance with the Principles referred through the Department by DPAs. The response should address whether the complaint has merit and, if so, how the organization will rectify the problem. The Department will protect the confidentiality of information it receives in accordance with U.S. law. § III.11.c.] | Data and Information Management | Preventive | |
| Submit a safe harbor self-certification letter. CC ID 06871 [{Department of Commerce} To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information: § III.6.b.] | Establish/Maintain Documentation | Preventive | |
| Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 | Human Resources Management | Preventive | |
| Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 | Establish/Maintain Documentation | Preventive | |
| Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 | Establish/Maintain Documentation | Preventive | |
| Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 | Establish/Maintain Documentation | Preventive | |
| Include data subject's rights in the Binding Corporate Rules. CC ID 12596 | Establish/Maintain Documentation | Preventive | |
| Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 | Establish/Maintain Documentation | Preventive | |
| Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 | Establish/Maintain Documentation | Preventive | |
| Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 | Establish/Maintain Documentation | Preventive | |
| Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 | Establish/Maintain Documentation | Preventive | |
| Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 | Establish/Maintain Documentation | Preventive | |
| Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 | Establish/Maintain Documentation | Preventive | |
| Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 | Establish/Maintain Documentation | Preventive | |
| Include complaint procedures in the Binding Corporate Rules. CC ID 12613 | Establish/Maintain Documentation | Preventive | |
| Include the data transfers in the Binding Corporate Rules. CC ID 12590 | Establish/Maintain Documentation | Preventive | |
| Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 | Establish/Maintain Documentation | Preventive | |
| Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 | Establish/Maintain Documentation | Preventive | |
| Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 | Establish/Maintain Documentation | Preventive | |
| Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 | Establish/Maintain Documentation | Preventive | |
| Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 | Establish/Maintain Documentation | Preventive | |
| Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 | Establish/Maintain Documentation | Preventive | |
| Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 | Establish/Maintain Documentation | Preventive | |
| Notify the data controller of any changes in data processors. CC ID 12648 | Communicate | Preventive | |
| Establish, implement, and maintain Data Processing Contracts. CC ID 12650 | Establish/Maintain Documentation | Preventive | |
| Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Establish/Maintain Documentation | Preventive | |
| Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Establish/Maintain Documentation | Preventive | |
| Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 | Establish/Maintain Documentation | Preventive | |
| Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 | Establish/Maintain Documentation | Preventive | |
| Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 | Establish/Maintain Documentation | Preventive | |
| Include the duration of processing in the Data Processing Contract. CC ID 14935 | Establish/Maintain Documentation | Preventive | |
| Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 | Human Resources Management | Preventive | |
| Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Establish/Maintain Documentation | Preventive | |
| Display or print the least amount of personal data necessary. CC ID 04643 | Data and Information Management | Preventive | |
| Redact confidential information from public information, as necessary. CC ID 06872 [Where confidential commercial information can be readily separated from other personal information subject to an access request, the organization should redact the confidential commercial information and make available the non-confidential information. § III.8.c.ii.] | Data and Information Management | Preventive | |
| Notify the data subject of the collection purpose. CC ID 00095 | Behavior | Preventive | |
| Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Data and Information Management | Preventive | |
| Document the law that requires restricted data to be collected. CC ID 00103 | Establish/Maintain Documentation | Preventive | |
| Notify the data subject of the consequences for not providing personal data. CC ID 00104 | Behavior | Preventive | |
| Notify the data subject of changes to personal data use. CC ID 00105 [{Notice Principle}{Choice Principle} A U.S. organization that has received employee information from the EU under the Privacy Shield may disclose it to third parties or use it for different purposes only in accordance with the Notice and Choice Principles. For example, where an organization intends to use personal information collected through the employment relationship for non-employment-related purposes, such as marketing communications, the U.S. organization must provide the affected individuals with the requisite choice before doing so, unless they have already authorized the use of the information for such purposes. Moreover, such choices must not be used to restrict employment opportunities or take any punitive action against such employees. § III.9.b.i. Personal data developed in specific medical or pharmaceutical research studies often play a valuable role in future scientific research. Where personal data collected for one research study are transferred to a U.S. organization in the Privacy Shield, the organization may use the data for a new scientific research activity if appropriate notice and choice have been provided in the first instance. Such notice should provide information about any future specific uses of the data, such as periodic follow-up, related studies, or marketing. § III.14.b.i.] | Behavior | Preventive | |
| Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Establish/Maintain Documentation | Preventive | |
| Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Establish/Maintain Documentation | Preventive | |
| Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 [{ability} Generally, the purpose of the Choice Principle is to ensure that personal information is used and disclosed in ways that are consistent with the individual's expectations and choices. Accordingly, an individual should be able to exercise "opt out" choice of having personal information used for direct marketing at any time subject to reasonable limits established by the organization, such as giving the organization time to make the opt out effective. An organization may also require sufficient information to confirm the identity of the individual requesting the "opt out." In the United States, individuals may be able to exercise this option through the use of a central "opt out" program such as the Direct Marketing Association's Mail Preference Service. Organizations that participate in the Direct Marketing Association's Mail Preference Service should promote its availability to consumers who do not wish to receive commercial information. In any event, an individual should be given a readily available and affordable mechanism to exercise this option. § III.12.a.] | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 [{personal data} Similarly, an organization may use information for certain direct marketing purposes when it is impracticable to provide the individual with an opportunity to opt out before using the information, if the organization promptly gives the individual such opportunity at the same time (and upon request at any time) to decline (at no cost to the individual) to receive any further direct marketing communications and the organization complies with the individual's wishes. § III.12.b. {ability} Generally, the purpose of the Choice Principle is to ensure that personal information is used and disclosed in ways that are consistent with the individual's expectations and choices. Accordingly, an individual should be able to exercise "opt out" choice of having personal information used for direct marketing at any time subject to reasonable limits established by the organization, such as giving the organization time to make the opt out effective. An organization may also require sufficient information to confirm the identity of the individual requesting the "opt out." In the United States, individuals may be able to exercise this option through the use of a central "opt out" program such as the Direct Marketing Association's Mail Preference Service. Organizations that participate in the Direct Marketing Association's Mail Preference Service should promote its availability to consumers who do not wish to receive commercial information. In any event, an individual should be given a readily available and affordable mechanism to exercise this option. § III.12.a.] | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 [EU Member State law applies to the collection of the personal data and to any processing that takes place prior to the transfer to the United States. The Privacy Shield Principles apply to the data once they have been transferred to the United States. Data used for pharmaceutical research and other purposes should be anonymized when appropriate. § III.14.a.i.] | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Establish/Maintain Documentation | Preventive | |
| Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Establish/Maintain Documentation | Preventive | |
| Obtain the data subject's consent when the personal data use changes. CC ID 11832 [It is understood that not all future uses of the data can be specified, since a new research use could arise from new insights on the original data, new medical discoveries and advances, and public health and regulatory developments. Where appropriate, the notice should therefore include an explanation that personal data may be used in future medical and pharmaceutical research activities that are unanticipated. If the use is not consistent with the general research purpose(s) for which the personal data were originally collected, or to which the individual has consented subsequently, new consent must be obtained. § III.14.b.ii.] | Behavior | Preventive | |
| Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 | Establish/Maintain Documentation | Preventive | |
| Dispose of media and restricted data in a timely manner. CC ID 00125 [{Department of Commerce} {adequate protection} An organization must subject to the Privacy Shield Principles all personal data received from the EU in reliance upon the Privacy Shield. The undertaking to adhere to the Privacy Shield Principles is not time-limited in respect of personal data received during the period in which the organization enjoys the benefits of the Privacy Shield. Its undertaking means that it will continue to apply the Principles to such data for as long as the organization stores, uses or discloses them, even if it subsequently leaves the Privacy Shield for any reason. An organization that withdraws from the Privacy Shield but wants to retain such data must affirm to the Department on an annual basis its commitment to continue to apply the Principles or provide "adequate" protection for the information by another authorized means (for example, using a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission); otherwise, the organization must return or delete the information. An organization that withdraws from the Privacy Shield must remove from any relevant privacy policy any references to the Privacy Shield that imply that the organization continues to actively participate in the Privacy Shield and is entitled to its benefits. § III.6.f. {Department of Commerce} An organization that will cease to exist as a separate legal entity as a result of a merger or a takeover must notify the Department of this in advance. The notification should also indicate whether the acquiring entity or the entity resulting from the merger will (i) continue to be bound by the Privacy Shield Principles by the operation of law governing the takeover or merger or (ii) elect to self-certify its adherence to the Privacy Shield Principles or put in place other safeguards, such as a written agreement that will ensure adherence to the Privacy Shield Principles. Where neither (i) nor (ii) applies, any personal data that has been acquired under the Privacy Shield must be promptly deleted. § III.6.g.] | Data and Information Management | Preventive | |
| Refrain from destroying records being inspected or reviewed. CC ID 13015 | Records Management | Preventive | |
| Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Communicate | Preventive | |
| Establish, implement, and maintain data access procedures. CC ID 00414 [Consistent with the fundamental nature of access, organizations should always make good faith efforts to provide access. For example, where certain information needs to be protected and can be readily separated from other personal information subject to an access request, the organization should redact the protected information and make available the other information. If an organization determines that access should be restricted in any particular instance, it should provide the individual requesting access with an explanation of why it has made that determination and a contact point for any further inquiries. § III.8.a.iii. {human resources information} The Supplemental Principle on Access provides guidance on reasons which may justify denying or limiting access on request in the human resources context. Of course, employers in the European Union must comply with local regulations and ensure that European Union employees have access to such information as is required by law in their home countries, regardless of the location of data processing and storage. The Privacy Shield requires that an organization processing such data in the United States will cooperate in providing such access either directly or through the EU employer. § III.9.c.i. It is not necessary to apply the Access Principle to public record information as long as it is not combined with other personal information (apart from small amounts used to index or organize the public record information); however, any conditions for consultation established by the relevant jurisdiction are to be respected. In contrast, where public record information is combined with other non-public record information (other than as specifically noted above), an organization must provide access to all such information, assuming it is not subject to other permitted exceptions. § III.15.d. It is not necessary to apply the Access Principle to public record information as long as it is not combined with other personal information (apart from small amounts used to index or organize the public record information); however, any conditions for consultation established by the relevant jurisdiction are to be respected. In contrast, where public record information is combined with other non-public record information (other than as specifically noted above), an organization must provide access to all such information, assuming it is not subject to other permitted exceptions. § III.15.d. As with public record information, it is not necessary to provide access to information that is already publicly available to the public at large, as long as it is not combined with non-publicly available information. Organizations that are in the business of selling publicly available information may charge the organization's customary fee in responding to requests for access. Alternatively, individuals may seek access to their information from the organization that originally compiled the data. § III.15.e.] | Establish/Maintain Documentation | Preventive | |
| Allow data subjects to submit data requests. CC ID 16545 | Process or Activity | Preventive | |
| Provide individuals with information about where their personal data was processed. CC ID 00415 | Data and Information Management | Preventive | |
| Provide individuals with information about the processing purpose of their personal data. CC ID 00416 [The organization should answer requests from an individual concerning the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data is disclosed. § III.8.a.i.1. Footnote 1] | Data and Information Management | Preventive | |
| Provide individuals with information about disclosure of their personal data. CC ID 00417 [{national security requirement} An organization must inform individuals about: the requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, and § II.1.a.xii.] | Data and Information Management | Preventive | |
| Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Data and Information Management | Preventive | |
| Provide assistance to requesters in preparing data access requests. CC ID 13588 | Data and Information Management | Preventive | |
| Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Establish/Maintain Documentation | Preventive | |
| Define what is to be included in a data access request. CC ID 08699 | Establish/Maintain Documentation | Preventive | |
| Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 [Individuals do not have to justify requests for access to their personal data. In responding to individuals' access requests, organizations should first be guided by the concern(s) that led to the requests in the first place. For example, if an access request is vague or broad in scope, an organization may engage the individual in a dialogue so as to better understand the motivation for the request and to locate responsive information. The organization might inquire about which part(s) of the organization the individual interacted with or about the nature of the information or its use that is the subject of the access request. § III.8.a.ii.] | Business Processes | Preventive | |
| Respond to data access requests in a timely manner. CC ID 00421 [{personal data access request} Organizations should respond to access requests within a reasonable time period, in a reasonable manner, and in a form that is readily intelligible to the individual. An organization that provides information to data subjects at regular intervals may satisfy an individual access request with its regular disclosure if it would not constitute an excessive delay. § III.8.i.i.] | Behavior | Preventive | |
| Delay responding to data access requests, as necessary. CC ID 15504 | Data and Information Management | Preventive | |
| Expedite the processing of data access requests, as necessary. CC ID 15496 | Data and Information Management | Preventive | |
| Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 | Behavior | Detective | |
| Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 [Access may not be refused on cost grounds if the individual offers to pay the costs. § III.8.f.iii.] | Behavior | Detective | |
| Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Business Processes | Preventive | |
| Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Process or Activity | Preventive | |
| Deliver the records described in the personal data access request, as necessary. CC ID 08701 [An individual has the right to obtain confirmation of whether or not this organization has personal data relating to him or her. An individual also has the right to have communicated to him or her personal data relating to him or her. An organization may charge a fee that is not excessive. § III.8.f.i.] | Establish/Maintain Documentation | Preventive | |
| Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Data and Information Management | Preventive | |
| Document the outcome of the personal data access request review procedure. CC ID 00455 | Data and Information Management | Preventive | |
| Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Establish/Maintain Documentation | Preventive | |
| Submit personal data removal requests in writing. CC ID 11973 | Records Management | Preventive | |
| Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Establish/Maintain Documentation | Preventive | |
| Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Records Management | Corrective | |
| Notify third parties of data access requests that relates to the third party. CC ID 08703 | Establish/Maintain Documentation | Preventive | |
| Allow affected third parties to consent or object to a data access request. CC ID 08704 | Process or Activity | Preventive | |
| Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Establish/Maintain Documentation | Preventive | |
| Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 | Data and Information Management | Preventive | |
| Disclose de-identified data, as necessary. CC ID 13034 | Communicate | Preventive | |
| Notify the data subject after personal data is used or disclosed. CC ID 06247 | Behavior | Preventive | |
| Refrain from processing restricted data, as necessary. CC ID 12551 | Records Management | Preventive | |
| Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 | Process or Activity | Preventive | |
| Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 | Process or Activity | Preventive | |
| Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 | Business Processes | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 | Process or Activity | Detective | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 | Process or Activity | Preventive | |
| Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 | Data and Information Management | Preventive | |
| Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Data and Information Management | Preventive | |
| Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Business Processes | Preventive | |
| Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Business Processes | Preventive | |
| Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Business Processes | Preventive | |
| Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Business Processes | Preventive | |
| Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Business Processes | Preventive | |
| Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Business Processes | Preventive | |
| Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Business Processes | Preventive | |
| Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Business Processes | Preventive | |
| Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Business Processes | Preventive | |
| Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Business Processes | Preventive | |
| Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Process or Activity | Preventive | |
| Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 | Establish/Maintain Documentation | Preventive | |
| Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 | Establish/Maintain Documentation | Preventive | |
| Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 | Establish/Maintain Documentation | Preventive | |
| Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 | Establish/Maintain Documentation | Preventive | |
| Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 | Establish/Maintain Documentation | Preventive | |
| Include the data protection officer's contact information in the record of processing activities. CC ID 12640 | Records Management | Preventive | |
| Include the data processor's contact information in the record of processing activities. CC ID 12657 | Records Management | Preventive | |
| Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 | Records Management | Preventive | |
| Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 | Records Management | Preventive | |
| Include a description of the data subject categories in the record of processing activities. CC ID 12659 | Records Management | Preventive | |
| Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 | Records Management | Preventive | |
| Include the personal data processing categories in the record of processing activities. CC ID 12661 | Records Management | Preventive | |
| Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 | Records Management | Preventive | |
| Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 | Records Management | Preventive | |
| Include a description of the personal data categories in the record of processing activities. CC ID 12660 | Records Management | Preventive | |
| Include the joint data controller's contact information in the record of processing activities. CC ID 12639 | Records Management | Preventive | |
| Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 | Records Management | Preventive | |
| Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 | Records Management | Preventive | |
| Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 | Records Management | Preventive | |
| Include the data controller's contact information in the record of processing activities. CC ID 12637 | Records Management | Preventive | |
| Process restricted data lawfully and carefully. CC ID 00086 | Establish Roles | Preventive | |
| Analyze requirements for processing personal data in contracts. CC ID 12550 | Investigate | Detective | |
| Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Technical Security | Preventive | |
| Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 [An organization is not required to obtain affirmative express consent (opt in) with respect to sensitive data where the processing is: required to provide medical care or diagnosis; § III.1.a.iii.] | Data and Information Management | Preventive | |
| Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Communicate | Corrective | |
| Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Records Management | Preventive | |
| Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Establish/Maintain Documentation | Preventive | |
| Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Data and Information Management | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Records Management | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Process or Activity | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Records Management | Preventive | |
| Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Data and Information Management | Preventive | |
| Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Establish/Maintain Documentation | Preventive | |
| Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Establish/Maintain Documentation | Preventive | |
| Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Data and Information Management | Preventive | |
| Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Establish/Maintain Documentation | Preventive | |
| Define and implement valid authorization control requirements. CC ID 06258 | Establish/Maintain Documentation | Preventive | |
| Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Data and Information Management | Preventive | |
| Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Data and Information Management | Preventive | |
| Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Data and Information Management | Preventive | |
| Process personal data after the data subject has granted explicit consent. CC ID 00180 | Data and Information Management | Preventive | |
| Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 [An organization is not required to obtain affirmative express consent (opt in) with respect to sensitive data where the processing is: necessary for the establishment of legal claims or defenses; § III.1.a.ii. {due diligence review} {statutory requirements} The activities of auditors and investment bankers may involve processing personal data without the consent or knowledge of the individual. This is permitted by the Notice, Choice, and Access Principles under the circumstances described below. Public stock corporations and closely held companies, including Privacy Shield organizations, are regularly subject to audits. Such audits, particularly those looking into potential wrongdoing, may be jeopardized if disclosed prematurely. Similarly, a Privacy Shield organization involved in a potential merger or takeover will need to perform, or be the subject of, a "due diligence" review. This will often entail the collection and processing of personal data, such as information on senior executives and other key personnel. Premature disclosure could impede the transaction or even violate applicable securities regulation. Investment bankers and attorneys engaged in due diligence, or auditors conducting an audit, may process information without knowledge of the individual only to the extent and for the period necessary to meet statutory or public interest requirements and in other circumstances in which the application of these Principles would prejudice the legitimate interests of the organization. These legitimate interests include the monitoring of organizations' compliance with their legal obligations and legitimate accounting activities, and the need for confidentiality connected with possible acquisitions, mergers, joint ventures, or other similar transactions carried out by investment bankers or auditors. § III.4.b.] | Data and Information Management | Preventive | |
| Process personal data relating to criminal offenses when required by law. CC ID 00237 | Data and Information Management | Preventive | |
| Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 | Data and Information Management | Preventive | |
| Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 | Data and Information Management | Preventive | |
| Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Data and Information Management | Preventive | |
| Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [An organization is not required to obtain affirmative express consent (opt in) with respect to sensitive data where the processing is: carried out in the course of legitimate activities by a foundation, association or any other non-profit body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to the persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; § III.1.a.iv. {Notice Principle} For occasional employment-related operational needs of the Privacy Shield organization with respect to personal data transferred under the Privacy Shield, such as the booking of a flight, hotel room, or insurance coverage, transfers of personal data of a small number of employees can take place to controllers without application of the Access Principle or entering into a contract with the third-party controller, as otherwise required under the Accountability for Onward Transfer Principle, provided that the Privacy Shield organization has complied with the Notice and Choice Principles. § III.9.e.i. {due diligence review} {statutory requirements} The activities of auditors and investment bankers may involve processing personal data without the consent or knowledge of the individual. This is permitted by the Notice, Choice, and Access Principles under the circumstances described below. Public stock corporations and closely held companies, including Privacy Shield organizations, are regularly subject to audits. Such audits, particularly those looking into potential wrongdoing, may be jeopardized if disclosed prematurely. Similarly, a Privacy Shield organization involved in a potential merger or takeover will need to perform, or be the subject of, a "due diligence" review. This will often entail the collection and processing of personal data, such as information on senior executives and other key personnel. Premature disclosure could impede the transaction or even violate applicable securities regulation. Investment bankers and attorneys engaged in due diligence, or auditors conducting an audit, may process information without knowledge of the individual only to the extent and for the period necessary to meet statutory or public interest requirements and in other circumstances in which the application of these Principles would prejudice the legitimate interests of the organization. These legitimate interests include the monitoring of organizations' compliance with their legal obligations and legitimate accounting activities, and the need for confidentiality connected with possible acquisitions, mergers, joint ventures, or other similar transactions carried out by investment bankers or auditors. § III.4.b. To the extent and for the period necessary to avoid prejudicing the ability of the organization in making promotions, appointments, or other similar employment decisions, an organization does not need to offer notice and choice. § III.9.b.iv.] | Data and Information Management | Preventive | |
| Process traffic data in a controlled manner. CC ID 00130 | Data and Information Management | Preventive | |
| Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 | Data and Information Management | Preventive | |
| Process personal data when it is publicly accessible. CC ID 00187 [An organization is not required to obtain affirmative express consent (opt in) with respect to sensitive data where the processing is: related to data that are manifestly made public by the individual. § III.1.a.vi.] | Data and Information Management | Preventive | |
| Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Data and Information Management | Preventive | |
| Refrain from processing personal data for marketing or advertising to children. CC ID 14010 | Business Processes | Preventive | |
| Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 | Communicate | Corrective | |
| Process personal data for the purposes of employment. CC ID 16527 | Data and Information Management | Preventive | |
| Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 | Data and Information Management | Preventive | |
| Process personal data for debt collection or benefit payments. CC ID 00190 | Data and Information Management | Preventive | |
| Process personal data in order to advance the public interest. CC ID 00191 | Data and Information Management | Preventive | |
| Process personal data for surveys, archives, or scientific research. CC ID 00192 [Participants may decide or be asked to withdraw from a clinical trial at any time. Any personal data collected previous to withdrawal may still be processed along with other data collected as part of the clinical trial, however, if this was made clear to the participant in the notice at the time he or she agreed to participate. § III.14.c.i.] | Data and Information Management | Preventive | |
| Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Data and Information Management | Preventive | |
| Process personal data for academic purposes or religious purposes. CC ID 00194 | Data and Information Management | Preventive | |
| Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Data and Information Management | Preventive | |
| Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Data and Information Management | Preventive | |
| Follow legal obligations while processing personal data. CC ID 04794 | Data and Information Management | Preventive | |
| Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Data and Information Management | Preventive | |
| Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 | Data and Information Management | Preventive | |
| Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 | Process or Activity | Preventive | |
| Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 | Data and Information Management | Preventive | |
| Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 | Data and Information Management | Preventive | |
| Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 | Data and Information Management | Preventive | |
| Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 | Data and Information Management | Preventive | |
| Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 | Data and Information Management | Preventive | |
| Process personal data absent consent in order to perform a contract. CC ID 13586 | Data and Information Management | Preventive | |
| Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 | Data and Information Management | Preventive | |
| Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 | Data and Information Management | Preventive | |
| Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is needed by law. CC ID 13577 | Data and Information Management | Preventive | |
| Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is from publicly available information. CC ID 13576 | Data and Information Management | Preventive | |
| Process personal data absent consent to create a credit report. CC ID 15288 | Data and Information Management | Preventive | |
| Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 | Data and Information Management | Preventive | |
| Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 | Data and Information Management | Preventive | |
| Process personal data absent consent when produced for business purposes. CC ID 13563 | Data and Information Management | Preventive | |
| Process personal data absent consent for handling insurance claims. CC ID 13561 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 | Data and Information Management | Preventive | |
| Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 | Data and Information Management | Preventive | |
| Process personal data absent consent for life-threatening emergencies. CC ID 13558 | Data and Information Management | Preventive | |
| Process personal data absent consent for reasonable investigative purposes. CC ID 13557 | Data and Information Management | Preventive | |
| Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 [This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party. § II.1.b. {Notice Principle}{Choice Principle} A U.S. organization that has received employee information from the EU under the Privacy Shield may disclose it to third parties or use it for different purposes only in accordance with the Notice and Choice Principles. For example, where an organization intends to use personal information collected through the employment relationship for non-employment-related purposes, such as marketing communications, the U.S. organization must provide the affected individuals with the requisite choice before doing so, unless they have already authorized the use of the information for such purposes. Moreover, such choices must not be used to restrict employment opportunities or take any punitive action against such employees. § III.9.b.i.] | Behavior | Preventive | |
| Define security breach notification requirement exceptions. CC ID 04797 | Establish/Maintain Documentation | Preventive | |
| Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 | Communicate | Corrective | |
| Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 | Records Management | Preventive | |
| Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 | Communicate | Corrective | |
| Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 | Data and Information Management | Preventive | |
| Define what restricted data is not required to be disclosed absent consent. CC ID 00134 | Establish/Maintain Documentation | Preventive | |
| Define the exceptions to disclosure absent consent. CC ID 00135 | Establish/Maintain Documentation | Preventive | |
| Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 | Data and Information Management | Detective | |
| Define opt-out exceptions for disclosing restricted data. CC ID 00159 [{pharmaceutical company} {Notice Principle} {Choice Principle} {Accountability for Onward Transfer Principle} {Access Principle} A pharmaceutical or medical device company does not have to apply the Privacy Shield Principles with respect to the Notice, Choice, Accountability for Onward Transfer, and Access Principles in its product safety and efficacy monitoring activities, including the reporting of adverse events and the tracking of patients/subjects using certain medicines or medical devices, to the extent that adherence to the Principles interferes with compliance with regulatory requirements. This is true both with respect to reports by, for example, health care providers to pharmaceutical and medical device companies, and with respect to reports by pharmaceutical and medical device companies to government agencies like the Food and Drug Administration. § III.14.f.i.] | Establish/Maintain Documentation | Preventive | |
| Define how a data subject may give consent. CC ID 00160 | Establish/Maintain Documentation | Preventive | |
| Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 | Data and Information Management | Preventive | |
| Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 | Communicate | Preventive | |
| Disclose restricted data absent consent when the law does not require consent. CC ID 00136 | Data and Information Management | Preventive | |
| Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 | Data and Information Management | Preventive | |
| Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 | Data and Information Management | Preventive | |
| Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 | Data and Information Management | Preventive | |
| Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 | Data and Information Management | Preventive | |
| Disclose personal data absent consent to create a credit report. CC ID 15297 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 | Data and Information Management | Preventive | |
| Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 | Data and Information Management | Preventive | |
| Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 | Data and Information Management | Preventive | |
| Disclose personal data absent consent for handling insurance claims. CC ID 13585 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 | Data and Information Management | Preventive | |
| Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent in order to perform a contract. CC ID 00139 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 | Data and Information Management | Preventive | |
| Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 | Data and Information Management | Preventive | |
| Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 | Data and Information Management | Preventive | |
| Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 | Data and Information Management | Preventive | |
| Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 | Data and Information Management | Preventive | |
| Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent for public economic interests. CC ID 00148 | Data and Information Management | Preventive | |
| Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 [{Notice Principle}{Choice Principle}{Accountability for Onward Transfer Principle} It is not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to public record information, as long as it is not combined with non-public record information, and any conditions for consultation established by the relevant jurisdiction are respected. Also, it is generally not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to publicly available information unless the European transferor indicates that such information is subject to restrictions that require application of those Principles by the organization for the uses it intends. Organizations will have no liability for how such information is used by those obtaining such information from published materials. § III.15.b.] | Data and Information Management | Preventive | |
| Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 | Data and Information Management | Preventive | |
| Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 | Establish/Maintain Documentation | Detective | |
| Disclose restricted data absent consent when it is needed by law. CC ID 00163 [An organization is not required to obtain affirmative express consent (opt in) with respect to sensitive data where the processing is: necessary to carry out the organization's obligations in the field of employment law; or § III.1.a.v. {Notice Principle}{Choice Principle}{personal data transfer} Pharmaceutical and medical device companies are allowed to provide personal data from clinical trials conducted in the EU to regulators in the United States for regulatory and supervision purposes. Similar transfers are allowed to parties other than regulators, such as company locations and other researchers, consistent with the Principles of Notice and Choice. § III.14.d.i. {shall not impair} Absence of notice in accordance with point (a)(xii) of the Notice Principle shall not prevent or impair an organization's ability to respond to any lawful request. § III.16.c.] | Data and Information Management | Preventive | |
| Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 | Data and Information Management | Preventive | |
| Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 | Data and Information Management | Preventive | |
| Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 | Communicate | Preventive | |
| Establish, implement, and maintain restricted data retention procedures. CC ID 00167 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain personal data disposition procedures. CC ID 13498 | Establish/Maintain Documentation | Preventive | |
| Capture personal data removal requests. CC ID 13507 | Communicate | Preventive | |
| Remove personal data from records after receiving a personal data removal request. CC ID 11972 | Records Management | Preventive | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Process or Activity | Preventive | |
| Dispose of personal data removal requests, as necessary. CC ID 13512 | Business Processes | Preventive | |
| Limit the redisclosure and reuse of restricted data. CC ID 00168 | Data and Information Management | Preventive | |
| Refrain from redisclosing or reusing restricted data. CC ID 00169 | Data and Information Management | Preventive | |
| Document the redisclosing restricted data exceptions. CC ID 00170 | Establish/Maintain Documentation | Preventive | |
| Redisclose restricted data when the data subject consents. CC ID 00171 | Data and Information Management | Preventive | |
| Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 | Data and Information Management | Preventive | |
| Redisclose restricted data in order to protect public revenue. CC ID 00173 | Data and Information Management | Preventive | |
| Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 | Data and Information Management | Preventive | |
| Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 | Data and Information Management | Preventive | |
| Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 | Data and Information Management | Preventive | |
| Redisclose restricted data in order to preserve human life at sea. CC ID 00177 | Data and Information Management | Preventive | |
| Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 [For sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), organizations must obtain affirmative express consent (opt in) from individuals if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt- in choice. In addition, an organization should treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive. § II.2.c.] | Data and Information Management | Preventive | |
| Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 | Data and Information Management | Preventive | |
| Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Data and Information Management | Preventive | |
| Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Data and Information Management | Preventive | |
| Process Personal Identification Numbers with consent. CC ID 00239 | Data and Information Management | Preventive | |
| Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Behavior | Preventive | |
| Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Data and Information Management | Preventive | |
| Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Data and Information Management | Preventive | |
| Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Data and Information Management | Preventive | |
| Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Data and Information Management | Preventive | |
| Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Establish/Maintain Documentation | Preventive | |
| Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Data and Information Management | Preventive | |
| Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Data and Information Management | Preventive | |
| Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Data and Information Management | Preventive | |
| Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Data and Information Management | Preventive | |
| Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 | Data and Information Management | Preventive | |
| Establish, implement, and maintain data disclosure procedures. CC ID 00133 [{is not used} For example, if the personal information is used for decisions that will significantly affect the individual, then consistent with the other provisions of these Supplemental Principles, the organization would have to disclose that information even if it is relatively difficult or expensive to provide. If the personal information requested is not sensitive or not used for decisions that will significantly affect the individual, but is readily available and inexpensive to provide, an organization would have to provide access to such information. § III.8.b.ii.] | Establish/Maintain Documentation | Preventive | |
| Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Data and Information Management | Preventive | |
| Review personal data disclosure requests. CC ID 07129 | Data and Information Management | Preventive | |
| Notify the data subject of the disclosure purpose. CC ID 15268 | Communicate | Preventive | |
| Establish, implement, and maintain data request denial procedures. CC ID 00434 [{personal data access request} An organization which claims an exception has the burden of demonstrating its necessity, and the reasons for restricting access and a contact point for further inquiries should be given to individuals. § III.8.e.ii. {pharmaceutical company} {Notice Principle} {Choice Principle} {Accountability for Onward Transfer Principle} {Access Principle} A pharmaceutical or medical device company does not have to apply the Privacy Shield Principles with respect to the Notice, Choice, Accountability for Onward Transfer, and Access Principles in its product safety and efficacy monitoring activities, including the reporting of adverse events and the tracking of patients/subjects using certain medicines or medical devices, to the extent that adherence to the Principles interferes with compliance with regulatory requirements. This is true both with respect to reports by, for example, health care providers to pharmaceutical and medical device companies, and with respect to reports by pharmaceutical and medical device companies to government agencies like the Food and Drug Administration. § III.14.f.i.] | Establish/Maintain Documentation | Preventive | |
| Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Data and Information Management | Preventive | |
| Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Data and Information Management | Preventive | |
| Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Data and Information Management | Preventive | |
| Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Data and Information Management | Preventive | |
| Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Data and Information Management | Preventive | |
| Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Data and Information Management | Preventive | |
| Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [Confidential commercial information is information that an organization has taken steps to protect from disclosure, where disclosure would help a competitor in the market. Organizations may deny or limit access to the extent that granting full access would reveal its own confidential commercial information, such as marketing inferences or classifications generated by the organization, or the confidential commercial information of another that is subject to a contractual obligation of confidentiality. § III.8.c.i. {personal data} Other reasons for denying or limiting access are: prejudicing the confidentiality necessary in monitoring, inspection or regulatory functions connected with sound management, or in future or ongoing negotiations involving the organization. § III.8.e.i.5.] | Data and Information Management | Preventive | |
| Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Data and Information Management | Preventive | |
| Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Data and Information Management | Preventive | |
| Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Process or Activity | Preventive | |
| Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Data and Information Management | Preventive | |
| Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Data and Information Management | Preventive | |
| Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 [As organizations must always make good faith efforts to provide individuals with access to their personal data, the circumstances in which organizations may restrict such access are limited, and any reasons for restricting access must be specific. As under the Directive, an organization can restrict access to information to the extent that disclosure is likely to interfere with the safeguarding of important countervailing public interests, such as national security; defense; or public security. In addition, where personal information is processed solely for research or statistical purposes, access may be denied. Other reasons for denying or limiting access are: § III.8.e.i. {clinical trial}{personal data} Agreement to participate in the trial under these conditions is a reasonable forgoing of the right of access. Following the conclusion of the trial and analysis of the results, participants should have access to their data if they request it. They should seek it primarily from the physician or other health care provider from whom they received treatment within the clinical trial, or secondarily from the sponsoring organization. § III.14.e.ii. To ensure objectivity in many clinical trials, participants, and often investigators as well, cannot be given access to information about which treatment each participant may be receiving. Doing so would jeopardize the validity of the research study and results. Participants in such clinical trials (referred to as "blinded" studies) do not have to be provided access to the data on their treatment during the trial if this restriction has been explained when the participant entered the trial and the disclosure of such information would jeopardize the integrity of the research effort. § III.14.e.i.] | Data and Information Management | Preventive | |
| Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Data and Information Management | Detective | |
| Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 [The right of access to personal data may be restricted in exceptional circumstances where the legitimate rights of persons other than the individual would be violated or where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question. Expense and burden are important factors and should be taken into account but they are not controlling factors in determining whether providing access is reasonable. § III.8.b.i. {personal data} Other reasons for denying or limiting access are: disclosure where the legitimate rights or important interests of others would be violated; § III.8.e.i.2.] | Data and Information Management | Preventive | |
| Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Data and Information Management | Preventive | |
| Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 [As organizations must always make good faith efforts to provide individuals with access to their personal data, the circumstances in which organizations may restrict such access are limited, and any reasons for restricting access must be specific. As under the Directive, an organization can restrict access to information to the extent that disclosure is likely to interfere with the safeguarding of important countervailing public interests, such as national security; defense; or public security. In addition, where personal information is processed solely for research or statistical purposes, access may be denied. Other reasons for denying or limiting access are: § III.8.e.i.] | Data and Information Management | Preventive | |
| Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 [{personal data} Other reasons for denying or limiting access are: interference with the execution or enforcement of the law or with private causes of action, including the prevention, investigation or detection of offenses or the right to a fair trial; § III.8.e.i.1.] | Data and Information Management | Preventive | |
| Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Data and Information Management | Preventive | |
| Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 [{personal data} Other reasons for denying or limiting access are: prejudicing employee security investigations or grievance proceedings or in connection with employee succession planning and corporate re-organizations; or § III.8.e.i.4.] | Data and Information Management | Preventive | |
| Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 [{personal data} Other reasons for denying or limiting access are: prejudicing employee security investigations or grievance proceedings or in connection with employee succession planning and corporate re-organizations; or § III.8.e.i.4.] | Data and Information Management | Preventive | |
| Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 [The right of access to personal data may be restricted in exceptional circumstances where the legitimate rights of persons other than the individual would be violated or where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question. Expense and burden are important factors and should be taken into account but they are not controlling factors in determining whether providing access is reasonable. § III.8.b.i.] | Data and Information Management | Preventive | |
| Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [Consistent with the fundamental nature of access, organizations should always make good faith efforts to provide access. For example, where certain information needs to be protected and can be readily separated from other personal information subject to an access request, the organization should redact the protected information and make available the other information. If an organization determines that access should be restricted in any particular instance, it should provide the individual requesting access with an explanation of why it has made that determination and a contact point for any further inquiries. § III.8.a.iii. {personal data access request} An organization which claims an exception has the burden of demonstrating its necessity, and the reasons for restricting access and a contact point for further inquiries should be given to individuals. § III.8.e.ii.] | Data and Information Management | Preventive | |
| Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Communicate | Preventive | |
| Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Data and Information Management | Preventive | |
| Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 [{personal data} Other reasons for denying or limiting access are: breaching a legal or other professional privilege or obligation; § III.8.e.i.3.] | Process or Activity | Preventive | |
| Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [{is not used} For example, if the personal information is used for decisions that will significantly affect the individual, then consistent with the other provisions of these Supplemental Principles, the organization would have to disclose that information even if it is relatively difficult or expensive to provide. If the personal information requested is not sensitive or not used for decisions that will significantly affect the individual, but is readily available and inexpensive to provide, an organization would have to provide access to such information. § III.8.b.ii.] | Data and Information Management | Preventive | |
| Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 [{personal data} An organization is not required to provide access unless it is supplied with sufficient information to allow it to confirm the identity of the person making the request. § III.8.h.i. {ability} Generally, the purpose of the Choice Principle is to ensure that personal information is used and disclosed in ways that are consistent with the individual's expectations and choices. Accordingly, an individual should be able to exercise "opt out" choice of having personal information used for direct marketing at any time subject to reasonable limits established by the organization, such as giving the organization time to make the opt out effective. An organization may also require sufficient information to confirm the identity of the individual requesting the "opt out." In the United States, individuals may be able to exercise this option through the use of a central "opt out" program such as the Direct Marketing Association's Mail Preference Service. Organizations that participate in the Direct Marketing Association's Mail Preference Service should promote its availability to consumers who do not wish to receive commercial information. In any event, an individual should be given a readily available and affordable mechanism to exercise this option. § III.12.a.] | Data and Information Management | Preventive | |
| Notify that data subject of any exclusions to requested personal data. CC ID 15271 | Communicate | Preventive | |
| Provide data or records in a reasonable time frame. CC ID 00429 [An organization may set reasonable limits on the number of times within a given period that access requests from a particular individual will be met. In setting such limitations, an organization should consider such factors as the frequency with which information is updated, the purpose for which the data are used, and the nature of the information. § III.8.g.i.] | Data and Information Management | Preventive | |
| Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 | Communicate | Preventive | |
| Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Data and Information Management | Preventive | |
| Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Data and Information Management | Preventive | |
| Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Data and Information Management | Preventive | |
| Provide data at a cost that is not excessive. CC ID 00430 [An individual has the right to obtain confirmation of whether or not this organization has personal data relating to him or her. An individual also has the right to have communicated to him or her personal data relating to him or her. An organization may charge a fee that is not excessive. § III.8.f.i. Charging a fee may be justified, for example, where requests for access are manifestly excessive, in particular because of their repetitive character. § III.8.f.ii. As with public record information, it is not necessary to provide access to information that is already publicly available to the public at large, as long as it is not combined with non-publicly available information. Organizations that are in the business of selling publicly available information may charge the organization's customary fee in responding to requests for access. Alternatively, individuals may seek access to their information from the organization that originally compiled the data. § III.15.e.] | Data and Information Management | Preventive | |
| Provide records or data in a reasonable manner. CC ID 00431 [As organizations must always make good faith efforts to provide individuals with access to their personal data, the circumstances in which organizations may restrict such access are limited, and any reasons for restricting access must be specific. As under the Directive, an organization can restrict access to information to the extent that disclosure is likely to interfere with the safeguarding of important countervailing public interests, such as national security; defense; or public security. In addition, where personal information is processed solely for research or statistical purposes, access may be denied. Other reasons for denying or limiting access are: § III.8.e.i. Where confidential commercial information can be readily separated from other personal information subject to an access request, the organization should redact the confidential commercial information and make available the non-confidential information. § III.8.c.ii. {personal data access request} Organizations should respond to access requests within a reasonable time period, in a reasonable manner, and in a form that is readily intelligible to the individual. An organization that provides information to data subjects at regular intervals may satisfy an individual access request with its regular disclosure if it would not constitute an excessive delay. § III.8.i.i.] | Data and Information Management | Preventive | |
| Provide personal data in a form that is intelligible. CC ID 00432 [{personal data access request} Organizations should respond to access requests within a reasonable time period, in a reasonable manner, and in a form that is readily intelligible to the individual. An organization that provides information to data subjects at regular intervals may satisfy an individual access request with its regular disclosure if it would not constitute an excessive delay. § III.8.i.i.] | Data and Information Management | Preventive | |
| Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Data and Information Management | Preventive | |
| Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Data and Information Management | Preventive | |
| Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Data and Information Management | Preventive | |
| Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Establish/Maintain Documentation | Preventive | |
| Include cookie management in the privacy framework. CC ID 13809 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain cookie management procedures. CC ID 13810 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Establish/Maintain Documentation | Preventive | |
| Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 | Data and Information Management | Preventive | |
| Refrain from collecting personal data, as necessary. CC ID 15269 | Data and Information Management | Preventive | |
| Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 | Business Processes | Detective | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data use policy. CC ID 00076 | Establish/Maintain Documentation | Preventive | |
| Use personal data for specified purposes. CC ID 11831 [{is accurate} {is complete} {is current} Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. An organization must adhere to the Principles for as long as it retains such information. § II.5.a. {is accurate} {is complete} {is current} Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. An organization must adhere to the Principles for as long as it retains such information. § II.5.a.] | Data and Information Management | Preventive | |
| Post the collection purpose. CC ID 00101 | Establish/Maintain Documentation | Preventive | |
| Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 | Data and Information Management | Preventive | |
| Document each individual's personal data collection consent preferences. CC ID 06945 | Establish/Maintain Documentation | Preventive | |
| Provide explicit consent that is clear and unambiguous. CC ID 00181 | Data and Information Management | Preventive | |
| Allow individuals to change their personal data collection consent preferences. CC ID 06946 | Data and Information Management | Preventive | |
| Adhere to each individual's personal data collection consent preferences. CC ID 06947 [In addition, employers should make reasonable efforts to accommodate employee privacy preferences. This could include, for example, restricting access to the personal data, anonymizing certain data, or assigning codes or pseudonyms when the actual names are not required for the management purpose at hand. § III.9.b.iii.] | Data and Information Management | Preventive | |
| Notify the data subject of the source of collected personal data. CC ID 00083 | Behavior | Preventive | |
| Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 | Data and Information Management | Preventive | |
| Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 | Data and Information Management | Preventive | |
| Establish and maintain a personal data definition. CC ID 00028 | Establish/Maintain Documentation | Preventive | |
| Include an individual's name in the personal data definition. CC ID 04710 | Data and Information Management | Preventive | |
| Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 | Data and Information Management | Preventive | |
| Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 | Data and Information Management | Preventive | |
| Include an individual's signature in the personal data definition. CC ID 04711 | Data and Information Management | Preventive | |
| Include an individual's date of birth in the personal data definition. CC ID 04770 | Data and Information Management | Preventive | |
| Include the number of children in the personal data definition. CC ID 13759 | Establish/Maintain Documentation | Preventive | |
| Include the individual's religion in the personal data definition. CC ID 13765 | Establish/Maintain Documentation | Preventive | |
| Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 | Data and Information Management | Preventive | |
| Include an individual's biometric data in the personal data definition. CC ID 04698 | Data and Information Management | Preventive | |
| Include an individual's photographic image in the personal data definition. CC ID 04779 | Data and Information Management | Preventive | |
| Include an individual's fingerprints in the personal data definition. CC ID 04689 | Data and Information Management | Preventive | |
| Include an individual's address in the personal data definition. CC ID 04687 | Data and Information Management | Preventive | |
| Include an individual's telephone number in the personal data definition. CC ID 04688 | Data and Information Management | Preventive | |
| Include an individual's fax number in the personal data definition. CC ID 07120 | Data and Information Management | Preventive | |
| Include an individual's political party affiliation in the personal data definition. CC ID 13764 | Establish/Maintain Documentation | Preventive | |
| Include an individual's license plate number in the personal data definition. CC ID 13763 | Establish/Maintain Documentation | Preventive | |
| Include an individual's financial account number in the personal data definition. CC ID 04692 | Data and Information Management | Preventive | |
| Include an individual's account balances in the personal data definition. CC ID 13770 | Establish/Maintain Documentation | Preventive | |
| Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 | Data and Information Management | Preventive | |
| Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 | Data and Information Management | Preventive | |
| Include an individual's logon credentials in the personal data definition. CC ID 13771 | Establish/Maintain Documentation | Preventive | |
| Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 | Data and Information Management | Preventive | |
| Include an individual's passport number in the personal data definition. CC ID 04713 | Data and Information Management | Preventive | |
| Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 | Data and Information Management | Preventive | |
| Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 | Data and Information Management | Preventive | |
| Include an individual's military identification number in the personal data definition. CC ID 13083 | Establish/Maintain Documentation | Preventive | |
| Include an individual's e-mail address in the personal data definition. CC ID 04696 | Data and Information Management | Preventive | |
| Include electronic signatures in the personal data definition. CC ID 04697 | Data and Information Management | Preventive | |
| Include an individual's payment card information in the personal data definition. CC ID 04751 | Data and Information Management | Preventive | |
| Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 | Data and Information Management | Preventive | |
| Include an individual's payment card service code in the personal data definition. CC ID 04753 | Data and Information Management | Preventive | |
| Include an individual's payment card expiration date in the personal data definition. CC ID 04755 | Data and Information Management | Preventive | |
| Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 | Data and Information Management | Preventive | |
| Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 | Data and Information Management | Preventive | |
| Include an individual's medical history in the personal data definition. CC ID 04701 | Data and Information Management | Preventive | |
| Include an individual's medical treatment in the personal data definition. CC ID 04702 | Data and Information Management | Preventive | |
| Include an individual's medical diagnosis in the personal data definition. CC ID 04703 | Data and Information Management | Preventive | |
| Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 | Data and Information Management | Preventive | |
| Include an individual's medical record numbers in the personal data definition. CC ID 07121 | Data and Information Management | Preventive | |
| Include an individual's health insurance information in the personal data definition. CC ID 04705 | Data and Information Management | Preventive | |
| Include an individual's health insurance policy number in the personal data definition. CC ID 04706 | Data and Information Management | Preventive | |
| Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 | Data and Information Management | Preventive | |
| Include an individual's education information in the personal data definition. CC ID 04714 | Data and Information Management | Preventive | |
| Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 | Data and Information Management | Preventive | |
| Include an individual's employment information in the personal data definition. CC ID 04715 | Data and Information Management | Preventive | |
| Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 | Data and Information Management | Preventive | |
| Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 | Data and Information Management | Preventive | |
| Include an individual's employment history in the personal data definition. CC ID 04716 | Data and Information Management | Preventive | |
| Include an individual's place of employment in the personal data definition. CC ID 04765 | Data and Information Management | Preventive | |
| Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 | Data and Information Management | Preventive | |
| Include an individual's property information in the personal data definition. CC ID 04780 | Data and Information Management | Preventive | |
| Include an individual's property title in the personal data definition. CC ID 04781 | Data and Information Management | Preventive | |
| Include an individual's vehicle registration in the personal data definition. CC ID 04782 | Data and Information Management | Preventive | |
| Include hardware asset identification information in the personal data definition. CC ID 07123 | Data and Information Management | Preventive | |
| Include MAC addresses in the personal data definition. CC ID 04778 | Data and Information Management | Preventive | |
| Include Internet Protocol addresses in the personal data definition. CC ID 04777 | Data and Information Management | Preventive | |
| Include asset serial numbers in the personal data definition. CC ID 07124 | Data and Information Management | Preventive | |
| Include Uniform Resource Locators in the personal data definition. CC ID 07125 | Data and Information Management | Preventive | |
| Refrain from including publicly available information in the personal data definition. CC ID 13084 | Establish/Maintain Documentation | Preventive | |
| Define specially restricted data. CC ID 00037 | Data and Information Management | Preventive | |
| Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Data and Information Management | Preventive | |
| Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 | Data and Information Management | Preventive | |
| Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 | Data and Information Management | Preventive | |
| Implement a nondiscrimination principle. CC ID 00081 | Data and Information Management | Preventive | |
| Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 | Data and Information Management | Preventive | |
| Preserve each individual's right to human dignity. CC ID 00082 | Data and Information Management | Preventive | |
| Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 | Data and Information Management | Preventive | |
| Employ a random number generator to create authenticators. CC ID 13782 | Technical Security | Preventive | |
| Collect Personal Identification Numbers with the individual's consent. CC ID 00059 | Data and Information Management | Preventive | |
| Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 | Data and Information Management | Preventive | |
| Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 | Data and Information Management | Preventive | |
| Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 | Data and Information Management | Preventive | |
| Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 | Behavior | Preventive | |
| Manage health data collection. CC ID 00050 | Data and Information Management | Preventive | |
| Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 | Data and Information Management | Preventive | |
| Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 | Data and Information Management | Preventive | |
| Collect Individually Identifiable Health Information for research. CC ID 00054 | Data and Information Management | Preventive | |
| Remove personal data before disclosing health data. CC ID 00055 | Data and Information Management | Preventive | |
| Give special attention to collecting children's data. CC ID 00038 | Data and Information Management | Preventive | |
| Use simple understandable language to collect information from children. CC ID 00039 | Behavior | Preventive | |
| Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Establish/Maintain Documentation | Preventive | |
| Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Data and Information Management | Preventive | |
| Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Establish/Maintain Documentation | Preventive | |
| Collect personal data directly from the data subject. CC ID 00011 | Data and Information Management | Preventive | |
| Create and manage user account aliases to maintain pseudonymity. CC ID 04549 | Data and Information Management | Preventive | |
| Provide unlinkability for users and resources. CC ID 04550 | Data and Information Management | Preventive | |
| Provide unobservability of users and resources. CC ID 04551 | Technical Security | Preventive | |
| Confirm the data quality of personal data collected from third parties. CC ID 13510 | Investigate | Detective | |
| Collect restricted data in a fair and lawful manner. CC ID 00010 | Data and Information Management | Preventive | |
| Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 | Data and Information Management | Preventive | |
| Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 [An organization is not required to obtain affirmative express consent (opt in) with respect to sensitive data where the processing is: in the vital interests of the data subject or another person; § III.1.a.i.] | Data and Information Management | Preventive | |
| Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 | Data and Information Management | Preventive | |
| Collect personal data absent consent in order to make a disclosure. CC ID 13550 | Data and Information Management | Preventive | |
| Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 | Data and Information Management | Preventive | |
| Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 | Data and Information Management | Preventive | |
| Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 | Data and Information Management | Preventive | |
| Collect personal data absent consent for handling insurance claims. CC ID 13543 | Data and Information Management | Preventive | |
| Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 | Data and Information Management | Preventive | |
| Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 | Data and Information Management | Preventive | |
| Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 | Data and Information Management | Preventive | |
| Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 | Data and Information Management | Preventive | |
| Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 | Data and Information Management | Preventive | |
| Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 | Data and Information Management | Preventive | |
| Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 [Personal information that is gathered for publication, broadcast, or other forms of public communication of journalistic material, whether used or not, as well as information found in previously published material disseminated from media archives, is not subject to the requirements of the Privacy Shield Principles. § III.2.b.] | Data and Information Management | Preventive | |
| Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 | Data and Information Management | Preventive | |
| Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 | Data and Information Management | Preventive | |
| Collect restricted data absent consent from publicly available information. CC ID 00019 [{Notice Principle}{Choice Principle}{Accountability for Onward Transfer Principle} It is not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to public record information, as long as it is not combined with non-public record information, and any conditions for consultation established by the relevant jurisdiction are respected. Also, it is generally not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to publicly available information unless the European transferor indicates that such information is subject to restrictions that require application of those Principles by the organization for the uses it intends. Organizations will have no liability for how such information is used by those obtaining such information from published materials. § III.15.b.] | Data and Information Management | Preventive | |
| Collect restricted data absent consent when needed by law. CC ID 00020 [{pharmaceutical company} {Notice Principle} {Choice Principle} {Accountability for Onward Transfer Principle} {Access Principle} A pharmaceutical or medical device company does not have to apply the Privacy Shield Principles with respect to the Notice, Choice, Accountability for Onward Transfer, and Access Principles in its product safety and efficacy monitoring activities, including the reporting of adverse events and the tracking of patients/subjects using certain medicines or medical devices, to the extent that adherence to the Principles interferes with compliance with regulatory requirements. This is true both with respect to reports by, for example, health care providers to pharmaceutical and medical device companies, and with respect to reports by pharmaceutical and medical device companies to government agencies like the Food and Drug Administration. § III.14.f.i.] | Data and Information Management | Preventive | |
| Collect personal data absent consent to create a credit report. CC ID 15287 | Data and Information Management | Preventive | |
| Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 | Data and Information Management | Preventive | |
| Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 | Data and Information Management | Preventive | |
| Collect the minimum amount of restricted data necessary. CC ID 00078 | Data and Information Management | Preventive | |
| Collect restricted data in a proper information framework. CC ID 00009 | Data and Information Management | Preventive | |
| Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 | Data and Information Management | Preventive | |
| Collect restricted data when required by law. CC ID 00031 | Data and Information Management | Preventive | |
| Collect restricted data to prevent life-threatening emergencies. CC ID 00032 | Data and Information Management | Preventive | |
| Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 [An organization is not required to obtain affirmative express consent (opt in) with respect to sensitive data where the processing is: carried out in the course of legitimate activities by a foundation, association or any other non-profit body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to the persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; § III.1.a.iv.] | Data and Information Management | Preventive | |
| Collect restricted data for legal purposes. CC ID 00036 | Data and Information Management | Preventive | |
| Review the methods for collecting personal data, as necessary. CC ID 13511 | Investigate | Detective | |
| Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 | Communicate | Preventive | |
| Provide the data subject with the data collector's name and contact information. CC ID 00024 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Establish/Maintain Documentation | Preventive | |
| Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Data and Information Management | Preventive | |
| Protect electronic messaging information. CC ID 12022 | Technical Security | Preventive | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 [{Department of Commerce} {adequate protection} An organization must subject to the Privacy Shield Principles all personal data received from the EU in reliance upon the Privacy Shield. The undertaking to adhere to the Privacy Shield Principles is not time-limited in respect of personal data received during the period in which the organization enjoys the benefits of the Privacy Shield. Its undertaking means that it will continue to apply the Principles to such data for as long as the organization stores, uses or discloses them, even if it subsequently leaves the Privacy Shield for any reason. An organization that withdraws from the Privacy Shield but wants to retain such data must affirm to the Department on an annual basis its commitment to continue to apply the Principles or provide "adequate" protection for the information by another authorized means (for example, using a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission); otherwise, the organization must return or delete the information. An organization that withdraws from the Privacy Shield must remove from any relevant privacy policy any references to the Privacy Shield that imply that the organization continues to actively participate in the Privacy Shield and is entitled to its benefits. § III.6.f. {Department of Commerce} {adequate protection} An organization must subject to the Privacy Shield Principles all personal data received from the EU in reliance upon the Privacy Shield. The undertaking to adhere to the Privacy Shield Principles is not time-limited in respect of personal data received during the period in which the organization enjoys the benefits of the Privacy Shield. Its undertaking means that it will continue to apply the Principles to such data for as long as the organization stores, uses or discloses them, even if it subsequently leaves the Privacy Shield for any reason. An organization that withdraws from the Privacy Shield but wants to retain such data must affirm to the Department on an annual basis its commitment to continue to apply the Principles or provide "adequate" protection for the information by another authorized means (for example, using a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission); otherwise, the organization must return or delete the information. An organization that withdraws from the Privacy Shield must remove from any relevant privacy policy any references to the Privacy Shield that imply that the organization continues to actively participate in the Privacy Shield and is entitled to its benefits. § III.6.f.] | Data and Information Management | Preventive | |
| Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Configuration | Preventive | |
| Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Testing | Detective | |
| Store payment card data in secure chips, if possible. CC ID 13065 | Configuration | Preventive | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Configuration | Preventive | |
| Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Technical Security | Preventive | |
| Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Data and Information Management | Preventive | |
| Log the disclosure of personal data. CC ID 06628 | Log Management | Preventive | |
| Log the modification of personal data. CC ID 11844 | Log Management | Preventive | |
| Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Technical Security | Preventive | |
| Implement security measures to protect personal data. CC ID 13606 | Technical Security | Preventive | |
| Implement physical controls to protect personal data. CC ID 00355 | Testing | Preventive | |
| Limit data leakage. CC ID 00356 [{data processor} The purpose of the contract is to make sure that the processor: provides appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alternation, unauthorized disclosure or access, and understands whether onward transfer is allowed; and § III.10.a.ii.2. {Security Principle}(Data Integrity and Purpose Limitation Principle} {Recourse, Enforcement and Liability Principle} An organization must apply the Privacy Shield Principles of Security, Data Integrity and Purpose Limitation, and Recourse, Enforcement and Liability to personal data from publicly available sources. These Principles shall apply also to personal data collected from public records, i.e., those records kept by government agencies or entities at any level that are open to consultation by the public in general. § III.15.a.] | Data and Information Management | Preventive | |
| Conduct personal data risk assessments. CC ID 00357 [{unauthorized disclosure}{unauthorized alteration}{unauthorized destruction} Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data. § II.4.a.] | Testing | Detective | |
| Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Business Processes | Preventive | |
| Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Establish/Maintain Documentation | Detective | |
| Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Data and Information Management | Detective | |
| Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Data and Information Management | Detective | |
| Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Monitor and Evaluate Occurrences | Detective | |
| Perform an identity check prior to approving an account change request. CC ID 13670 | Investigate | Detective | |
| Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Behavior | Detective | |
| Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Data and Information Management | Detective | |
| Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Log Management | Detective | |
| Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Monitor and Evaluate Occurrences | Corrective | |
| Log dates for account name changes or address changes. CC ID 04876 | Log Management | Detective | |
| Review accounts that are changed for additional user requests. CC ID 11846 | Monitor and Evaluate Occurrences | Detective | |
| Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Data and Information Management | Detective | |
| Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Acquisition/Sale of Assets or Services | Preventive | |
| Search the Internet for evidence of data leakage. CC ID 10419 | Process or Activity | Detective | |
| Alert appropriate personnel when data leakage is detected. CC ID 14715 | Process or Activity | Preventive | |
| Review monitored websites for data leakage. CC ID 10593 | Monitor and Evaluate Occurrences | Detective | |
| Take appropriate action when a data leakage is discovered. CC ID 14716 | Process or Activity | Corrective | |
| Include text about data ownership in the data handling policy. CC ID 15720 | Data and Information Management | Preventive | |
| Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain call metadata controls. CC ID 04790 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 | Data and Information Management | Preventive | |
| Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Data and Information Management | Preventive | |
| Store de-identifying code and re-identifying code separately. CC ID 16535 | Data and Information Management | Preventive | |
| Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Data and Information Management | Preventive | |
| Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 | Communicate | Preventive | |
| Establish, implement, and maintain data handling procedures. CC ID 11756 | Establish/Maintain Documentation | Preventive | |
| Define personal data that falls under breach notification rules. CC ID 00800 | Establish/Maintain Documentation | Preventive | |
| Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Data and Information Management | Preventive | |
| Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Data and Information Management | Preventive | |
| Define an out of scope privacy breach. CC ID 04677 | Establish/Maintain Documentation | Preventive | |
| Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Business Processes | Preventive | |
| Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Monitor and Evaluate Occurrences | Preventive | |
| Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Monitor and Evaluate Occurrences | Preventive | |
| Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Monitor and Evaluate Occurrences | Preventive | |
| Conduct internal data processing audits. CC ID 00374 | Testing | Detective | |
| Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Communicate | Preventive | |
| Establish, implement, and maintain a personal data transfer program. CC ID 00307 [{Department of Commerce} Where the organization wishes its Privacy Shield benefits to cover human resources information transferred from the EU for use in the context of the employment relationship, it may do so where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear claims against the organization arising out of the processing of human resources information. In addition, the organization must indicate this in its self-certification submission and declare its commitment to cooperate with the EU authority or authorities concerned in conformity with the Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities as applicable and that it will comply with the advice given by such authorities. The organization must also provide the Department with a copy of its human resources privacy policy and provide information where the privacy policy is available for viewing by its affected employees. § III.6.c.] | Establish/Maintain Documentation | Preventive | |
| Obtain consent from an individual prior to transferring personal data. CC ID 06948 | Data and Information Management | Preventive | |
| Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 [{notice principle} To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles. Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles. § II.3.a. {data processor} When personal data is transferred from the EU to the United States only for processing purposes, a contract will be required, regardless of participation by the processor in the Privacy Shield. § III.10.a.i. Data controllers in the European Union are always required to enter into a contract when a transfer for mere processing is made, whether the processing operation is carried out inside or outside the EU, and whether or not the processor participates in the Privacy Shield. The purpose of the contract is to make sure that the processor: § III.10.a.ii. {personal data transfer}{do not need} For transfers between controllers, the recipient controller need not be a Privacy Shield organization or have an independent recourse mechanism. The Privacy Shield organization must enter into a contract with the recipient third-party controller that provides for the same level of protection as is available under the Privacy Shield, not including the requirement that the third party controller be a Privacy Shield organization or have an independent recourse mechanism, provided it makes available an equivalent mechanism. § III.10.c.i.] | Establish/Maintain Documentation | Preventive | |
| Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 [{personal data transfer}{do not need} For transfers between controllers, the recipient controller need not be a Privacy Shield organization or have an independent recourse mechanism. The Privacy Shield organization must enter into a contract with the recipient third-party controller that provides for the same level of protection as is available under the Privacy Shield, not including the requirement that the third party controller be a Privacy Shield organization or have an independent recourse mechanism, provided it makes available an equivalent mechanism. § III.10.c.i.] | Business Processes | Preventive | |
| Notify data subjects when their personal data is transferred. CC ID 00352 | Behavior | Preventive | |
| Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 [{Department of Commerce} To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles; (iv) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (v) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request. § II.3.b. {Notice Principle}{Choice Principle} The Privacy Principles apply immediately upon certification. Recognizing that the Principles will impact commercial relationships with third parties, organizations that certify to the Privacy Shield Framework in the first two months following the Framework's effective date shall bring existing commercial relationships with third parties into conformity with the Accountability for Onward Transfer Principle as soon as possible, and in any event no later than nine months from the date upon which they certify to the Privacy Shield. During that interim period, where organizations transfer data to a third party, they shall (i) apply the Notice and Choice Principles, and (ii) where personal data is transferred to a third party acting as an agent, ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles. § III.6.e. {liability} In the context of an onward transfer, a Privacy Shield organization has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. The Privacy Shield organization shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage. § II.7.d. Airline passenger reservation and other travel information, such as frequent flyer or hotel reservation information and special handling needs, such as meals to meet religious requirements or physical assistance, may be transferred to organizations located outside the EU in several different circumstances. Under Article 26 of the Directive, personal data may be transferred "to a third country which does not ensure an adequate level of protection within the meaning of Article 25(2)" on the condition that it (i) is necessary to provide the services requested by the consumer or to fulfill the terms of an agreement, such as a "frequent flyer" agreement; or (ii) has been unambiguously consented to by the consumer. U.S. organizations subscribing to the Privacy Shield provide adequate protection for personal data and may therefore receive data transfers from the EU without meeting these conditions or other conditions set out in Article 26 of the Directive. Since the Privacy Shield includes specific rules for sensitive information, such information (which may need to be collected, for example, in connection with customers' needs for physical assistance) may be included in transfers to Privacy Shield participants. In all cases, however, the organization transferring the information has to respect the law in the EU Member State in which it is operating, which may inter alia impose special conditions for the handling of sensitive data. § III.13.a.] | Establish/Maintain Documentation | Preventive | |
| Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 | Communicate | Preventive | |
| Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 [{Notice Principle}{Choice Principle}{personal data transfer} Pharmaceutical and medical device companies are allowed to provide personal data from clinical trials conducted in the EU to regulators in the United States for regulatory and supervision purposes. Similar transfers are allowed to parties other than regulators, such as company locations and other researchers, consistent with the Principles of Notice and Choice. § III.14.d.i.] | Data and Information Management | Preventive | |
| Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 | Data and Information Management | Preventive | |
| Prohibit the transfer of personal data when security is inadequate. CC ID 00345 [{notice principle} To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles. Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles. § II.3.a. {notice principle} To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles. Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles. § II.3.a.] | Data and Information Management | Preventive | |
| Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 | Data and Information Management | Preventive | |
| Refrain from transferring past the first transfer. CC ID 00347 | Data and Information Management | Preventive | |
| Document transfer disagreements by the data subject in writing. CC ID 00348 | Establish/Maintain Documentation | Preventive | |
| Allow the data subject the right to object to the personal data transfer. CC ID 00349 | Data and Information Management | Preventive | |
| Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 | Records Management | Preventive | |
| Follow the instructions of the data transferrer. CC ID 00334 [Where an organization in the EU transfers personal information about its employees (past or present) collected in the context of the employment relationship, to a parent, affiliate, or unaffiliated service provider in the United States participating in the Privacy Shield, the transfer enjoys the benefits of the Privacy Shield. In such cases, the collection of the information and its processing prior to transfer will have been subject to the national laws of the EU country where it was collected, and any conditions for or restrictions on its transfer according to those laws will have to be respected. § III.9.a.i. {employee information} It should be noted that certain generally applicable conditions for transfer from some EU Member States may preclude other uses of such information even after transfer outside the EU and such conditions will have to be respected. § III.9.b.ii. {data processor} The purpose of the contract is to make sure that the processor: acts only on instructions from the controller; § III.10.a.ii.1. {Notice Principle}{Choice Principle}{Accountability for Onward Transfer Principle} It is not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to public record information, as long as it is not combined with non-public record information, and any conditions for consultation established by the relevant jurisdiction are respected. Also, it is generally not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to publicly available information unless the European transferor indicates that such information is subject to restrictions that require application of those Principles by the organization for the uses it intends. Organizations will have no liability for how such information is used by those obtaining such information from published materials. § III.15.b. {Notice Principle}{Choice Principle}{Accountability for Onward Transfer Principle} It is not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to public record information, as long as it is not combined with non-public record information, and any conditions for consultation established by the relevant jurisdiction are respected. Also, it is generally not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to publicly available information unless the European transferor indicates that such information is subject to restrictions that require application of those Principles by the organization for the uses it intends. Organizations will have no liability for how such information is used by those obtaining such information from published materials. § III.15.b. {Notice Principle}{Choice Principle}{Accountability for Onward Transfer Principle} It is not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to public record information, as long as it is not combined with non-public record information, and any conditions for consultation established by the relevant jurisdiction are respected. Also, it is generally not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to publicly available information unless the European transferor indicates that such information is subject to restrictions that require application of those Principles by the organization for the uses it intends. Organizations will have no liability for how such information is used by those obtaining such information from published materials. § III.15.b.] | Behavior | Preventive | |
| Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 | Establish/Maintain Documentation | Preventive | |
| Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 [{Notice Principle}{Choice Principle}{Accountability for Onward Transfer Principle} It is not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to public record information, as long as it is not combined with non-public record information, and any conditions for consultation established by the relevant jurisdiction are respected. Also, it is generally not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to publicly available information unless the European transferor indicates that such information is subject to restrictions that require application of those Principles by the organization for the uses it intends. Organizations will have no liability for how such information is used by those obtaining such information from published materials. § III.15.b.] | Data and Information Management | Preventive | |
| Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 | Data and Information Management | Preventive | |
| Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 [{key-coded data} Invariably, research data are uniquely key-coded at their origin by the principal investigator so as not to reveal the identity of individual data subjects. Pharmaceutical companies sponsoring such research do not receive the key. The unique key code is held only by the researcher, so that he or she can identify the research subject under special circumstances (e.g., if follow-up medical attention is required). A transfer from the EU to the United States of data coded in this way would not constitute a transfer of personal data that would be subject to the Privacy Shield Principles. § III.14.g.i.] | Data and Information Management | Preventive | |
| Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 | Data and Information Management | Preventive | |
| Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 | Data and Information Management | Preventive | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 | Data and Information Management | Preventive | |
| Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 | Data and Information Management | Preventive | |
| Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 | Data and Information Management | Preventive | |
| Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 | Data and Information Management | Preventive | |
| Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 | Data and Information Management | Preventive | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 | Data and Information Management | Preventive | |
| Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 [{notice principle} To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles. Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles. § II.3.a. For sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), organizations must obtain affirmative express consent (opt in) from individuals if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt- in choice. In addition, an organization should treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive. § II.2.c. {Department of Commerce} To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles; (iv) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (v) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request. § II.3.b. {Notice Principle}{Choice Principle} The Privacy Principles apply immediately upon certification. Recognizing that the Principles will impact commercial relationships with third parties, organizations that certify to the Privacy Shield Framework in the first two months following the Framework's effective date shall bring existing commercial relationships with third parties into conformity with the Accountability for Onward Transfer Principle as soon as possible, and in any event no later than nine months from the date upon which they certify to the Privacy Shield. During that interim period, where organizations transfer data to a third party, they shall (i) apply the Notice and Choice Principles, and (ii) where personal data is transferred to a third party acting as an agent, ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles. § III.6.e. {Notice Principle}{Choice Principle} The Privacy Principles apply immediately upon certification. Recognizing that the Principles will impact commercial relationships with third parties, organizations that certify to the Privacy Shield Framework in the first two months following the Framework's effective date shall bring existing commercial relationships with third parties into conformity with the Accountability for Onward Transfer Principle as soon as possible, and in any event no later than nine months from the date upon which they certify to the Privacy Shield. During that interim period, where organizations transfer data to a third party, they shall (i) apply the Notice and Choice Principles, and (ii) where personal data is transferred to a third party acting as an agent, ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles. § III.6.e. {Notice Principle}{Choice Principle} The Privacy Principles apply immediately upon certification. Recognizing that the Principles will impact commercial relationships with third parties, organizations that certify to the Privacy Shield Framework in the first two months following the Framework's effective date shall bring existing commercial relationships with third parties into conformity with the Accountability for Onward Transfer Principle as soon as possible, and in any event no later than nine months from the date upon which they certify to the Privacy Shield. During that interim period, where organizations transfer data to a third party, they shall (i) apply the Notice and Choice Principles, and (ii) where personal data is transferred to a third party acting as an agent, ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles. § III.6.e.] | Data and Information Management | Preventive | |
| Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 [When personal information is transferred between two controllers within a controlled group of corporations or entities, a contract is not always required under the Accountability for Onward Transfer Principle. Data controllers within a controlled group of corporations or entities may base such transfers on other instruments, such as EU Binding Corporate Rules or other intra-group instruments (e.g., compliance and control programs), ensuring the continuity of protection of personal information under the Privacy Shield Principles. In case of such transfers, the Privacy Shield organization remains responsible for compliance with Privacy Shield Principles. § III.10.b.i.] | Business Processes | Preventive | |
| Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 | Establish/Maintain Documentation | Preventive | |
| Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 | Data and Information Management | Preventive | |
| Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 | Data and Information Management | Preventive | |
| Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 | Data and Information Management | Preventive | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 | Data and Information Management | Preventive | |
| Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 | Data and Information Management | Preventive | |
| Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 | Data and Information Management | Preventive | |
| Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 | Data and Information Management | Preventive | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 | Data and Information Management | Preventive | |
| Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 [An organization must inform individuals about: its liability in cases of onward transfers to third parties. § II.1.a.xiii.] | Communicate | Preventive | |
| Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 | Behavior | Preventive | |
| Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 | Establish/Maintain Documentation | Preventive | |
| Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 | Data and Information Management | Preventive | |
| Obtain consent prior to downloading software to an individual's computer. CC ID 06951 | Data and Information Management | Preventive | |
| Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 | Process or Activity | Preventive | |
| Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 | Process or Activity | Preventive | |
| Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 | Process or Activity | Preventive | |
| Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 | Data and Information Management | Preventive | |
| Establish, implement, and maintain a privacy impact assessment. CC ID 13712 | Establish/Maintain Documentation | Preventive | |
| Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 | Establish/Maintain Documentation | Preventive | |
| Include how to grant consent in the privacy impact assessment. CC ID 15519 | Establish/Maintain Documentation | Preventive | |
| Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 | Establish/Maintain Documentation | Preventive | |
| Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 | Establish/Maintain Documentation | Preventive | |
| Include data handling procedures in the privacy impact assessment. CC ID 15516 | Establish/Maintain Documentation | Preventive | |
| Include the intended use of information in the privacy impact assessment. CC ID 15515 | Establish/Maintain Documentation | Preventive | |
| Include the reason information is being collected in the privacy impact assessment. CC ID 15514 | Establish/Maintain Documentation | Preventive | |
| Include the type of information to be collected in the privacy impact assessment. CC ID 15513 | Business Processes | Preventive | |
| Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 | Communicate | Preventive | |
| Review compliance with the organization's privacy objectives. CC ID 13490 | Human Resources Management | Detective | |
| Develop remedies and sanctions for privacy policy violations. CC ID 00474 [{be rigorous} At a minimum such mechanisms must include: obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations. § II.7.a.iii. To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles; (iv) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (v) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request. § II.3.b.] | Data and Information Management | Preventive | |
| Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 | Behavior | Preventive | |
| Implement procedures to file privacy rights violation complaints. CC ID 00476 [Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum such mechanisms must include: § II.7.a. At a minimum such mechanisms must include: readily available independent recourse mechanisms by which each individual's complaints and disputes are investigated and expeditiously resolved at no cost to the individual and by reference to the Principles, and damages awarded where the applicable law or private-sector initiatives so provide; § II.7.a.i. Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i. Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i. Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i.] | Data and Information Management | Corrective | |
| File privacy rights violation complaints in writing. CC ID 00477 [Independent recourse mechanisms must include on their public websites information regarding the Privacy Shield Principles and the services that they provide under the Privacy Shield. This information must include: (1) information on or a link to the Privacy Shield Principles' requirements for independent recourse mechanisms; (2) a link to the Department's Privacy Shield website; (3) an explanation that their dispute resolution services under the Privacy Shield are free of charge to individuals; (4) a description of how a Privacy Shield-related complaint can be filed; (5) the timeframe in which Privacy Shield-related complaints are processed; and (6) a description of the range of potential remedies. § III.11.d.ii.] | Establish/Maintain Documentation | Corrective | |
| Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 | Establish/Maintain Documentation | Corrective | |
| Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 | Establish/Maintain Documentation | Preventive | |
| Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 [An organization must inform individuals about: the possibility, under certain conditions, for the individual to invoke binding arbitration, § II.1.a.xi. An organization must inform individuals about: the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the panel established by DPAs, (2) an alternative dispute resolution provider based in the EU, or (3) an alternative dispute resolution provider based in the United States, § II.1.a.ix. Where the organization has chosen outside compliance review, such a review must demonstrate that its privacy policy regarding personal information received from the EU conforms to the Privacy Shield Principles, that it is being complied with, and that individuals are informed of the mechanisms through which they may pursue complaints. The methods of review may include, without limitation, auditing, random reviews, use of "decoys", or use of technology tools as appropriate. A statement verifying that an outside compliance review has been successfully completed must be signed either by the reviewer or by the corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about compliance. § III.7.d. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c.] | Behavior | Corrective | |
| Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 | Business Processes | Preventive | |
| File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 | Behavior | Corrective | |
| Change or destroy any personal data that is incorrect. CC ID 00462 | Data and Information Management | Corrective | |
| Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 [{Department of Commerce} In order to help ensure compliance with their Privacy Shield commitments and to support the administration of the program, organizations, as well as their independent recourse mechanisms, must provide information relating to the Privacy Shield when requested by the Department. In addition, organizations must respond expeditiously to complaints regarding their compliance with the Principles referred through the Department by DPAs. The response should address whether the complaint has merit and, if so, how the organization will rectify the problem. The Department will protect the confidentiality of information it receives in accordance with U.S. law. § III.11.c.] | Behavior | Corrective | |
| Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Data and Information Management | Preventive | |
| Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Data and Information Management | Corrective | |
| Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 [Independent recourse mechanisms must include on their public websites information regarding the Privacy Shield Principles and the services that they provide under the Privacy Shield. This information must include: (1) information on or a link to the Privacy Shield Principles' requirements for independent recourse mechanisms; (2) a link to the Department's Privacy Shield website; (3) an explanation that their dispute resolution services under the Privacy Shield are free of charge to individuals; (4) a description of how a Privacy Shield-related complaint can be filed; (5) the timeframe in which Privacy Shield-related complaints are processed; and (6) a description of the range of potential remedies. § III.11.d.ii.] | Establish/Maintain Documentation | Preventive | |
| Include potential remedies in the privacy dispute resolution program. CC ID 12531 [Independent recourse mechanisms must include on their public websites information regarding the Privacy Shield Principles and the services that they provide under the Privacy Shield. This information must include: (1) information on or a link to the Privacy Shield Principles' requirements for independent recourse mechanisms; (2) a link to the Department's Privacy Shield website; (3) an explanation that their dispute resolution services under the Privacy Shield are free of charge to individuals; (4) a description of how a Privacy Shield-related complaint can be filed; (5) the timeframe in which Privacy Shield-related complaints are processed; and (6) a description of the range of potential remedies. § III.11.d.ii.] | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 [An organization must inform individuals about: how to contact the organization with any inquiries or complaints, including any relevant establishment in the EU that can respond to such inquiries or complaints, § II.1.a.v. An organization must inform individuals about: the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the panel established by DPAs, (2) an alternative dispute resolution provider based in the EU, or (3) an alternative dispute resolution provider based in the United States, § II.1.a.ix. description of the organization's privacy policy for such personal information, including: a contact office for the handling of complaints, access requests, and any other issues arising under the Privacy Shield; § III.6.b.iii.3. Consistent with the fundamental nature of access, organizations should always make good faith efforts to provide access. For example, where certain information needs to be protected and can be readily separated from other personal information subject to an access request, the organization should redact the protected information and make available the other information. If an organization determines that access should be restricted in any particular instance, it should provide the individual requesting access with an explanation of why it has made that determination and a contact point for any further inquiries. § III.8.a.iii. {personal data access request} An organization which claims an exception has the burden of demonstrating its necessity, and the reasons for restricting access and a contact point for further inquiries should be given to individuals. § III.8.e.ii.] | Establish/Maintain Documentation | Preventive | |
| Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 [Independent recourse mechanisms must include on their public websites information regarding the Privacy Shield Principles and the services that they provide under the Privacy Shield. This information must include: (1) information on or a link to the Privacy Shield Principles' requirements for independent recourse mechanisms; (2) a link to the Department's Privacy Shield website; (3) an explanation that their dispute resolution services under the Privacy Shield are free of charge to individuals; (4) a description of how a Privacy Shield-related complaint can be filed; (5) the timeframe in which Privacy Shield-related complaints are processed; and (6) a description of the range of potential remedies. § III.11.d.ii.] | Establish/Maintain Documentation | Preventive | |
| Document unresolved challenges. CC ID 13568 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 | Establish/Maintain Documentation | Preventive | |
| Notify individuals of their right to challenge personal data. CC ID 00457 [Under the Privacy Shield Principles, the right of access is fundamental to privacy protection. In particular, it allows individuals to verify the accuracy of information held about them. The Access Principle means that individuals have the right to: § III.8.a.i. Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated. § II.6.a. The Access Principle means that individuals have the right to: have the data corrected, amended or deleted where it is inaccurate or processed in violation of the Principles. § III.8.a.i.3.] | Data and Information Management | Preventive | |
| Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 | Data and Information Management | Preventive | |
| Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 | Configuration | Preventive | |
| Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 | Human Resources Management | Preventive | |
| Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 | Data and Information Management | Preventive | |
| Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 | Communicate | Preventive | |
| Investigate the disputed accuracy of personal data. CC ID 00461 | Data and Information Management | Preventive | |
| Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 | Behavior | Corrective | |
| Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 | Behavior | Corrective | |
| Notify third parties of unresolved challenges. CC ID 13559 | Communicate | Preventive | |
| Document disagreements as to whether personal data is complete and accurate. CC ID 06952 | Establish/Maintain Documentation | Preventive | |
| Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 | Establish/Maintain Documentation | Preventive | |
| Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 [To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles; (iv) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (v) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request. § II.3.b.] | Data and Information Management | Corrective | |
| Investigate privacy rights violation complaints. CC ID 00480 [{Department of Commerce} Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department. Organizations that have chosen to cooperate with DPAs, including organizations that process human resources data, must respond directly to such authorities with regard to the investigation and resolution of complaints § II.7.b. {comply}{privacy rights violation complaint}{legal authority} The Recourse, Enforcement and Liability Principle sets out the requirements for Privacy Shield enforcement. How to meet the requirements of point (a)(ii) of the Principle is set out in the Supplemental Principle on Verification. This Supplemental Principle addresses points (a)(i) and (a)(iii), both of which require independent recourse mechanisms. These mechanisms may take different forms, but they must meet the Recourse, Enforcement and Liability Principle's requirements. Organizations satisfy the requirements through the following: (i) compliance with private sector developed privacy programs that incorporate the Privacy Shield Principles into their rules and that include effective enforcement mechanisms of the type described in the Recourse, Enforcement and Liability Principle; (ii) compliance with legal or regulatory supervisory authorities that provide for handling of individual complaints and dispute resolution; or (iii) commitment to cooperate with data protection authorities located in the European Union or their authorized representatives. § III.11.a. {Department of Commerce} In order to help ensure compliance with their Privacy Shield commitments and to support the administration of the program, organizations, as well as their independent recourse mechanisms, must provide information relating to the Privacy Shield when requested by the Department. In addition, organizations must respond expeditiously to complaints regarding their compliance with the Principles referred through the Department by DPAs. The response should address whether the complaint has merit and, if so, how the organization will rectify the problem. The Department will protect the confidentiality of information it receives in accordance with U.S. law. § III.11.c. Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i. Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i. Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i.] | Behavior | Detective | |
| Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 | Business Processes | Corrective | |
| Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 | Behavior | Detective | |
| Include the allegations against the organization in the notice of investigation. CC ID 13031 | Establish/Maintain Documentation | Preventive | |
| Investigate privacy rights violation complaints in private. CC ID 00492 | Behavior | Detective | |
| Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 [{Department of Commerce} Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department. Organizations that have chosen to cooperate with DPAs, including organizations that process human resources data, must respond directly to such authorities with regard to the investigation and resolution of complaints § II.7.b. {unfair act or practice}{deceptive act or practice}{Department of Commerce} Organizations must retain their records on the implementation of their Privacy Shield privacy practices and make them available upon request in the context of an investigation or a complaint about non-compliance to the independent body responsible for investigating complaints or to the agency with unfair and deceptive practices jurisdiction. Organizations must also respond promptly to inquiries and other requests for information from the Department relating to the organization's adherence to the Principles. § III.7.e. {Department of Commerce} In order to help ensure compliance with their Privacy Shield commitments and to support the administration of the program, organizations, as well as their independent recourse mechanisms, must provide information relating to the Privacy Shield when requested by the Department. In addition, organizations must respond expeditiously to complaints regarding their compliance with the Principles referred through the Department by DPAs. The response should address whether the complaint has merit and, if so, how the organization will rectify the problem. The Department will protect the confidentiality of information it receives in accordance with U.S. law. § III.11.c. Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i.] | Behavior | Detective | |
| Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 | Behavior | Detective | |
| Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 [In so far as personal information is used only in the context of the employment relationship, primary responsibility for the data vis-à-vis the employee remains with the organization in the EU. It follows that, where European employees make complaints about violations of their data protection rights and are not satisfied with the results of internal review, complaint, and appeal procedures (or any applicable grievance procedures under a contract with a trade union), they should be directed to the state or national data protection or labor authority in the jurisdiction where the employees work. This includes cases where the alleged mishandling of their personal information is the responsibility of the U.S. organization that has received the information from the employer and thus involves an alleged breach of the Privacy Shield Principles. This will be the most efficient way to address the often overlapping rights and obligations imposed by local labor law and labor agreements as well as data protection law. § III.9.d.i.] | Behavior | Preventive | |
| Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 | Behavior | Preventive | |
| Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 | Behavior | Preventive | |
| Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 | Behavior | Preventive | |
| Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 | Behavior | Preventive | |
| Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 | Behavior | Preventive | |
| Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 | Behavior | Preventive | |
| Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 | Behavior | Preventive | |
| Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 | Behavior | Preventive | |
| Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 | Communicate | Corrective | |
| Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 | Establish/Maintain Documentation | Corrective | |
| Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 | Behavior | Corrective | |
| Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 [As set forth in Annex I, an arbitration option is available to an individual to determine, for residual claims, whether a Privacy Shield organization has violated its obligations under the Principles as to that individual, and whether any such violation remains fully or partially unremedied. This option is available only for these purposes. This option is not available, for example, with respect to the exceptions to the Principles or with respect to an allegation about the adequacy of the Privacy Shield. Under this arbitration option, the Privacy Shield Panel (consisting of one or three arbitrators, as agreed by the parties) has the authority to impose individual-specific, non-monetary equitable relief (such as access, correction, deletion, or return of the individual's data in question) necessary to remedy the violation of the Principles only with respect to the individual. Individuals and Privacy Shield organizations will be able to seek judicial review and enforcement of the arbitral decisions pursuant to U.S. law under the Federal Arbitration Act. § III.11.d.iv.] | Establish/Maintain Documentation | Detective | |
| Order the organization to change to be in compliance with applicable law. CC ID 00499 | Behavior | Corrective | |
| Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 | Behavior | Corrective | |
| Award damages based on applicable law. CC ID 00501 | Behavior | Corrective | |
| Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 [{persistent failure to comply}{Department of Commerce} If an organization persistently fails to comply with the Principles, it is no longer entitled to benefit from the Privacy Shield. Organizations that have persistently failed to comply with the Principles will be removed from the Privacy Shield List by the Department and must return or delete the personal information they received under the Privacy Shield. § III.11.g.i.] | Data and Information Management | Corrective | |
| Define the organization's liability based on the applicable law. CC ID 00504 [{liability} In the context of an onward transfer, a Privacy Shield organization has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. The Privacy Shield organization shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage. § II.7.d. Internet Service Providers ("ISPs"), telecommunications carriers, and other organizations are not liable under the Privacy Shield Principles when on behalf of another organization they merely transmit, route, switch, or cache information. As is the case with the Directive itself, the Privacy Shield does not create secondary liability. To the extent that an organization is acting as a mere conduit for data transmitted by third parties and does not determine the purposes and means of processing those personal datą it would not be liable. § III.3.a. {pharmaceutical company} {Notice Principle} {Choice Principle} {Accountability for Onward Transfer Principle} {Access Principle} A pharmaceutical or medical device company does not have to apply the Privacy Shield Principles with respect to the Notice, Choice, Accountability for Onward Transfer, and Access Principles in its product safety and efficacy monitoring activities, including the reporting of adverse events and the tracking of patients/subjects using certain medicines or medical devices, to the extent that adherence to the Principles interferes with compliance with regulatory requirements. This is true both with respect to reports by, for example, health care providers to pharmaceutical and medical device companies, and with respect to reports by pharmaceutical and medical device companies to government agencies like the Food and Drug Administration. § III.14.f.i.] | Establish/Maintain Documentation | Preventive | |
| Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 [Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum such mechanisms must include: § II.7.a. At a minimum such mechanisms must include: readily available independent recourse mechanisms by which each individual's complaints and disputes are investigated and expeditiously resolved at no cost to the individual and by reference to the Principles, and damages awarded where the applicable law or private-sector initiatives so provide; § II.7.a.i. {be rigorous} At a minimum such mechanisms must include: obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations. § II.7.a.iii.] | Establish/Maintain Documentation | Preventive | |
| Define the appeal process based on the applicable law. CC ID 00506 | Establish/Maintain Documentation | Preventive | |
| Define the fee structure for the appeal process. CC ID 16532 | Process or Activity | Preventive | |
| Define the time requirements for the appeal process. CC ID 16531 | Process or Activity | Preventive | |
| Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 | Communicate | Preventive | |
| Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 | Communicate | Preventive | |
| Provide notice of proposed penalties. CC ID 06216 | Establish/Maintain Documentation | Preventive | |
| Notify the public and other agencies after a penalty becomes final. CC ID 06217 [{Federal Trade Commission order}{Privacy Shield} When an organization becomes subject to an FTC or court order based on non-compliance, the organization shall make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements. The Department has established a dedicated point of contact for DPAs for any problems of compliance by Privacy Shield organizations. The FTC will give priority consideration to referrals of non-compliance with the Principles from the Department and EU Member State authorities, and will exchange information regarding referrals with the referring state authorities on a timely basis, subject to existing confidentiality restrictions. § II.7.e.] | Behavior | Preventive | |
| Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 | Testing | Detective | |
| Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Data and Information Management | Preventive | |
| Establish, implement, and maintain customer data authentication procedures. CC ID 13187 | Establish/Maintain Documentation | Preventive | |
| Check the accuracy of restricted data. CC ID 00088 [{is accurate} {is complete} {is current} Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. An organization must adhere to the Principles for as long as it retains such information. § II.5.a. {is accurate} {is complete} {is current} Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. An organization must adhere to the Principles for as long as it retains such information. § II.5.a.] | Data and Information Management | Preventive | |
| Record restricted data correctly. CC ID 00089 [{Security Principle}(Data Integrity and Purpose Limitation Principle} {Recourse, Enforcement and Liability Principle} An organization must apply the Privacy Shield Principles of Security, Data Integrity and Purpose Limitation, and Recourse, Enforcement and Liability to personal data from publicly available sources. These Principles shall apply also to personal data collected from public records, i.e., those records kept by government agencies or entities at any level that are open to consultation by the public in general. § III.15.a.] | Testing | Detective | |
| Check that restricted data is complete. CC ID 00090 [{is accurate} {is complete} {is current} Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. An organization must adhere to the Principles for as long as it retains such information. § II.5.a.] | Data and Information Management | Preventive | |
| Keep restricted data up-to-date and valid. CC ID 00091 [{is accurate} {is complete} {is current} Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. An organization must adhere to the Principles for as long as it retains such information. § II.5.a.] | Data and Information Management | Preventive | |
Records management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Records management CC ID 00902 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain records management policies. CC ID 00903 | Establish/Maintain Documentation | Preventive | |
| Define each system's preservation requirements for records and logs. CC ID 00904 | Establish/Maintain Documentation | Detective | |
| Determine how long to keep records and logs before disposing them. CC ID 11661 | Process or Activity | Preventive | |
| Retain records in accordance with applicable requirements. CC ID 00968 [{unfair act or practice}{deceptive act or practice}{Department of Commerce} Organizations must retain their records on the implementation of their Privacy Shield privacy practices and make them available upon request in the context of an investigation or a complaint about non-compliance to the independent body responsible for investigating complaints or to the agency with unfair and deceptive practices jurisdiction. Organizations must also respond promptly to inquiries and other requests for information from the Department relating to the organization's adherence to the Principles. § III.7.e. {is accurate} {is complete} {is current} Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. An organization must adhere to the Principles for as long as it retains such information. § II.5.a.] | Records Management | Preventive | |
Third Party and supply chain oversight | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Establish/Maintain Documentation | Preventive | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [By derogation to the previous paragraph, it is not necessary to provide choice when disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of and under the instructions of the organization. However, an organization shall always enter into a contract with the agent. § II.2.b.] | Process or Activity | Detective | |
| Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Establish/Maintain Documentation | Preventive | |
| Include a description of the product or service to be provided in third party contracts. CC ID 06509 | Establish/Maintain Documentation | Preventive | |
| Include a description of the products or services fees in third party contracts. CC ID 10018 | Establish/Maintain Documentation | Preventive | |
| Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Establish/Maintain Documentation | Preventive | |
| Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Establish/Maintain Documentation | Preventive | |
| Include the security requirements in the information flow agreement. CC ID 14244 | Establish/Maintain Documentation | Preventive | |
| Include the interface characteristics in the information flow agreement. CC ID 14240 | Establish/Maintain Documentation | Preventive | |
| Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 | Establish/Maintain Documentation | Preventive | |
| Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Establish/Maintain Documentation | Preventive | |
| Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Establish/Maintain Documentation | Preventive | |
| Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Establish/Maintain Documentation | Preventive | |
| Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 | Business Processes | Preventive | |
| Include text about data ownership in third party contracts. CC ID 06502 | Establish/Maintain Documentation | Preventive | |
| Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Establish/Maintain Documentation | Preventive | |
| Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Establish/Maintain Documentation | Preventive | |
| Include the contract duration in third party contracts. CC ID 16221 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in third party contracts. CC ID 13487 | Establish/Maintain Documentation | Preventive | |
| Include cryptographic keys in third party contracts. CC ID 16179 | Establish/Maintain Documentation | Preventive | |
| Include bankruptcy provisions in third party contracts. CC ID 16519 | Establish/Maintain Documentation | Preventive | |
| Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Establish/Maintain Documentation | Preventive | |
| Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 | Establish/Maintain Documentation | Preventive | |
| Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Establish/Maintain Documentation | Preventive | |
| Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Establish/Maintain Documentation | Preventive | |
| Include a reporting structure in third party contracts. CC ID 06532 | Establish/Maintain Documentation | Preventive | |
| Include points of contact in third party contracts. CC ID 12355 | Establish/Maintain Documentation | Preventive | |
| Include financial reporting in third party contracts, as necessary. CC ID 13573 | Establish/Maintain Documentation | Preventive | |
| Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 | Establish/Maintain Documentation | Preventive | |
| Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 | Establish/Maintain Documentation | Preventive | |
| Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Establish/Maintain Documentation | Preventive | |
| Include training requirements in third party contracts. CC ID 16367 | Acquisition/Sale of Assets or Services | Preventive | |
| Include an indemnification and liability clause in third party contracts. CC ID 06517 | Establish/Maintain Documentation | Preventive | |
| Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Establish/Maintain Documentation | Preventive | |
| Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 | Establish/Maintain Documentation | Preventive | |
| Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Establish/Maintain Documentation | Preventive | |
| Include change control clauses in third party contracts, as necessary. CC ID 06523 | Establish/Maintain Documentation | Preventive | |
| Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Establish/Maintain Documentation | Preventive | |
| Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Establish/Maintain Documentation | Preventive | |
| Include change control notification processes in third party contracts. CC ID 06524 | Establish/Maintain Documentation | Preventive | |
| Include cost structure changes in third party contracts. CC ID 10021 | Establish/Maintain Documentation | Preventive | |
| Include a choice of venue clause in third party contracts. CC ID 06520 | Establish/Maintain Documentation | Preventive | |
| Include a dispute resolution clause in third party contracts. CC ID 06519 | Establish/Maintain Documentation | Preventive | |
| Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Establish/Maintain Documentation | Preventive | |
| Include a termination provision clause in third party contracts. CC ID 01367 | Establish/Maintain Documentation | Detective | |
| Include early termination contingency plans in the third party contracts. CC ID 06526 | Establish/Maintain Documentation | Preventive | |
| Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Establish/Maintain Documentation | Preventive | |
| Include termination costs in third party contracts. CC ID 10023 | Establish/Maintain Documentation | Preventive | |
| Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Establish/Maintain Documentation | Preventive | |
| Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 | Establish/Maintain Documentation | Preventive | |
| Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Establish/Maintain Documentation | Preventive | |
| Include end-of-life information in third party contracts. CC ID 15265 | Establish/Maintain Documentation | Preventive | |
| Include third party requirements for personnel security in third party contracts. CC ID 00790 | Testing | Detective | |
| Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Establish/Maintain Documentation | Preventive | |
| Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Testing | Detective | |
| Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Testing | Detective | |
| Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 [{data processor} The purpose of the contract is to make sure that the processor: taking into account the nature of the processing, assists the controller in responding to individuals exercising their rights under the Principles. § III.10.a.ii.3.] | Establish/Maintain Documentation | Preventive | |
| Establish the third party's service continuity. CC ID 00797 | Testing | Detective | |
| Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Testing | Detective | |
| Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Data and Information Management | Detective | |
| Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Testing | Detective | |
| Include disclosure requirements in third party contracts. CC ID 08825 | Business Processes | Preventive | |
| Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Establish/Maintain Documentation | Preventive | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Business Processes | Preventive | |
| Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359 [{Department of Commerce} To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles; (iv) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (v) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request. § II.3.b.] | Testing | Detective | |
| Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353 | Establish/Maintain Documentation | Preventive | |
Common Controls andEach Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
Acquisition/Sale of Assets or Services | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Acquire or sell an organization. CC ID 12421 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Preventive | |
| Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Preventive | |
Actionable Reports or Measurements | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Monitoring and measurement | Detective | |
| Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Monitoring and measurement | Detective | |
| Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Monitoring and measurement | Detective | |
| Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Monitoring and measurement | Detective | |
| Report on the policies and controls that have been implemented by management. CC ID 01670 | Monitoring and measurement | Detective | |
| Report on the percentage of security management roles that have been assigned. CC ID 01671 | Monitoring and measurement | Detective | |
| Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Monitoring and measurement | Detective | |
| Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Monitoring and measurement | Detective | |
| Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Monitoring and measurement | Preventive | |
| Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Monitoring and measurement | Detective | |
| Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Monitoring and measurement | Detective | |
| Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Monitoring and measurement | Detective | |
| Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Monitoring and measurement | Detective | |
| Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Monitoring and measurement | Detective | |
| Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Monitoring and measurement | Detective | |
| Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Monitoring and measurement | Detective | |
| Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Monitoring and measurement | Detective | |
| Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 | Monitoring and measurement | Detective | |
| Monitor compliance with the Quality Control system. CC ID 01023 | Monitoring and measurement | Preventive | |
| Report on the percentage of complaints received about products or delivered services. CC ID 07199 | Monitoring and measurement | Preventive | |
| Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 | Monitoring and measurement | Preventive | |
| Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 | Monitoring and measurement | Detective | |
| Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 | Monitoring and measurement | Detective | |
| Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 | Monitoring and measurement | Detective | |
| Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 | Monitoring and measurement | Detective | |
| Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 | Monitoring and measurement | Detective | |
| Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 | Monitoring and measurement | Detective | |
| Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 | Monitoring and measurement | Detective | |
| Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 | Monitoring and measurement | Detective | |
| Report on the percentage of individuals who have access to security software, are trained, and authorized Security Administrators. CC ID 01691 | Monitoring and measurement | Detective | |
| Report on the percentage of individuals who are able to assign security privileges, are trained, and authorized Security Administrators. CC ID 01692 | Monitoring and measurement | Detective | |
| Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 | Monitoring and measurement | Detective | |
| Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 | Monitoring and measurement | Detective | |
| Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 | Monitoring and measurement | Detective | |
| Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 | Monitoring and measurement | Detective | |
| Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 | Monitoring and measurement | Detective | |
| Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 | Monitoring and measurement | Detective | |
| Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 | Monitoring and measurement | Detective | |
| Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 | Monitoring and measurement | Detective | |
| Report on the percentage of systems with approved System Security Plans. CC ID 02145 | Monitoring and measurement | Detective | |
| Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Monitoring and measurement | Detective | |
| Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Monitoring and measurement | Detective | |
| Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Monitoring and measurement | Detective | |
| Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Monitoring and measurement | Detective | |
| Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Monitoring and measurement | Detective | |
| Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Monitoring and measurement | Detective | |
| Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Monitoring and measurement | Detective | |
| Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 | Monitoring and measurement | Detective | |
| Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 | Monitoring and measurement | Detective | |
| Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 | Monitoring and measurement | Detective | |
| Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 | Monitoring and measurement | Detective | |
| Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 | Monitoring and measurement | Detective | |
| Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 | Monitoring and measurement | Detective | |
| Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 | Monitoring and measurement | Detective | |
| Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 | Monitoring and measurement | Detective | |
| Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 | Monitoring and measurement | Detective | |
| Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 | Monitoring and measurement | Detective | |
| Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 | Monitoring and measurement | Detective | |
| Report on the percentage of servers located in controlled access areas. CC ID 02067 | Monitoring and measurement | Detective | |
| Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain waste management metrics. CC ID 16152 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain emissions management metrics. CC ID 16145 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain financial management metrics. CC ID 16749 | Monitoring and measurement | Preventive | |
| Report on the percentage of unique active user identifiers. CC ID 02074 | Monitoring and measurement | Detective | |
| Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 | Monitoring and measurement | Detective | |
| Report on the percentage of active user passwords that are set to expire. CC ID 02087 | Monitoring and measurement | Detective | |
| Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 | Monitoring and measurement | Detective | |
| Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Monitoring and measurement | Detective | |
| Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Monitoring and measurement | Detective | |
| Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Monitoring and measurement | Detective | |
| Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Monitoring and measurement | Detective | |
| Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Monitoring and measurement | Detective | |
| Report on the percentage of users with access to shared accounts. CC ID 04573 | Monitoring and measurement | Detective | |
| Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 | Monitoring and measurement | Preventive | |
| Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 | Monitoring and measurement | Detective | |
| Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 | Monitoring and measurement | Detective | |
| Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 | Monitoring and measurement | Detective | |
| Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 | Monitoring and measurement | Detective | |
| Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 | Monitoring and measurement | Detective | |
| Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 | Monitoring and measurement | Detective | |
| Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 | Monitoring and measurement | Detective | |
| Report on the percentage of systems where the authority to make configuration changes are limited. CC ID 02101 | Monitoring and measurement | Detective | |
| Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 | Monitoring and measurement | Detective | |
| Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Monitoring and measurement | Detective | |
| Report on the percentage of laptops and mobile devices that are needing to be in compliance with the approved configuration standard before granting network access. CC ID 02106 | Monitoring and measurement | Detective | |
| Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 | Monitoring and measurement | Detective | |
| Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 | Monitoring and measurement | Detective | |
| Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 | Monitoring and measurement | Detective | |
| Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 | Monitoring and measurement | Detective | |
| Report on the percentage of servers that employ automated system security tools. CC ID 02111 | Monitoring and measurement | Detective | |
| Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 | Monitoring and measurement | Detective | |
| Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 | Monitoring and measurement | Detective | |
| Report on the percentage of systems with all approved patches installed. CC ID 02113 | Monitoring and measurement | Detective | |
| Report on the mean time from patch availability to patch installation. CC ID 02114 | Monitoring and measurement | Detective | |
| Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 | Monitoring and measurement | Detective | |
| Report on the percentage of systems configured according to the configuration standard. CC ID 02116 | Monitoring and measurement | Detective | |
| Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 | Monitoring and measurement | Detective | |
| Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 | Monitoring and measurement | Detective | |
| Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 | Monitoring and measurement | Detective | |
| Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 | Monitoring and measurement | Detective | |
| Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 | Monitoring and measurement | Detective | |
| Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 | Monitoring and measurement | Detective | |
| Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 | Monitoring and measurement | Detective | |
| Report on the percentage of backup media stored off site in secure storage. CC ID 02122 | Monitoring and measurement | Detective | |
| Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 | Monitoring and measurement | Detective | |
| Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Monitoring and measurement | Detective | |
| Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Monitoring and measurement | Detective | |
| Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Monitoring and measurement | Detective | |
| Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Monitoring and measurement | Detective | |
| Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Monitoring and measurement | Detective | |
| Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Monitoring and measurement | Detective | |
| Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Monitoring and measurement | Detective | |
| Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Monitoring and measurement | Detective | |
| Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Monitoring and measurement | Detective | |
| Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Monitoring and measurement | Detective | |
| Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Monitoring and measurement | Detective | |
| Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 | Monitoring and measurement | Preventive | |
| Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 | Monitoring and measurement | Preventive | |
| Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 | Monitoring and measurement | Preventive | |
| Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 | Monitoring and measurement | Preventive | |
| Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 | Monitoring and measurement | Preventive | |
| Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 | Monitoring and measurement | Preventive | |
| Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 | Monitoring and measurement | Preventive | |
| Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 | Monitoring and measurement | Preventive | |
| Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 | Monitoring and measurement | Preventive | |
| Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 | Monitoring and measurement | Preventive | |
| Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 | Monitoring and measurement | Preventive | |
| Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 | Monitoring and measurement | Preventive | |
| Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 | Monitoring and measurement | Preventive | |
| Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 | Monitoring and measurement | Preventive | |
| Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 | Monitoring and measurement | Preventive | |
| Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 | Monitoring and measurement | Preventive | |
| Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 | Monitoring and measurement | Preventive | |
| Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 | Monitoring and measurement | Preventive | |
| Include the privacy programs the organization is a member of in the Statement of Compliance. CC ID 16818 | Audits and risk management | Preventive | |
Audits and Risk Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Monitoring and measurement | Preventive | |
| Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Monitoring and measurement | Preventive | |
Behavior | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 [{is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c.] | Monitoring and measurement | Corrective | |
| Take disciplinary actions against individuals who violate the Code of Conduct. CC ID 06435 [{Department of Commerce} The result of any remedies provided by the dispute resolution body should be that the effects of non-compliance are reversed or corrected by the organization, insofar as feasible, and that future processing by the organization will be in conformity with the Principles and, where appropriate, that processing of the personal data of the individual who brought the complaint will cease. Sanctions need to be rigorous enough to ensure compliance by the organization with the Principles. A range of sanctions of varying degrees of severity will allow dispute resolution bodies to respond appropriately to varying degrees of non-compliance. Sanctions should include both publicity for findings of non-compliance and the requirement to delete data in certain circumstances. Other sanctions could include suspension and removal of a seal, compensation for individuals for losses incurred as a result of non-compliance and injunctive awards. Private sector dispute resolution bodies and self-regulatory bodies must notify failures of Privacy Shield organizations to comply with their rulings to the governmental body with applicable jurisdiction or to the courts, as appropriate, and to notify the Department. § III.11.e.i.] | Human Resources management | Preventive | |
| Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Preventive | |
| Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Preventive | |
| Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Preventive | |
| Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Preventive | |
| Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Preventive | |
| Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 | Operational management | Preventive | |
| Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 [An organization applying to participate in a self-regulatory body for the purposes of requalifying for the Privacy Shield must provide that body with full information about its prior participation in the Privacy Shield. § III.11.g.iv.] | Privacy protection for information and data | Preventive | |
| Define the criteria for waivers of data subjects' rights. CC ID 16858 | Privacy protection for information and data | Preventive | |
| Revoke waivers of data subject's rights, as necessary. CC ID 16859 | Privacy protection for information and data | Preventive | |
| Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 | Privacy protection for information and data | Preventive | |
| Notify the supervisory authority. CC ID 00472 | Privacy protection for information and data | Preventive | |
| Notify the data subject of the collection purpose. CC ID 00095 | Privacy protection for information and data | Preventive | |
| Notify the data subject of the consequences for not providing personal data. CC ID 00104 | Privacy protection for information and data | Preventive | |
| Notify the data subject of changes to personal data use. CC ID 00105 [{Notice Principle}{Choice Principle} A U.S. organization that has received employee information from the EU under the Privacy Shield may disclose it to third parties or use it for different purposes only in accordance with the Notice and Choice Principles. For example, where an organization intends to use personal information collected through the employment relationship for non-employment-related purposes, such as marketing communications, the U.S. organization must provide the affected individuals with the requisite choice before doing so, unless they have already authorized the use of the information for such purposes. Moreover, such choices must not be used to restrict employment opportunities or take any punitive action against such employees. § III.9.b.i. Personal data developed in specific medical or pharmaceutical research studies often play a valuable role in future scientific research. Where personal data collected for one research study are transferred to a U.S. organization in the Privacy Shield, the organization may use the data for a new scientific research activity if appropriate notice and choice have been provided in the first instance. Such notice should provide information about any future specific uses of the data, such as periodic follow-up, related studies, or marketing. § III.14.b.i.] | Privacy protection for information and data | Preventive | |
| Obtain the data subject's consent when the personal data use changes. CC ID 11832 [It is understood that not all future uses of the data can be specified, since a new research use could arise from new insights on the original data, new medical discoveries and advances, and public health and regulatory developments. Where appropriate, the notice should therefore include an explanation that personal data may be used in future medical and pharmaceutical research activities that are unanticipated. If the use is not consistent with the general research purpose(s) for which the personal data were originally collected, or to which the individual has consented subsequently, new consent must be obtained. § III.14.b.ii.] | Privacy protection for information and data | Preventive | |
| Respond to data access requests in a timely manner. CC ID 00421 [{personal data access request} Organizations should respond to access requests within a reasonable time period, in a reasonable manner, and in a form that is readily intelligible to the individual. An organization that provides information to data subjects at regular intervals may satisfy an individual access request with its regular disclosure if it would not constitute an excessive delay. § III.8.i.i.] | Privacy protection for information and data | Preventive | |
| Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 | Privacy protection for information and data | Detective | |
| Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 [Access may not be refused on cost grounds if the individual offers to pay the costs. § III.8.f.iii.] | Privacy protection for information and data | Detective | |
| Notify the data subject after personal data is used or disclosed. CC ID 06247 | Privacy protection for information and data | Preventive | |
| Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 [This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party. § II.1.b. {Notice Principle}{Choice Principle} A U.S. organization that has received employee information from the EU under the Privacy Shield may disclose it to third parties or use it for different purposes only in accordance with the Notice and Choice Principles. For example, where an organization intends to use personal information collected through the employment relationship for non-employment-related purposes, such as marketing communications, the U.S. organization must provide the affected individuals with the requisite choice before doing so, unless they have already authorized the use of the information for such purposes. Moreover, such choices must not be used to restrict employment opportunities or take any punitive action against such employees. § III.9.b.i.] | Privacy protection for information and data | Preventive | |
| Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Privacy protection for information and data | Preventive | |
| Notify the data subject of the source of collected personal data. CC ID 00083 | Privacy protection for information and data | Preventive | |
| Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 | Privacy protection for information and data | Preventive | |
| Use simple understandable language to collect information from children. CC ID 00039 | Privacy protection for information and data | Preventive | |
| Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Detective | |
| Notify data subjects when their personal data is transferred. CC ID 00352 | Privacy protection for information and data | Preventive | |
| Follow the instructions of the data transferrer. CC ID 00334 [Where an organization in the EU transfers personal information about its employees (past or present) collected in the context of the employment relationship, to a parent, affiliate, or unaffiliated service provider in the United States participating in the Privacy Shield, the transfer enjoys the benefits of the Privacy Shield. In such cases, the collection of the information and its processing prior to transfer will have been subject to the national laws of the EU country where it was collected, and any conditions for or restrictions on its transfer according to those laws will have to be respected. § III.9.a.i. {employee information} It should be noted that certain generally applicable conditions for transfer from some EU Member States may preclude other uses of such information even after transfer outside the EU and such conditions will have to be respected. § III.9.b.ii. {data processor} The purpose of the contract is to make sure that the processor: acts only on instructions from the controller; § III.10.a.ii.1. {Notice Principle}{Choice Principle}{Accountability for Onward Transfer Principle} It is not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to public record information, as long as it is not combined with non-public record information, and any conditions for consultation established by the relevant jurisdiction are respected. Also, it is generally not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to publicly available information unless the European transferor indicates that such information is subject to restrictions that require application of those Principles by the organization for the uses it intends. Organizations will have no liability for how such information is used by those obtaining such information from published materials. § III.15.b. {Notice Principle}{Choice Principle}{Accountability for Onward Transfer Principle} It is not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to public record information, as long as it is not combined with non-public record information, and any conditions for consultation established by the relevant jurisdiction are respected. Also, it is generally not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to publicly available information unless the European transferor indicates that such information is subject to restrictions that require application of those Principles by the organization for the uses it intends. Organizations will have no liability for how such information is used by those obtaining such information from published materials. § III.15.b. {Notice Principle}{Choice Principle}{Accountability for Onward Transfer Principle} It is not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to public record information, as long as it is not combined with non-public record information, and any conditions for consultation established by the relevant jurisdiction are respected. Also, it is generally not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to publicly available information unless the European transferor indicates that such information is subject to restrictions that require application of those Principles by the organization for the uses it intends. Organizations will have no liability for how such information is used by those obtaining such information from published materials. § III.15.b.] | Privacy protection for information and data | Preventive | |
| Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 | Privacy protection for information and data | Preventive | |
| Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 | Privacy protection for information and data | Preventive | |
| Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 [An organization must inform individuals about: the possibility, under certain conditions, for the individual to invoke binding arbitration, § II.1.a.xi. An organization must inform individuals about: the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the panel established by DPAs, (2) an alternative dispute resolution provider based in the EU, or (3) an alternative dispute resolution provider based in the United States, § II.1.a.ix. Where the organization has chosen outside compliance review, such a review must demonstrate that its privacy policy regarding personal information received from the EU conforms to the Privacy Shield Principles, that it is being complied with, and that individuals are informed of the mechanisms through which they may pursue complaints. The methods of review may include, without limitation, auditing, random reviews, use of "decoys", or use of technology tools as appropriate. A statement verifying that an outside compliance review has been successfully completed must be signed either by the reviewer or by the corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about compliance. § III.7.d. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c.] | Privacy protection for information and data | Corrective | |
| File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 | Privacy protection for information and data | Corrective | |
| Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 [{Department of Commerce} In order to help ensure compliance with their Privacy Shield commitments and to support the administration of the program, organizations, as well as their independent recourse mechanisms, must provide information relating to the Privacy Shield when requested by the Department. In addition, organizations must respond expeditiously to complaints regarding their compliance with the Principles referred through the Department by DPAs. The response should address whether the complaint has merit and, if so, how the organization will rectify the problem. The Department will protect the confidentiality of information it receives in accordance with U.S. law. § III.11.c.] | Privacy protection for information and data | Corrective | |
| Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 | Privacy protection for information and data | Corrective | |
| Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 | Privacy protection for information and data | Corrective | |
| Investigate privacy rights violation complaints. CC ID 00480 [{Department of Commerce} Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department. Organizations that have chosen to cooperate with DPAs, including organizations that process human resources data, must respond directly to such authorities with regard to the investigation and resolution of complaints § II.7.b. {comply}{privacy rights violation complaint}{legal authority} The Recourse, Enforcement and Liability Principle sets out the requirements for Privacy Shield enforcement. How to meet the requirements of point (a)(ii) of the Principle is set out in the Supplemental Principle on Verification. This Supplemental Principle addresses points (a)(i) and (a)(iii), both of which require independent recourse mechanisms. These mechanisms may take different forms, but they must meet the Recourse, Enforcement and Liability Principle's requirements. Organizations satisfy the requirements through the following: (i) compliance with private sector developed privacy programs that incorporate the Privacy Shield Principles into their rules and that include effective enforcement mechanisms of the type described in the Recourse, Enforcement and Liability Principle; (ii) compliance with legal or regulatory supervisory authorities that provide for handling of individual complaints and dispute resolution; or (iii) commitment to cooperate with data protection authorities located in the European Union or their authorized representatives. § III.11.a. {Department of Commerce} In order to help ensure compliance with their Privacy Shield commitments and to support the administration of the program, organizations, as well as their independent recourse mechanisms, must provide information relating to the Privacy Shield when requested by the Department. In addition, organizations must respond expeditiously to complaints regarding their compliance with the Principles referred through the Department by DPAs. The response should address whether the complaint has merit and, if so, how the organization will rectify the problem. The Department will protect the confidentiality of information it receives in accordance with U.S. law. § III.11.c. Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i. Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i. Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i.] | Privacy protection for information and data | Detective | |
| Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 | Privacy protection for information and data | Detective | |
| Investigate privacy rights violation complaints in private. CC ID 00492 | Privacy protection for information and data | Detective | |
| Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 [{Department of Commerce} Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department. Organizations that have chosen to cooperate with DPAs, including organizations that process human resources data, must respond directly to such authorities with regard to the investigation and resolution of complaints § II.7.b. {unfair act or practice}{deceptive act or practice}{Department of Commerce} Organizations must retain their records on the implementation of their Privacy Shield privacy practices and make them available upon request in the context of an investigation or a complaint about non-compliance to the independent body responsible for investigating complaints or to the agency with unfair and deceptive practices jurisdiction. Organizations must also respond promptly to inquiries and other requests for information from the Department relating to the organization's adherence to the Principles. § III.7.e. {Department of Commerce} In order to help ensure compliance with their Privacy Shield commitments and to support the administration of the program, organizations, as well as their independent recourse mechanisms, must provide information relating to the Privacy Shield when requested by the Department. In addition, organizations must respond expeditiously to complaints regarding their compliance with the Principles referred through the Department by DPAs. The response should address whether the complaint has merit and, if so, how the organization will rectify the problem. The Department will protect the confidentiality of information it receives in accordance with U.S. law. § III.11.c. Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i.] | Privacy protection for information and data | Detective | |
| Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 | Privacy protection for information and data | Detective | |
| Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 [In so far as personal information is used only in the context of the employment relationship, primary responsibility for the data vis-à-vis the employee remains with the organization in the EU. It follows that, where European employees make complaints about violations of their data protection rights and are not satisfied with the results of internal review, complaint, and appeal procedures (or any applicable grievance procedures under a contract with a trade union), they should be directed to the state or national data protection or labor authority in the jurisdiction where the employees work. This includes cases where the alleged mishandling of their personal information is the responsibility of the U.S. organization that has received the information from the employer and thus involves an alleged breach of the Privacy Shield Principles. This will be the most efficient way to address the often overlapping rights and obligations imposed by local labor law and labor agreements as well as data protection law. § III.9.d.i.] | Privacy protection for information and data | Preventive | |
| Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 | Privacy protection for information and data | Preventive | |
| Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 | Privacy protection for information and data | Preventive | |
| Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 | Privacy protection for information and data | Preventive | |
| Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 | Privacy protection for information and data | Preventive | |
| Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 | Privacy protection for information and data | Preventive | |
| Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 | Privacy protection for information and data | Preventive | |
| Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 | Privacy protection for information and data | Preventive | |
| Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 | Privacy protection for information and data | Preventive | |
| Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 | Privacy protection for information and data | Corrective | |
| Order the organization to change to be in compliance with applicable law. CC ID 00499 | Privacy protection for information and data | Corrective | |
| Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 | Privacy protection for information and data | Corrective | |
| Award damages based on applicable law. CC ID 00501 | Privacy protection for information and data | Corrective | |
| Notify the public and other agencies after a penalty becomes final. CC ID 06217 [{Federal Trade Commission order}{Privacy Shield} When an organization becomes subject to an FTC or court order based on non-compliance, the organization shall make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements. The Department has established a dedicated point of contact for DPAs for any problems of compliance by Privacy Shield organizations. The FTC will give priority consideration to referrals of non-compliance with the Principles from the Department and EU Member State authorities, and will exchange information regarding referrals with the referring state authorities on a timely basis, subject to existing confidentiality restrictions. § II.7.e.] | Privacy protection for information and data | Preventive | |
Business Processes | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 | Monitoring and measurement | Preventive | |
| Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Monitoring and measurement | Detective | |
| Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a physical environment metrics program. CC ID 02063 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a user account management metrics program. CC ID 02075 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a software change management metrics program. CC ID 02081 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Monitoring and measurement | Preventive | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 [{comply}{privacy rights violation complaint}{legal authority} The Recourse, Enforcement and Liability Principle sets out the requirements for Privacy Shield enforcement. How to meet the requirements of point (a)(ii) of the Principle is set out in the Supplemental Principle on Verification. This Supplemental Principle addresses points (a)(i) and (a)(iii), both of which require independent recourse mechanisms. These mechanisms may take different forms, but they must meet the Recourse, Enforcement and Liability Principle's requirements. Organizations satisfy the requirements through the following: (i) compliance with private sector developed privacy programs that incorporate the Privacy Shield Principles into their rules and that include effective enforcement mechanisms of the type described in the Recourse, Enforcement and Liability Principle; (ii) compliance with legal or regulatory supervisory authorities that provide for handling of individual complaints and dispute resolution; or (iii) commitment to cooperate with data protection authorities located in the European Union or their authorized representatives. § III.11.a. {comply}{privacy rights violation complaint}{legal authority} The Recourse, Enforcement and Liability Principle sets out the requirements for Privacy Shield enforcement. How to meet the requirements of point (a)(ii) of the Principle is set out in the Supplemental Principle on Verification. This Supplemental Principle addresses points (a)(i) and (a)(iii), both of which require independent recourse mechanisms. These mechanisms may take different forms, but they must meet the Recourse, Enforcement and Liability Principle's requirements. Organizations satisfy the requirements through the following: (i) compliance with private sector developed privacy programs that incorporate the Privacy Shield Principles into their rules and that include effective enforcement mechanisms of the type described in the Recourse, Enforcement and Liability Principle; (ii) compliance with legal or regulatory supervisory authorities that provide for handling of individual complaints and dispute resolution; or (iii) commitment to cooperate with data protection authorities located in the European Union or their authorized representatives. § III.11.a. Airline passenger reservation and other travel information, such as frequent flyer or hotel reservation information and special handling needs, such as meals to meet religious requirements or physical assistance, may be transferred to organizations located outside the EU in several different circumstances. Under Article 26 of the Directive, personal data may be transferred "to a third country which does not ensure an adequate level of protection within the meaning of Article 25(2)" on the condition that it (i) is necessary to provide the services requested by the consumer or to fulfill the terms of an agreement, such as a "frequent flyer" agreement; or (ii) has been unambiguously consented to by the consumer. U.S. organizations subscribing to the Privacy Shield provide adequate protection for personal data and may therefore receive data transfers from the EU without meeting these conditions or other conditions set out in Article 26 of the Directive. Since the Privacy Shield includes specific rules for sensitive information, such information (which may need to be collected, for example, in connection with customers' needs for physical assistance) may be included in transfers to Privacy Shield participants. In all cases, however, the organization transferring the information has to respect the law in the EU Member State in which it is operating, which may inter alia impose special conditions for the handling of sensitive data. § III.13.a. Organizations are obligated to arbitrate claims and follow the terms as set forth in Annex I, provided that an individual has invoked binding arbitration by delivering notice to the organization at issue and following the procedures and subject to conditions set forth in Annex I. § II.7.c.] | Operational management | Preventive | |
| Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Preventive | |
| Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Preventive | |
| Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Preventive | |
| Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Preventive | |
| Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Preventive | |
| Conduct a due diligence assessment as part of an organization's acquisition. CC ID 12424 [{due diligence review} {statutory requirements} The activities of auditors and investment bankers may involve processing personal data without the consent or knowledge of the individual. This is permitted by the Notice, Choice, and Access Principles under the circumstances described below. Public stock corporations and closely held companies, including Privacy Shield organizations, are regularly subject to audits. Such audits, particularly those looking into potential wrongdoing, may be jeopardized if disclosed prematurely. Similarly, a Privacy Shield organization involved in a potential merger or takeover will need to perform, or be the subject of, a "due diligence" review. This will often entail the collection and processing of personal data, such as information on senior executives and other key personnel. Premature disclosure could impede the transaction or even violate applicable securities regulation. Investment bankers and attorneys engaged in due diligence, or auditors conducting an audit, may process information without knowledge of the individual only to the extent and for the period necessary to meet statutory or public interest requirements and in other circumstances in which the application of these Principles would prejudice the legitimate interests of the organization. These legitimate interests include the monitoring of organizations' compliance with their legal obligations and legitimate accounting activities, and the need for confidentiality connected with possible acquisitions, mergers, joint ventures, or other similar transactions carried out by investment bankers or auditors. § III.4.b.] | Acquisition or sale of facilities, technology, and services | Preventive | |
| Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the data protection officer's contact information. CC ID 12573 | Privacy protection for information and data | Preventive | |
| Approve the privacy plan. CC ID 14700 | Privacy protection for information and data | Preventive | |
| Protect private communications in keeping with compliance requirements. CC ID 14334 | Privacy protection for information and data | Preventive | |
| Refrain from charging a fee to implement an opt-out request. CC ID 13877 | Privacy protection for information and data | Preventive | |
| Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 | Privacy protection for information and data | Preventive | |
| Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 | Privacy protection for information and data | Preventive | |
| Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Privacy protection for information and data | Preventive | |
| Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Privacy protection for information and data | Preventive | |
| Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 | Privacy protection for information and data | Preventive | |
| Allow consent requests to be provided in any official languages. CC ID 16530 | Privacy protection for information and data | Preventive | |
| Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Preventive | |
| Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Preventive | |
| Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 [Individuals do not have to justify requests for access to their personal data. In responding to individuals' access requests, organizations should first be guided by the concern(s) that led to the requests in the first place. For example, if an access request is vague or broad in scope, an organization may engage the individual in a dialogue so as to better understand the motivation for the request and to locate responsive information. The organization might inquire about which part(s) of the organization the individual interacted with or about the nature of the information or its use that is the subject of the access request. § III.8.a.ii.] | Privacy protection for information and data | Preventive | |
| Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data for marketing or advertising to children. CC ID 14010 | Privacy protection for information and data | Preventive | |
| Dispose of personal data removal requests, as necessary. CC ID 13512 | Privacy protection for information and data | Preventive | |
| Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 | Privacy protection for information and data | Detective | |
| Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Preventive | |
| Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Privacy protection for information and data | Preventive | |
| Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 [{personal data transfer}{do not need} For transfers between controllers, the recipient controller need not be a Privacy Shield organization or have an independent recourse mechanism. The Privacy Shield organization must enter into a contract with the recipient third-party controller that provides for the same level of protection as is available under the Privacy Shield, not including the requirement that the third party controller be a Privacy Shield organization or have an independent recourse mechanism, provided it makes available an equivalent mechanism. § III.10.c.i.] | Privacy protection for information and data | Preventive | |
| Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 [When personal information is transferred between two controllers within a controlled group of corporations or entities, a contract is not always required under the Accountability for Onward Transfer Principle. Data controllers within a controlled group of corporations or entities may base such transfers on other instruments, such as EU Binding Corporate Rules or other intra-group instruments (e.g., compliance and control programs), ensuring the continuity of protection of personal information under the Privacy Shield Principles. In case of such transfers, the Privacy Shield organization remains responsible for compliance with Privacy Shield Principles. § III.10.b.i.] | Privacy protection for information and data | Preventive | |
| Include the type of information to be collected in the privacy impact assessment. CC ID 15513 | Privacy protection for information and data | Preventive | |
| Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 | Privacy protection for information and data | Preventive | |
| Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 | Privacy protection for information and data | Corrective | |
| Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 | Third Party and supply chain oversight | Preventive | |
| Include disclosure requirements in third party contracts. CC ID 08825 | Third Party and supply chain oversight | Preventive | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Preventive | |
Communicate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Preventive | |
| Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Monitoring and measurement | Preventive | |
| Publish a Statement of Compliance for the organization's external requirements. CC ID 12350 [{self-certification submission} The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self- certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. Where the organization has chosen outside compliance review, such a review must demonstrate that its privacy policy regarding personal information received from the EU conforms to the Privacy Shield Principles, that it is being complied with, and that individuals are informed of the mechanisms through which they may pursue complaints. The methods of review may include, without limitation, auditing, random reviews, use of "decoys", or use of technology tools as appropriate. A statement verifying that an outside compliance review has been successfully completed must be signed either by the reviewer or by the corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about compliance. § III.7.d. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c. The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self-certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self-certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. Independent recourse mechanisms must publish an annual report providing aggregate statistics regarding their dispute resolution services. The annual report must include: (1) the total number of Privacy Shield-related complaints received during the reporting year; (2) the types of complaints received; (3) dispute resolution quality measures, such as the length of time taken to process complaints; and (4) the outcomes of the complaints received, notably the number and types of remedies or sanctions imposed. § III.11.d.iii. {Department of Commerce} Persistent failure to comply arises where an organization that has self-certified to the Department refuses to comply with a final determination by any privacy self-regulatory, independent dispute resolution, or government body, or where such a body determines that an organization frequently fails to comply with the Principles to the point where its claim to comply is no longer credible. In these cases, the organization must promptly notify the Department of such facts. Failure to do so may be actionable under the False Statements Act (18 U.S.C. § 1001). An organization's withdrawal from a private-sector privacy self-regulatory program or independent dispute resolution mechanism does not relieve it of its obligation to comply with the Principles and would constitute a persistent failure to comply. § III.11.g.ii. {Department of Commerce} The result of any remedies provided by the dispute resolution body should be that the effects of non-compliance are reversed or corrected by the organization, insofar as feasible, and that future processing by the organization will be in conformity with the Principles and, where appropriate, that processing of the personal data of the individual who brought the complaint will cease. Sanctions need to be rigorous enough to ensure compliance by the organization with the Principles. A range of sanctions of varying degrees of severity will allow dispute resolution bodies to respond appropriately to varying degrees of non-compliance. Sanctions should include both publicity for findings of non-compliance and the requirement to delete data in certain circumstances. Other sanctions could include suspension and removal of a seal, compensation for individuals for losses incurred as a result of non-compliance and injunctive awards. Private sector dispute resolution bodies and self-regulatory bodies must notify failures of Privacy Shield organizations to comply with their rulings to the governmental body with applicable jurisdiction or to the courts, as appropriate, and to notify the Department. § III.11.e.i. {Department of Commerce} The result of any remedies provided by the dispute resolution body should be that the effects of non-compliance are reversed or corrected by the organization, insofar as feasible, and that future processing by the organization will be in conformity with the Principles and, where appropriate, that processing of the personal data of the individual who brought the complaint will cease. Sanctions need to be rigorous enough to ensure compliance by the organization with the Principles. A range of sanctions of varying degrees of severity will allow dispute resolution bodies to respond appropriately to varying degrees of non-compliance. Sanctions should include both publicity for findings of non-compliance and the requirement to delete data in certain circumstances. Other sanctions could include suspension and removal of a seal, compensation for individuals for losses incurred as a result of non-compliance and injunctive awards. Private sector dispute resolution bodies and self-regulatory bodies must notify failures of Privacy Shield organizations to comply with their rulings to the governmental body with applicable jurisdiction or to the courts, as appropriate, and to notify the Department. § III.11.e.i. {law enforcement reasons} In order to provide transparency in respect of lawful requests by public authorities to access personal information, Privacy Shield organizations may voluntarily issue periodic transparency reports on the number of requests for personal information they receive by public authorities for law enforcement or national security reasons, to the extent such disclosures are permissible under applicable law. § III.16.a.] | Audits and risk management | Preventive | |
| Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Operational management | Preventive | |
| Disseminate and communicate the local environment security profile to interested personnel and affected parties. CC ID 15716 | Operational management | Preventive | |
| Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 | Privacy protection for information and data | Preventive | |
| Deliver privacy notices to data subjects, as necessary. CC ID 13444 | Privacy protection for information and data | Preventive | |
| Update privacy notices, as necessary. CC ID 13474 | Privacy protection for information and data | Preventive | |
| Redeliver privacy notices, as necessary. CC ID 14850 | Privacy protection for information and data | Preventive | |
| Deliver privacy notices to third parties, as necessary. CC ID 13473 | Privacy protection for information and data | Preventive | |
| Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 | Privacy protection for information and data | Preventive | |
| Deliver opt-out notices, as necessary. CC ID 13449 | Privacy protection for information and data | Preventive | |
| Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 | Privacy protection for information and data | Preventive | |
| Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 [{Department of Commerce} To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles; (iv) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (v) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request. § II.3.b.] | Privacy protection for information and data | Preventive | |
| Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 [{Department of Commerce} {adequate protection} An organization must subject to the Privacy Shield Principles all personal data received from the EU in reliance upon the Privacy Shield. The undertaking to adhere to the Privacy Shield Principles is not time-limited in respect of personal data received during the period in which the organization enjoys the benefits of the Privacy Shield. Its undertaking means that it will continue to apply the Principles to such data for as long as the organization stores, uses or discloses them, even if it subsequently leaves the Privacy Shield for any reason. An organization that withdraws from the Privacy Shield but wants to retain such data must affirm to the Department on an annual basis its commitment to continue to apply the Principles or provide "adequate" protection for the information by another authorized means (for example, using a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission); otherwise, the organization must return or delete the information. An organization that withdraws from the Privacy Shield must remove from any relevant privacy policy any references to the Privacy Shield that imply that the organization continues to actively participate in the Privacy Shield and is entitled to its benefits. § III.6.f.] | Privacy protection for information and data | Preventive | |
| Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 [{Department of Commerce} An organization that will cease to exist as a separate legal entity as a result of a merger or a takeover must notify the Department of this in advance. The notification should also indicate whether the acquiring entity or the entity resulting from the merger will (i) continue to be bound by the Privacy Shield Principles by the operation of law governing the takeover or merger or (ii) elect to self-certify its adherence to the Privacy Shield Principles or put in place other safeguards, such as a written agreement that will ensure adherence to the Privacy Shield Principles. Where neither (i) nor (ii) applies, any personal data that has been acquired under the Privacy Shield must be promptly deleted. § III.6.g.] | Privacy protection for information and data | Preventive | |
| Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 [{Department of Commerce} An organization that will cease to exist as a separate legal entity as a result of a merger or a takeover must notify the Department of this in advance. The notification should also indicate whether the acquiring entity or the entity resulting from the merger will (i) continue to be bound by the Privacy Shield Principles by the operation of law governing the takeover or merger or (ii) elect to self-certify its adherence to the Privacy Shield Principles or put in place other safeguards, such as a written agreement that will ensure adherence to the Privacy Shield Principles. Where neither (i) nor (ii) applies, any personal data that has been acquired under the Privacy Shield must be promptly deleted. § III.6.g.] | Privacy protection for information and data | Preventive | |
| Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 [{investigatory powers} An organization must inform individuals about: being subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or any other U.S. authorized statutory body, § II.1.a.x.] | Privacy protection for information and data | Preventive | |
| Notify data subjects about their privacy rights. CC ID 12989 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 [An organization must inform individuals about: the types of personal data collected and, where applicable, the entities or subsidiaries of the organization also adhering to the Principles, § II.1.a.ii.] | Privacy protection for information and data | Preventive | |
| Provide public proof the organization participates in a privacy program. CC ID 12349 [An organization must inform individuals about: its participation in the Privacy Shield and provide a link to, or the web address for, the Privacy Shield List, § II.1.a.i.] | Privacy protection for information and data | Preventive | |
| Disclose statements added to education records, as necessary. CC ID 12990 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 | Privacy protection for information and data | Preventive | |
| Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject, as necessary. CC ID 12625 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 | Privacy protection for information and data | Preventive | |
| Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 | Privacy protection for information and data | Preventive | |
| Disseminate private communications when required by law. CC ID 14335 | Privacy protection for information and data | Corrective | |
| Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 | Privacy protection for information and data | Preventive | |
| Submit approval applications to the supervisory authority. CC ID 16627 | Privacy protection for information and data | Preventive | |
| Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Preventive | |
| Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Privacy protection for information and data | Corrective | |
| Notify the data controller of any changes in data processors. CC ID 12648 | Privacy protection for information and data | Preventive | |
| Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Privacy protection for information and data | Preventive | |
| Disclose de-identified data, as necessary. CC ID 13034 | Privacy protection for information and data | Preventive | |
| Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Privacy protection for information and data | Corrective | |
| Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 | Privacy protection for information and data | Corrective | |
| Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 | Privacy protection for information and data | Corrective | |
| Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 | Privacy protection for information and data | Corrective | |
| Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 | Privacy protection for information and data | Preventive | |
| Capture personal data removal requests. CC ID 13507 | Privacy protection for information and data | Preventive | |
| Notify the data subject of the disclosure purpose. CC ID 15268 | Privacy protection for information and data | Preventive | |
| Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Privacy protection for information and data | Preventive | |
| Notify that data subject of any exclusions to requested personal data. CC ID 15271 | Privacy protection for information and data | Preventive | |
| Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Privacy protection for information and data | Preventive | |
| Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 | Privacy protection for information and data | Preventive | |
| Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 [An organization must inform individuals about: its liability in cases of onward transfers to third parties. § II.1.a.xiii.] | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 | Privacy protection for information and data | Preventive | |
| Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 | Privacy protection for information and data | Preventive | |
| Notify third parties of unresolved challenges. CC ID 13559 | Privacy protection for information and data | Preventive | |
| Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 | Privacy protection for information and data | Corrective | |
| Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 | Privacy protection for information and data | Preventive | |
Configuration | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Monitoring and measurement | Preventive | |
| Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Preventive | |
| Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Preventive | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Preventive | |
| Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 | Privacy protection for information and data | Preventive | |
Data and Information Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain a personal data transparency program. CC ID 00375 [An organization must inform individuals about: its commitment to subject to the Principles all personal data received from the EU in reliance on the Privacy Shield, § II.1.a.iii {Department of Commerce} The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self- certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. {Department of Commerce} The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self- certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. {Department of Commerce} The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self- certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. {Department of Commerce} The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self- certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. {law enforcement reasons} In order to provide transparency in respect of lawful requests by public authorities to access personal information, Privacy Shield organizations may voluntarily issue periodic transparency reports on the number of requests for personal information they receive by public authorities for law enforcement or national security reasons, to the extent such disclosures are permissible under applicable law. § III.16.a.] | Privacy protection for information and data | Preventive | |
| Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 | Privacy protection for information and data | Preventive | |
| Deliver notices to the intended parties. CC ID 06240 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain adequate openness procedures. CC ID 00377 | Privacy protection for information and data | Preventive | |
| Provide legal authorities access to personal data, upon request. CC ID 06818 | Privacy protection for information and data | Preventive | |
| Document the countries where restricted data may be stored. CC ID 12750 | Privacy protection for information and data | Preventive | |
| Protect the rights of students and their parents or legal representatives. CC ID 00222 | Privacy protection for information and data | Preventive | |
| Disclose educational data, as necessary. CC ID 00223 | Privacy protection for information and data | Preventive | |
| Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 | Privacy protection for information and data | Preventive | |
| Disclose education records when written consent is received. CC ID 00224 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to other school officials. CC ID 00226 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to another institution's school officials. CC ID 00227 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent in connection with financial aid. CC ID 00229 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to accrediting organizations. CC ID 00231 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent for a health and safety emergency. CC ID 00234 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent when it is merely directory information. CC ID 00235 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to a crime victim. CC ID 00236 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [{database} Access can be provided in the form of disclosure of the relevant personal information by an organization to the individual and does not require access by the individual to an organization's data base. § III.8.d.i. Access needs to be provided only to the extent that an organization stores the personal information. The Access Principle does not itself create any obligation to retain, maintain, reorganize, or restructure personal information files. § III.8.d.ii. Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated. § II.6.a. {personal data} The Access Principle means that individuals have the right to: have communicated to them such data so that they could verify its accuracy and the lawfulness of the processing; and § III.8.a.i.2.] | Privacy protection for information and data | Preventive | |
| Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 [The organization should answer requests from an individual concerning the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data is disclosed. § III.8.a.i.1. Footnote 1] | Privacy protection for information and data | Preventive | |
| Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 | Privacy protection for information and data | Preventive | |
| Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 [An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. Individuals must be provided with clear, conspicuous, and readily available mechanisms to exercise choice. § II.2.a. {ability} Generally, the purpose of the Choice Principle is to ensure that personal information is used and disclosed in ways that are consistent with the individual's expectations and choices. Accordingly, an individual should be able to exercise "opt out" choice of having personal information used for direct marketing at any time subject to reasonable limits established by the organization, such as giving the organization time to make the opt out effective. An organization may also require sufficient information to confirm the identity of the individual requesting the "opt out." In the United States, individuals may be able to exercise this option through the use of a central "opt out" program such as the Direct Marketing Association's Mail Preference Service. Organizations that participate in the Direct Marketing Association's Mail Preference Service should promote its availability to consumers who do not wish to receive commercial information. In any event, an individual should be given a readily available and affordable mechanism to exercise this option. § III.12.a.] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 | Privacy protection for information and data | Preventive | |
| Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 | Privacy protection for information and data | Preventive | |
| Refrain from obtaining consent through deception. CC ID 13556 | Privacy protection for information and data | Preventive | |
| Give individuals the ability to change the uses of their personal data. CC ID 00469 | Privacy protection for information and data | Preventive | |
| Notify data subjects of the implications of withdrawing consent. CC ID 13551 | Privacy protection for information and data | Preventive | |
| Cooperate with Data Protection Authorities. CC ID 06870 [{Department of Commerce} Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department. Organizations that have chosen to cooperate with DPAs, including organizations that process human resources data, must respond directly to such authorities with regard to the investigation and resolution of complaints § II.7.b. {Department of Commerce} Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department. Organizations that have chosen to cooperate with DPAs, including organizations that process human resources data, must respond directly to such authorities with regard to the investigation and resolution of complaints § II.7.b. {unfair act or practice}{deceptive act or practice}{Department of Commerce} Organizations must retain their records on the implementation of their Privacy Shield privacy practices and make them available upon request in the context of an investigation or a complaint about non-compliance to the independent body responsible for investigating complaints or to the agency with unfair and deceptive practices jurisdiction. Organizations must also respond promptly to inquiries and other requests for information from the Department relating to the organization's adherence to the Principles. § III.7.e. {unfair act or practice}{deceptive act or practice}{Department of Commerce} Organizations must retain their records on the implementation of their Privacy Shield privacy practices and make them available upon request in the context of an investigation or a complaint about non-compliance to the independent body responsible for investigating complaints or to the agency with unfair and deceptive practices jurisdiction. Organizations must also respond promptly to inquiries and other requests for information from the Department relating to the organization's adherence to the Principles. § III.7.e. A U.S. organization participating in the Privacy Shield that uses EU human resources data transferred from the European Union in the context of the employment relationship and that wishes such transfers to be covered by the Privacy Shield must therefore commit to cooperate in investigations by and to comply with the advice of competent EU authorities in such cases. § III.9.d.ii. {comply}{privacy rights violation complaint}{legal authority} The Recourse, Enforcement and Liability Principle sets out the requirements for Privacy Shield enforcement. How to meet the requirements of point (a)(ii) of the Principle is set out in the Supplemental Principle on Verification. This Supplemental Principle addresses points (a)(i) and (a)(iii), both of which require independent recourse mechanisms. These mechanisms may take different forms, but they must meet the Recourse, Enforcement and Liability Principle's requirements. Organizations satisfy the requirements through the following: (i) compliance with private sector developed privacy programs that incorporate the Privacy Shield Principles into their rules and that include effective enforcement mechanisms of the type described in the Recourse, Enforcement and Liability Principle; (ii) compliance with legal or regulatory supervisory authorities that provide for handling of individual complaints and dispute resolution; or (iii) commitment to cooperate with data protection authorities located in the European Union or their authorized representatives. § III.11.a. {Department of Commerce} In order to help ensure compliance with their Privacy Shield commitments and to support the administration of the program, organizations, as well as their independent recourse mechanisms, must provide information relating to the Privacy Shield when requested by the Department. In addition, organizations must respond expeditiously to complaints regarding their compliance with the Principles referred through the Department by DPAs. The response should address whether the complaint has merit and, if so, how the organization will rectify the problem. The Department will protect the confidentiality of information it receives in accordance with U.S. law. § III.11.c.] | Privacy protection for information and data | Preventive | |
| Display or print the least amount of personal data necessary. CC ID 04643 | Privacy protection for information and data | Preventive | |
| Redact confidential information from public information, as necessary. CC ID 06872 [Where confidential commercial information can be readily separated from other personal information subject to an access request, the organization should redact the confidential commercial information and make available the non-confidential information. § III.8.c.ii.] | Privacy protection for information and data | Preventive | |
| Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Privacy protection for information and data | Preventive | |
| Dispose of media and restricted data in a timely manner. CC ID 00125 [{Department of Commerce} {adequate protection} An organization must subject to the Privacy Shield Principles all personal data received from the EU in reliance upon the Privacy Shield. The undertaking to adhere to the Privacy Shield Principles is not time-limited in respect of personal data received during the period in which the organization enjoys the benefits of the Privacy Shield. Its undertaking means that it will continue to apply the Principles to such data for as long as the organization stores, uses or discloses them, even if it subsequently leaves the Privacy Shield for any reason. An organization that withdraws from the Privacy Shield but wants to retain such data must affirm to the Department on an annual basis its commitment to continue to apply the Principles or provide "adequate" protection for the information by another authorized means (for example, using a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission); otherwise, the organization must return or delete the information. An organization that withdraws from the Privacy Shield must remove from any relevant privacy policy any references to the Privacy Shield that imply that the organization continues to actively participate in the Privacy Shield and is entitled to its benefits. § III.6.f. {Department of Commerce} An organization that will cease to exist as a separate legal entity as a result of a merger or a takeover must notify the Department of this in advance. The notification should also indicate whether the acquiring entity or the entity resulting from the merger will (i) continue to be bound by the Privacy Shield Principles by the operation of law governing the takeover or merger or (ii) elect to self-certify its adherence to the Privacy Shield Principles or put in place other safeguards, such as a written agreement that will ensure adherence to the Privacy Shield Principles. Where neither (i) nor (ii) applies, any personal data that has been acquired under the Privacy Shield must be promptly deleted. § III.6.g.] | Privacy protection for information and data | Preventive | |
| Provide individuals with information about where their personal data was processed. CC ID 00415 | Privacy protection for information and data | Preventive | |
| Provide individuals with information about the processing purpose of their personal data. CC ID 00416 [The organization should answer requests from an individual concerning the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data is disclosed. § III.8.a.i.1. Footnote 1] | Privacy protection for information and data | Preventive | |
| Provide individuals with information about disclosure of their personal data. CC ID 00417 [{national security requirement} An organization must inform individuals about: the requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, and § II.1.a.xii.] | Privacy protection for information and data | Preventive | |
| Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Privacy protection for information and data | Preventive | |
| Provide assistance to requesters in preparing data access requests. CC ID 13588 | Privacy protection for information and data | Preventive | |
| Delay responding to data access requests, as necessary. CC ID 15504 | Privacy protection for information and data | Preventive | |
| Expedite the processing of data access requests, as necessary. CC ID 15496 | Privacy protection for information and data | Preventive | |
| Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Privacy protection for information and data | Preventive | |
| Document the outcome of the personal data access request review procedure. CC ID 00455 | Privacy protection for information and data | Preventive | |
| Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Privacy protection for information and data | Preventive | |
| Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 [An organization is not required to obtain affirmative express consent (opt in) with respect to sensitive data where the processing is: required to provide medical care or diagnosis; § III.1.a.iii.] | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Privacy protection for information and data | Preventive | |
| Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Privacy protection for information and data | Preventive | |
| Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Privacy protection for information and data | Preventive | |
| Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Privacy protection for information and data | Preventive | |
| Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Privacy protection for information and data | Preventive | |
| Process personal data after the data subject has granted explicit consent. CC ID 00180 | Privacy protection for information and data | Preventive | |
| Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 [An organization is not required to obtain affirmative express consent (opt in) with respect to sensitive data where the processing is: necessary for the establishment of legal claims or defenses; § III.1.a.ii. {due diligence review} {statutory requirements} The activities of auditors and investment bankers may involve processing personal data without the consent or knowledge of the individual. This is permitted by the Notice, Choice, and Access Principles under the circumstances described below. Public stock corporations and closely held companies, including Privacy Shield organizations, are regularly subject to audits. Such audits, particularly those looking into potential wrongdoing, may be jeopardized if disclosed prematurely. Similarly, a Privacy Shield organization involved in a potential merger or takeover will need to perform, or be the subject of, a "due diligence" review. This will often entail the collection and processing of personal data, such as information on senior executives and other key personnel. Premature disclosure could impede the transaction or even violate applicable securities regulation. Investment bankers and attorneys engaged in due diligence, or auditors conducting an audit, may process information without knowledge of the individual only to the extent and for the period necessary to meet statutory or public interest requirements and in other circumstances in which the application of these Principles would prejudice the legitimate interests of the organization. These legitimate interests include the monitoring of organizations' compliance with their legal obligations and legitimate accounting activities, and the need for confidentiality connected with possible acquisitions, mergers, joint ventures, or other similar transactions carried out by investment bankers or auditors. § III.4.b.] | Privacy protection for information and data | Preventive | |
| Process personal data relating to criminal offenses when required by law. CC ID 00237 | Privacy protection for information and data | Preventive | |
| Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 | Privacy protection for information and data | Preventive | |
| Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 | Privacy protection for information and data | Preventive | |
| Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Privacy protection for information and data | Preventive | |
| Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [An organization is not required to obtain affirmative express consent (opt in) with respect to sensitive data where the processing is: carried out in the course of legitimate activities by a foundation, association or any other non-profit body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to the persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; § III.1.a.iv. {Notice Principle} For occasional employment-related operational needs of the Privacy Shield organization with respect to personal data transferred under the Privacy Shield, such as the booking of a flight, hotel room, or insurance coverage, transfers of personal data of a small number of employees can take place to controllers without application of the Access Principle or entering into a contract with the third-party controller, as otherwise required under the Accountability for Onward Transfer Principle, provided that the Privacy Shield organization has complied with the Notice and Choice Principles. § III.9.e.i. {due diligence review} {statutory requirements} The activities of auditors and investment bankers may involve processing personal data without the consent or knowledge of the individual. This is permitted by the Notice, Choice, and Access Principles under the circumstances described below. Public stock corporations and closely held companies, including Privacy Shield organizations, are regularly subject to audits. Such audits, particularly those looking into potential wrongdoing, may be jeopardized if disclosed prematurely. Similarly, a Privacy Shield organization involved in a potential merger or takeover will need to perform, or be the subject of, a "due diligence" review. This will often entail the collection and processing of personal data, such as information on senior executives and other key personnel. Premature disclosure could impede the transaction or even violate applicable securities regulation. Investment bankers and attorneys engaged in due diligence, or auditors conducting an audit, may process information without knowledge of the individual only to the extent and for the period necessary to meet statutory or public interest requirements and in other circumstances in which the application of these Principles would prejudice the legitimate interests of the organization. These legitimate interests include the monitoring of organizations' compliance with their legal obligations and legitimate accounting activities, and the need for confidentiality connected with possible acquisitions, mergers, joint ventures, or other similar transactions carried out by investment bankers or auditors. § III.4.b. To the extent and for the period necessary to avoid prejudicing the ability of the organization in making promotions, appointments, or other similar employment decisions, an organization does not need to offer notice and choice. § III.9.b.iv.] | Privacy protection for information and data | Preventive | |
| Process traffic data in a controlled manner. CC ID 00130 | Privacy protection for information and data | Preventive | |
| Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 | Privacy protection for information and data | Preventive | |
| Process personal data when it is publicly accessible. CC ID 00187 [An organization is not required to obtain affirmative express consent (opt in) with respect to sensitive data where the processing is: related to data that are manifestly made public by the individual. § III.1.a.vi.] | Privacy protection for information and data | Preventive | |
| Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Privacy protection for information and data | Preventive | |
| Process personal data for the purposes of employment. CC ID 16527 | Privacy protection for information and data | Preventive | |
| Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 | Privacy protection for information and data | Preventive | |
| Process personal data for debt collection or benefit payments. CC ID 00190 | Privacy protection for information and data | Preventive | |
| Process personal data in order to advance the public interest. CC ID 00191 | Privacy protection for information and data | Preventive | |
| Process personal data for surveys, archives, or scientific research. CC ID 00192 [Participants may decide or be asked to withdraw from a clinical trial at any time. Any personal data collected previous to withdrawal may still be processed along with other data collected as part of the clinical trial, however, if this was made clear to the participant in the notice at the time he or she agreed to participate. § III.14.c.i.] | Privacy protection for information and data | Preventive | |
| Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Privacy protection for information and data | Preventive | |
| Process personal data for academic purposes or religious purposes. CC ID 00194 | Privacy protection for information and data | Preventive | |
| Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Privacy protection for information and data | Preventive | |
| Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Privacy protection for information and data | Preventive | |
| Follow legal obligations while processing personal data. CC ID 04794 | Privacy protection for information and data | Preventive | |
| Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent in order to perform a contract. CC ID 13586 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is needed by law. CC ID 13577 | Privacy protection for information and data | Preventive | |
| Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is from publicly available information. CC ID 13576 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent to create a credit report. CC ID 15288 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when produced for business purposes. CC ID 13563 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent for handling insurance claims. CC ID 13561 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent for life-threatening emergencies. CC ID 13558 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent for reasonable investigative purposes. CC ID 13557 | Privacy protection for information and data | Preventive | |
| Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 | Privacy protection for information and data | Preventive | |
| Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 | Privacy protection for information and data | Detective | |
| Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when the law does not require consent. CC ID 00136 | Privacy protection for information and data | Preventive | |
| Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 | Privacy protection for information and data | Preventive | |
| Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent to create a credit report. CC ID 15297 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent for handling insurance claims. CC ID 13585 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent in order to perform a contract. CC ID 00139 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 | Privacy protection for information and data | Preventive | |
| Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 | Privacy protection for information and data | Preventive | |
| Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 | Privacy protection for information and data | Preventive | |
| Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent for public economic interests. CC ID 00148 | Privacy protection for information and data | Preventive | |
| Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 [{Notice Principle}{Choice Principle}{Accountability for Onward Transfer Principle} It is not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to public record information, as long as it is not combined with non-public record information, and any conditions for consultation established by the relevant jurisdiction are respected. Also, it is generally not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to publicly available information unless the European transferor indicates that such information is subject to restrictions that require application of those Principles by the organization for the uses it intends. Organizations will have no liability for how such information is used by those obtaining such information from published materials. § III.15.b.] | Privacy protection for information and data | Preventive | |
| Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when it is needed by law. CC ID 00163 [An organization is not required to obtain affirmative express consent (opt in) with respect to sensitive data where the processing is: necessary to carry out the organization's obligations in the field of employment law; or § III.1.a.v. {Notice Principle}{Choice Principle}{personal data transfer} Pharmaceutical and medical device companies are allowed to provide personal data from clinical trials conducted in the EU to regulators in the United States for regulatory and supervision purposes. Similar transfers are allowed to parties other than regulators, such as company locations and other researchers, consistent with the Principles of Notice and Choice. § III.14.d.i. {shall not impair} Absence of notice in accordance with point (a)(xii) of the Notice Principle shall not prevent or impair an organization's ability to respond to any lawful request. § III.16.c.] | Privacy protection for information and data | Preventive | |
| Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 | Privacy protection for information and data | Preventive | |
| Limit the redisclosure and reuse of restricted data. CC ID 00168 | Privacy protection for information and data | Preventive | |
| Refrain from redisclosing or reusing restricted data. CC ID 00169 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data when the data subject consents. CC ID 00171 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data in order to protect public revenue. CC ID 00173 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data in order to preserve human life at sea. CC ID 00177 | Privacy protection for information and data | Preventive | |
| Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 [For sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), organizations must obtain affirmative express consent (opt in) from individuals if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt- in choice. In addition, an organization should treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive. § II.2.c.] | Privacy protection for information and data | Preventive | |
| Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 | Privacy protection for information and data | Preventive | |
| Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Privacy protection for information and data | Preventive | |
| Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Privacy protection for information and data | Preventive | |
| Process Personal Identification Numbers with consent. CC ID 00239 | Privacy protection for information and data | Preventive | |
| Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Privacy protection for information and data | Preventive | |
| Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Privacy protection for information and data | Preventive | |
| Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Privacy protection for information and data | Preventive | |
| Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Privacy protection for information and data | Preventive | |
| Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Privacy protection for information and data | Preventive | |
| Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Privacy protection for information and data | Preventive | |
| Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Privacy protection for information and data | Preventive | |
| Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Privacy protection for information and data | Preventive | |
| Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 | Privacy protection for information and data | Preventive | |
| Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Privacy protection for information and data | Preventive | |
| Review personal data disclosure requests. CC ID 07129 | Privacy protection for information and data | Preventive | |
| Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Privacy protection for information and data | Preventive | |
| Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Privacy protection for information and data | Preventive | |
| Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Privacy protection for information and data | Preventive | |
| Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [Confidential commercial information is information that an organization has taken steps to protect from disclosure, where disclosure would help a competitor in the market. Organizations may deny or limit access to the extent that granting full access would reveal its own confidential commercial information, such as marketing inferences or classifications generated by the organization, or the confidential commercial information of another that is subject to a contractual obligation of confidentiality. § III.8.c.i. {personal data} Other reasons for denying or limiting access are: prejudicing the confidentiality necessary in monitoring, inspection or regulatory functions connected with sound management, or in future or ongoing negotiations involving the organization. § III.8.e.i.5.] | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Privacy protection for information and data | Preventive | |
| Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Privacy protection for information and data | Preventive | |
| Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Privacy protection for information and data | Preventive | |
| Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 [As organizations must always make good faith efforts to provide individuals with access to their personal data, the circumstances in which organizations may restrict such access are limited, and any reasons for restricting access must be specific. As under the Directive, an organization can restrict access to information to the extent that disclosure is likely to interfere with the safeguarding of important countervailing public interests, such as national security; defense; or public security. In addition, where personal information is processed solely for research or statistical purposes, access may be denied. Other reasons for denying or limiting access are: § III.8.e.i. {clinical trial}{personal data} Agreement to participate in the trial under these conditions is a reasonable forgoing of the right of access. Following the conclusion of the trial and analysis of the results, participants should have access to their data if they request it. They should seek it primarily from the physician or other health care provider from whom they received treatment within the clinical trial, or secondarily from the sponsoring organization. § III.14.e.ii. To ensure objectivity in many clinical trials, participants, and often investigators as well, cannot be given access to information about which treatment each participant may be receiving. Doing so would jeopardize the validity of the research study and results. Participants in such clinical trials (referred to as "blinded" studies) do not have to be provided access to the data on their treatment during the trial if this restriction has been explained when the participant entered the trial and the disclosure of such information would jeopardize the integrity of the research effort. § III.14.e.i.] | Privacy protection for information and data | Preventive | |
| Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Privacy protection for information and data | Detective | |
| Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 [The right of access to personal data may be restricted in exceptional circumstances where the legitimate rights of persons other than the individual would be violated or where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question. Expense and burden are important factors and should be taken into account but they are not controlling factors in determining whether providing access is reasonable. § III.8.b.i. {personal data} Other reasons for denying or limiting access are: disclosure where the legitimate rights or important interests of others would be violated; § III.8.e.i.2.] | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 [As organizations must always make good faith efforts to provide individuals with access to their personal data, the circumstances in which organizations may restrict such access are limited, and any reasons for restricting access must be specific. As under the Directive, an organization can restrict access to information to the extent that disclosure is likely to interfere with the safeguarding of important countervailing public interests, such as national security; defense; or public security. In addition, where personal information is processed solely for research or statistical purposes, access may be denied. Other reasons for denying or limiting access are: § III.8.e.i.] | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 [{personal data} Other reasons for denying or limiting access are: interference with the execution or enforcement of the law or with private causes of action, including the prevention, investigation or detection of offenses or the right to a fair trial; § III.8.e.i.1.] | Privacy protection for information and data | Preventive | |
| Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 [{personal data} Other reasons for denying or limiting access are: prejudicing employee security investigations or grievance proceedings or in connection with employee succession planning and corporate re-organizations; or § III.8.e.i.4.] | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 [{personal data} Other reasons for denying or limiting access are: prejudicing employee security investigations or grievance proceedings or in connection with employee succession planning and corporate re-organizations; or § III.8.e.i.4.] | Privacy protection for information and data | Preventive | |
| Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 [The right of access to personal data may be restricted in exceptional circumstances where the legitimate rights of persons other than the individual would be violated or where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question. Expense and burden are important factors and should be taken into account but they are not controlling factors in determining whether providing access is reasonable. § III.8.b.i.] | Privacy protection for information and data | Preventive | |
| Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [Consistent with the fundamental nature of access, organizations should always make good faith efforts to provide access. For example, where certain information needs to be protected and can be readily separated from other personal information subject to an access request, the organization should redact the protected information and make available the other information. If an organization determines that access should be restricted in any particular instance, it should provide the individual requesting access with an explanation of why it has made that determination and a contact point for any further inquiries. § III.8.a.iii. {personal data access request} An organization which claims an exception has the burden of demonstrating its necessity, and the reasons for restricting access and a contact point for further inquiries should be given to individuals. § III.8.e.ii.] | Privacy protection for information and data | Preventive | |
| Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [{is not used} For example, if the personal information is used for decisions that will significantly affect the individual, then consistent with the other provisions of these Supplemental Principles, the organization would have to disclose that information even if it is relatively difficult or expensive to provide. If the personal information requested is not sensitive or not used for decisions that will significantly affect the individual, but is readily available and inexpensive to provide, an organization would have to provide access to such information. § III.8.b.ii.] | Privacy protection for information and data | Preventive | |
| Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 [{personal data} An organization is not required to provide access unless it is supplied with sufficient information to allow it to confirm the identity of the person making the request. § III.8.h.i. {ability} Generally, the purpose of the Choice Principle is to ensure that personal information is used and disclosed in ways that are consistent with the individual's expectations and choices. Accordingly, an individual should be able to exercise "opt out" choice of having personal information used for direct marketing at any time subject to reasonable limits established by the organization, such as giving the organization time to make the opt out effective. An organization may also require sufficient information to confirm the identity of the individual requesting the "opt out." In the United States, individuals may be able to exercise this option through the use of a central "opt out" program such as the Direct Marketing Association's Mail Preference Service. Organizations that participate in the Direct Marketing Association's Mail Preference Service should promote its availability to consumers who do not wish to receive commercial information. In any event, an individual should be given a readily available and affordable mechanism to exercise this option. § III.12.a.] | Privacy protection for information and data | Preventive | |
| Provide data or records in a reasonable time frame. CC ID 00429 [An organization may set reasonable limits on the number of times within a given period that access requests from a particular individual will be met. In setting such limitations, an organization should consider such factors as the frequency with which information is updated, the purpose for which the data are used, and the nature of the information. § III.8.g.i.] | Privacy protection for information and data | Preventive | |
| Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Privacy protection for information and data | Preventive | |
| Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Privacy protection for information and data | Preventive | |
| Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Privacy protection for information and data | Preventive | |
| Provide data at a cost that is not excessive. CC ID 00430 [An individual has the right to obtain confirmation of whether or not this organization has personal data relating to him or her. An individual also has the right to have communicated to him or her personal data relating to him or her. An organization may charge a fee that is not excessive. § III.8.f.i. Charging a fee may be justified, for example, where requests for access are manifestly excessive, in particular because of their repetitive character. § III.8.f.ii. As with public record information, it is not necessary to provide access to information that is already publicly available to the public at large, as long as it is not combined with non-publicly available information. Organizations that are in the business of selling publicly available information may charge the organization's customary fee in responding to requests for access. Alternatively, individuals may seek access to their information from the organization that originally compiled the data. § III.15.e.] | Privacy protection for information and data | Preventive | |
| Provide records or data in a reasonable manner. CC ID 00431 [As organizations must always make good faith efforts to provide individuals with access to their personal data, the circumstances in which organizations may restrict such access are limited, and any reasons for restricting access must be specific. As under the Directive, an organization can restrict access to information to the extent that disclosure is likely to interfere with the safeguarding of important countervailing public interests, such as national security; defense; or public security. In addition, where personal information is processed solely for research or statistical purposes, access may be denied. Other reasons for denying or limiting access are: § III.8.e.i. Where confidential commercial information can be readily separated from other personal information subject to an access request, the organization should redact the confidential commercial information and make available the non-confidential information. § III.8.c.ii. {personal data access request} Organizations should respond to access requests within a reasonable time period, in a reasonable manner, and in a form that is readily intelligible to the individual. An organization that provides information to data subjects at regular intervals may satisfy an individual access request with its regular disclosure if it would not constitute an excessive delay. § III.8.i.i.] | Privacy protection for information and data | Preventive | |
| Provide personal data in a form that is intelligible. CC ID 00432 [{personal data access request} Organizations should respond to access requests within a reasonable time period, in a reasonable manner, and in a form that is readily intelligible to the individual. An organization that provides information to data subjects at regular intervals may satisfy an individual access request with its regular disclosure if it would not constitute an excessive delay. § III.8.i.i.] | Privacy protection for information and data | Preventive | |
| Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Privacy protection for information and data | Preventive | |
| Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Privacy protection for information and data | Preventive | |
| Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Privacy protection for information and data | Preventive | |
| Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 | Privacy protection for information and data | Preventive | |
| Refrain from collecting personal data, as necessary. CC ID 15269 | Privacy protection for information and data | Preventive | |
| Use personal data for specified purposes. CC ID 11831 [{is accurate} {is complete} {is current} Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. An organization must adhere to the Principles for as long as it retains such information. § II.5.a. {is accurate} {is complete} {is current} Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. An organization must adhere to the Principles for as long as it retains such information. § II.5.a.] | Privacy protection for information and data | Preventive | |
| Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 | Privacy protection for information and data | Preventive | |
| Provide explicit consent that is clear and unambiguous. CC ID 00181 | Privacy protection for information and data | Preventive | |
| Allow individuals to change their personal data collection consent preferences. CC ID 06946 | Privacy protection for information and data | Preventive | |
| Adhere to each individual's personal data collection consent preferences. CC ID 06947 [In addition, employers should make reasonable efforts to accommodate employee privacy preferences. This could include, for example, restricting access to the personal data, anonymizing certain data, or assigning codes or pseudonyms when the actual names are not required for the management purpose at hand. § III.9.b.iii.] | Privacy protection for information and data | Preventive | |
| Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 | Privacy protection for information and data | Preventive | |
| Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 | Privacy protection for information and data | Preventive | |
| Include an individual's name in the personal data definition. CC ID 04710 | Privacy protection for information and data | Preventive | |
| Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 | Privacy protection for information and data | Preventive | |
| Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 | Privacy protection for information and data | Preventive | |
| Include an individual's signature in the personal data definition. CC ID 04711 | Privacy protection for information and data | Preventive | |
| Include an individual's date of birth in the personal data definition. CC ID 04770 | Privacy protection for information and data | Preventive | |
| Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 | Privacy protection for information and data | Preventive | |
| Include an individual's biometric data in the personal data definition. CC ID 04698 | Privacy protection for information and data | Preventive | |
| Include an individual's photographic image in the personal data definition. CC ID 04779 | Privacy protection for information and data | Preventive | |
| Include an individual's fingerprints in the personal data definition. CC ID 04689 | Privacy protection for information and data | Preventive | |
| Include an individual's address in the personal data definition. CC ID 04687 | Privacy protection for information and data | Preventive | |
| Include an individual's telephone number in the personal data definition. CC ID 04688 | Privacy protection for information and data | Preventive | |
| Include an individual's fax number in the personal data definition. CC ID 07120 | Privacy protection for information and data | Preventive | |
| Include an individual's financial account number in the personal data definition. CC ID 04692 | Privacy protection for information and data | Preventive | |
| Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 | Privacy protection for information and data | Preventive | |
| Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 | Privacy protection for information and data | Preventive | |
| Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 | Privacy protection for information and data | Preventive | |
| Include an individual's passport number in the personal data definition. CC ID 04713 | Privacy protection for information and data | Preventive | |
| Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 | Privacy protection for information and data | Preventive | |
| Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 | Privacy protection for information and data | Preventive | |
| Include an individual's e-mail address in the personal data definition. CC ID 04696 | Privacy protection for information and data | Preventive | |
| Include electronic signatures in the personal data definition. CC ID 04697 | Privacy protection for information and data | Preventive | |
| Include an individual's payment card information in the personal data definition. CC ID 04751 | Privacy protection for information and data | Preventive | |
| Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 | Privacy protection for information and data | Preventive | |
| Include an individual's payment card service code in the personal data definition. CC ID 04753 | Privacy protection for information and data | Preventive | |
| Include an individual's payment card expiration date in the personal data definition. CC ID 04755 | Privacy protection for information and data | Preventive | |
| Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 | Privacy protection for information and data | Preventive | |
| Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 | Privacy protection for information and data | Preventive | |
| Include an individual's medical history in the personal data definition. CC ID 04701 | Privacy protection for information and data | Preventive | |
| Include an individual's medical treatment in the personal data definition. CC ID 04702 | Privacy protection for information and data | Preventive | |
| Include an individual's medical diagnosis in the personal data definition. CC ID 04703 | Privacy protection for information and data | Preventive | |
| Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 | Privacy protection for information and data | Preventive | |
| Include an individual's medical record numbers in the personal data definition. CC ID 07121 | Privacy protection for information and data | Preventive | |
| Include an individual's health insurance information in the personal data definition. CC ID 04705 | Privacy protection for information and data | Preventive | |
| Include an individual's health insurance policy number in the personal data definition. CC ID 04706 | Privacy protection for information and data | Preventive | |
| Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 | Privacy protection for information and data | Preventive | |
| Include an individual's education information in the personal data definition. CC ID 04714 | Privacy protection for information and data | Preventive | |
| Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 | Privacy protection for information and data | Preventive | |
| Include an individual's employment information in the personal data definition. CC ID 04715 | Privacy protection for information and data | Preventive | |
| Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 | Privacy protection for information and data | Preventive | |
| Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 | Privacy protection for information and data | Preventive | |
| Include an individual's employment history in the personal data definition. CC ID 04716 | Privacy protection for information and data | Preventive | |
| Include an individual's place of employment in the personal data definition. CC ID 04765 | Privacy protection for information and data | Preventive | |
| Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 | Privacy protection for information and data | Preventive | |
| Include an individual's property information in the personal data definition. CC ID 04780 | Privacy protection for information and data | Preventive | |
| Include an individual's property title in the personal data definition. CC ID 04781 | Privacy protection for information and data | Preventive | |
| Include an individual's vehicle registration in the personal data definition. CC ID 04782 | Privacy protection for information and data | Preventive | |
| Include hardware asset identification information in the personal data definition. CC ID 07123 | Privacy protection for information and data | Preventive | |
| Include MAC addresses in the personal data definition. CC ID 04778 | Privacy protection for information and data | Preventive | |
| Include Internet Protocol addresses in the personal data definition. CC ID 04777 | Privacy protection for information and data | Preventive | |
| Include asset serial numbers in the personal data definition. CC ID 07124 | Privacy protection for information and data | Preventive | |
| Include Uniform Resource Locators in the personal data definition. CC ID 07125 | Privacy protection for information and data | Preventive | |
| Define specially restricted data. CC ID 00037 | Privacy protection for information and data | Preventive | |
| Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Privacy protection for information and data | Preventive | |
| Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 | Privacy protection for information and data | Preventive | |
| Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 | Privacy protection for information and data | Preventive | |
| Implement a nondiscrimination principle. CC ID 00081 | Privacy protection for information and data | Preventive | |
| Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 | Privacy protection for information and data | Preventive | |
| Preserve each individual's right to human dignity. CC ID 00082 | Privacy protection for information and data | Preventive | |
| Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 | Privacy protection for information and data | Preventive | |
| Collect Personal Identification Numbers with the individual's consent. CC ID 00059 | Privacy protection for information and data | Preventive | |
| Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 | Privacy protection for information and data | Preventive | |
| Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 | Privacy protection for information and data | Preventive | |
| Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 | Privacy protection for information and data | Preventive | |
| Manage health data collection. CC ID 00050 | Privacy protection for information and data | Preventive | |
| Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 | Privacy protection for information and data | Preventive | |
| Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 | Privacy protection for information and data | Preventive | |
| Collect Individually Identifiable Health Information for research. CC ID 00054 | Privacy protection for information and data | Preventive | |
| Remove personal data before disclosing health data. CC ID 00055 | Privacy protection for information and data | Preventive | |
| Give special attention to collecting children's data. CC ID 00038 | Privacy protection for information and data | Preventive | |
| Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Privacy protection for information and data | Preventive | |
| Collect personal data directly from the data subject. CC ID 00011 | Privacy protection for information and data | Preventive | |
| Create and manage user account aliases to maintain pseudonymity. CC ID 04549 | Privacy protection for information and data | Preventive | |
| Provide unlinkability for users and resources. CC ID 04550 | Privacy protection for information and data | Preventive | |
| Collect restricted data in a fair and lawful manner. CC ID 00010 | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 [An organization is not required to obtain affirmative express consent (opt in) with respect to sensitive data where the processing is: in the vital interests of the data subject or another person; § III.1.a.i.] | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent in order to make a disclosure. CC ID 13550 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent for handling insurance claims. CC ID 13543 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 | Privacy protection for information and data | Preventive | |
| Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 [Personal information that is gathered for publication, broadcast, or other forms of public communication of journalistic material, whether used or not, as well as information found in previously published material disseminated from media archives, is not subject to the requirements of the Privacy Shield Principles. § III.2.b.] | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent from publicly available information. CC ID 00019 [{Notice Principle}{Choice Principle}{Accountability for Onward Transfer Principle} It is not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to public record information, as long as it is not combined with non-public record information, and any conditions for consultation established by the relevant jurisdiction are respected. Also, it is generally not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to publicly available information unless the European transferor indicates that such information is subject to restrictions that require application of those Principles by the organization for the uses it intends. Organizations will have no liability for how such information is used by those obtaining such information from published materials. § III.15.b.] | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent when needed by law. CC ID 00020 [{pharmaceutical company} {Notice Principle} {Choice Principle} {Accountability for Onward Transfer Principle} {Access Principle} A pharmaceutical or medical device company does not have to apply the Privacy Shield Principles with respect to the Notice, Choice, Accountability for Onward Transfer, and Access Principles in its product safety and efficacy monitoring activities, including the reporting of adverse events and the tracking of patients/subjects using certain medicines or medical devices, to the extent that adherence to the Principles interferes with compliance with regulatory requirements. This is true both with respect to reports by, for example, health care providers to pharmaceutical and medical device companies, and with respect to reports by pharmaceutical and medical device companies to government agencies like the Food and Drug Administration. § III.14.f.i.] | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent to create a credit report. CC ID 15287 | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 | Privacy protection for information and data | Preventive | |
| Collect the minimum amount of restricted data necessary. CC ID 00078 | Privacy protection for information and data | Preventive | |
| Collect restricted data in a proper information framework. CC ID 00009 | Privacy protection for information and data | Preventive | |
| Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 | Privacy protection for information and data | Preventive | |
| Collect restricted data when required by law. CC ID 00031 | Privacy protection for information and data | Preventive | |
| Collect restricted data to prevent life-threatening emergencies. CC ID 00032 | Privacy protection for information and data | Preventive | |
| Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 [An organization is not required to obtain affirmative express consent (opt in) with respect to sensitive data where the processing is: carried out in the course of legitimate activities by a foundation, association or any other non-profit body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to the persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; § III.1.a.iv.] | Privacy protection for information and data | Preventive | |
| Collect restricted data for legal purposes. CC ID 00036 | Privacy protection for information and data | Preventive | |
| Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 [{Department of Commerce} {adequate protection} An organization must subject to the Privacy Shield Principles all personal data received from the EU in reliance upon the Privacy Shield. The undertaking to adhere to the Privacy Shield Principles is not time-limited in respect of personal data received during the period in which the organization enjoys the benefits of the Privacy Shield. Its undertaking means that it will continue to apply the Principles to such data for as long as the organization stores, uses or discloses them, even if it subsequently leaves the Privacy Shield for any reason. An organization that withdraws from the Privacy Shield but wants to retain such data must affirm to the Department on an annual basis its commitment to continue to apply the Principles or provide "adequate" protection for the information by another authorized means (for example, using a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission); otherwise, the organization must return or delete the information. An organization that withdraws from the Privacy Shield must remove from any relevant privacy policy any references to the Privacy Shield that imply that the organization continues to actively participate in the Privacy Shield and is entitled to its benefits. § III.6.f. {Department of Commerce} {adequate protection} An organization must subject to the Privacy Shield Principles all personal data received from the EU in reliance upon the Privacy Shield. The undertaking to adhere to the Privacy Shield Principles is not time-limited in respect of personal data received during the period in which the organization enjoys the benefits of the Privacy Shield. Its undertaking means that it will continue to apply the Principles to such data for as long as the organization stores, uses or discloses them, even if it subsequently leaves the Privacy Shield for any reason. An organization that withdraws from the Privacy Shield but wants to retain such data must affirm to the Department on an annual basis its commitment to continue to apply the Principles or provide "adequate" protection for the information by another authorized means (for example, using a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission); otherwise, the organization must return or delete the information. An organization that withdraws from the Privacy Shield must remove from any relevant privacy policy any references to the Privacy Shield that imply that the organization continues to actively participate in the Privacy Shield and is entitled to its benefits. § III.6.f.] | Privacy protection for information and data | Preventive | |
| Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Preventive | |
| Limit data leakage. CC ID 00356 [{data processor} The purpose of the contract is to make sure that the processor: provides appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alternation, unauthorized disclosure or access, and understands whether onward transfer is allowed; and § III.10.a.ii.2. {Security Principle}(Data Integrity and Purpose Limitation Principle} {Recourse, Enforcement and Liability Principle} An organization must apply the Privacy Shield Principles of Security, Data Integrity and Purpose Limitation, and Recourse, Enforcement and Liability to personal data from publicly available sources. These Principles shall apply also to personal data collected from public records, i.e., those records kept by government agencies or entities at any level that are open to consultation by the public in general. § III.15.a.] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Detective | |
| Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Detective | |
| Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Detective | |
| Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Detective | |
| Include text about data ownership in the data handling policy. CC ID 15720 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 | Privacy protection for information and data | Preventive | |
| Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Privacy protection for information and data | Preventive | |
| Store de-identifying code and re-identifying code separately. CC ID 16535 | Privacy protection for information and data | Preventive | |
| Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Privacy protection for information and data | Preventive | |
| Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Privacy protection for information and data | Preventive | |
| Obtain consent from an individual prior to transferring personal data. CC ID 06948 | Privacy protection for information and data | Preventive | |
| Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 [{Notice Principle}{Choice Principle}{personal data transfer} Pharmaceutical and medical device companies are allowed to provide personal data from clinical trials conducted in the EU to regulators in the United States for regulatory and supervision purposes. Similar transfers are allowed to parties other than regulators, such as company locations and other researchers, consistent with the Principles of Notice and Choice. § III.14.d.i.] | Privacy protection for information and data | Preventive | |
| Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 | Privacy protection for information and data | Preventive | |
| Prohibit the transfer of personal data when security is inadequate. CC ID 00345 [{notice principle} To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles. Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles. § II.3.a. {notice principle} To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles. Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles. § II.3.a.] | Privacy protection for information and data | Preventive | |
| Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 | Privacy protection for information and data | Preventive | |
| Refrain from transferring past the first transfer. CC ID 00347 | Privacy protection for information and data | Preventive | |
| Allow the data subject the right to object to the personal data transfer. CC ID 00349 | Privacy protection for information and data | Preventive | |
| Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 [{Notice Principle}{Choice Principle}{Accountability for Onward Transfer Principle} It is not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to public record information, as long as it is not combined with non-public record information, and any conditions for consultation established by the relevant jurisdiction are respected. Also, it is generally not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to publicly available information unless the European transferor indicates that such information is subject to restrictions that require application of those Principles by the organization for the uses it intends. Organizations will have no liability for how such information is used by those obtaining such information from published materials. § III.15.b.] | Privacy protection for information and data | Preventive | |
| Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 | Privacy protection for information and data | Preventive | |
| Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 [{key-coded data} Invariably, research data are uniquely key-coded at their origin by the principal investigator so as not to reveal the identity of individual data subjects. Pharmaceutical companies sponsoring such research do not receive the key. The unique key code is held only by the researcher, so that he or she can identify the research subject under special circumstances (e.g., if follow-up medical attention is required). A transfer from the EU to the United States of data coded in this way would not constitute a transfer of personal data that would be subject to the Privacy Shield Principles. § III.14.g.i.] | Privacy protection for information and data | Preventive | |
| Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 | Privacy protection for information and data | Preventive | |
| Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 | Privacy protection for information and data | Preventive | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 | Privacy protection for information and data | Preventive | |
| Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 | Privacy protection for information and data | Preventive | |
| Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 | Privacy protection for information and data | Preventive | |
| Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 | Privacy protection for information and data | Preventive | |
| Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 | Privacy protection for information and data | Preventive | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 | Privacy protection for information and data | Preventive | |
| Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 [{notice principle} To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles. Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles. § II.3.a. For sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), organizations must obtain affirmative express consent (opt in) from individuals if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt- in choice. In addition, an organization should treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive. § II.2.c. {Department of Commerce} To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles; (iv) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (v) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request. § II.3.b. {Notice Principle}{Choice Principle} The Privacy Principles apply immediately upon certification. Recognizing that the Principles will impact commercial relationships with third parties, organizations that certify to the Privacy Shield Framework in the first two months following the Framework's effective date shall bring existing commercial relationships with third parties into conformity with the Accountability for Onward Transfer Principle as soon as possible, and in any event no later than nine months from the date upon which they certify to the Privacy Shield. During that interim period, where organizations transfer data to a third party, they shall (i) apply the Notice and Choice Principles, and (ii) where personal data is transferred to a third party acting as an agent, ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles. § III.6.e. {Notice Principle}{Choice Principle} The Privacy Principles apply immediately upon certification. Recognizing that the Principles will impact commercial relationships with third parties, organizations that certify to the Privacy Shield Framework in the first two months following the Framework's effective date shall bring existing commercial relationships with third parties into conformity with the Accountability for Onward Transfer Principle as soon as possible, and in any event no later than nine months from the date upon which they certify to the Privacy Shield. During that interim period, where organizations transfer data to a third party, they shall (i) apply the Notice and Choice Principles, and (ii) where personal data is transferred to a third party acting as an agent, ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles. § III.6.e. {Notice Principle}{Choice Principle} The Privacy Principles apply immediately upon certification. Recognizing that the Principles will impact commercial relationships with third parties, organizations that certify to the Privacy Shield Framework in the first two months following the Framework's effective date shall bring existing commercial relationships with third parties into conformity with the Accountability for Onward Transfer Principle as soon as possible, and in any event no later than nine months from the date upon which they certify to the Privacy Shield. During that interim period, where organizations transfer data to a third party, they shall (i) apply the Notice and Choice Principles, and (ii) where personal data is transferred to a third party acting as an agent, ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles. § III.6.e.] | Privacy protection for information and data | Preventive | |
| Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 | Privacy protection for information and data | Preventive | |
| Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 | Privacy protection for information and data | Preventive | |
| Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 | Privacy protection for information and data | Preventive | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 | Privacy protection for information and data | Preventive | |
| Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 | Privacy protection for information and data | Preventive | |
| Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 | Privacy protection for information and data | Preventive | |
| Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 | Privacy protection for information and data | Preventive | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 | Privacy protection for information and data | Preventive | |
| Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 | Privacy protection for information and data | Preventive | |
| Obtain consent prior to downloading software to an individual's computer. CC ID 06951 | Privacy protection for information and data | Preventive | |
| Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 | Privacy protection for information and data | Preventive | |
| Develop remedies and sanctions for privacy policy violations. CC ID 00474 [{be rigorous} At a minimum such mechanisms must include: obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations. § II.7.a.iii. To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles; (iv) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (v) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request. § II.3.b.] | Privacy protection for information and data | Preventive | |
| Implement procedures to file privacy rights violation complaints. CC ID 00476 [Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum such mechanisms must include: § II.7.a. At a minimum such mechanisms must include: readily available independent recourse mechanisms by which each individual's complaints and disputes are investigated and expeditiously resolved at no cost to the individual and by reference to the Principles, and damages awarded where the applicable law or private-sector initiatives so provide; § II.7.a.i. Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i. Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i. Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i.] | Privacy protection for information and data | Corrective | |
| Change or destroy any personal data that is incorrect. CC ID 00462 | Privacy protection for information and data | Corrective | |
| Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Privacy protection for information and data | Preventive | |
| Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Privacy protection for information and data | Corrective | |
| Notify individuals of their right to challenge personal data. CC ID 00457 [Under the Privacy Shield Principles, the right of access is fundamental to privacy protection. In particular, it allows individuals to verify the accuracy of information held about them. The Access Principle means that individuals have the right to: § III.8.a.i. Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated. § II.6.a. The Access Principle means that individuals have the right to: have the data corrected, amended or deleted where it is inaccurate or processed in violation of the Principles. § III.8.a.i.3.] | Privacy protection for information and data | Preventive | |
| Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 | Privacy protection for information and data | Preventive | |
| Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 | Privacy protection for information and data | Preventive | |
| Investigate the disputed accuracy of personal data. CC ID 00461 | Privacy protection for information and data | Preventive | |
| Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 [To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles; (iv) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (v) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request. § II.3.b.] | Privacy protection for information and data | Corrective | |
| Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 [{persistent failure to comply}{Department of Commerce} If an organization persistently fails to comply with the Principles, it is no longer entitled to benefit from the Privacy Shield. Organizations that have persistently failed to comply with the Principles will be removed from the Privacy Shield List by the Department and must return or delete the personal information they received under the Privacy Shield. § III.11.g.i.] | Privacy protection for information and data | Corrective | |
| Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Privacy protection for information and data | Preventive | |
| Check the accuracy of restricted data. CC ID 00088 [{is accurate} {is complete} {is current} Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. An organization must adhere to the Principles for as long as it retains such information. § II.5.a. {is accurate} {is complete} {is current} Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. An organization must adhere to the Principles for as long as it retains such information. § II.5.a.] | Privacy protection for information and data | Preventive | |
| Check that restricted data is complete. CC ID 00090 [{is accurate} {is complete} {is current} Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. An organization must adhere to the Principles for as long as it retains such information. § II.5.a.] | Privacy protection for information and data | Preventive | |
| Keep restricted data up-to-date and valid. CC ID 00091 [{is accurate} {is complete} {is current} Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. An organization must adhere to the Principles for as long as it retains such information. § II.5.a.] | Privacy protection for information and data | Preventive | |
| Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Third Party and supply chain oversight | Detective | |
Establish Roles | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Preventive | |
| Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [{is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c.] | Human Resources management | Preventive | |
| Assign senior management to the role of authorizing official. CC ID 14238 | Human Resources management | Preventive | |
| Include roles and responsibilities in the registration notice. CC ID 16803 | Privacy protection for information and data | Preventive | |
| Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Preventive | |
| Process restricted data lawfully and carefully. CC ID 00086 | Privacy protection for information and data | Preventive | |
Establish/Maintain Documentation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Preventive | |
| Include the effective date on all organizational policies. CC ID 06820 [description of the organization's privacy policy for such personal information, including: its effective date of implementation; § III.6.b.iii.2.] | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a risk monitoring program. CC ID 00658 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a compliance testing strategy. CC ID 00659 [To meet the verification requirements of the Recourse, Enforcement and Liability Principle, an organization must verify such attestations and assertions either through self-assessment or outside compliance reviews. § III.7.b. To meet the verification requirements of the Recourse, Enforcement and Liability Principle, an organization must verify such attestations and assertions either through self-assessment or outside compliance reviews. § III.7.b. Where the organization has chosen outside compliance review, such a review must demonstrate that its privacy policy regarding personal information received from the EU conforms to the Privacy Shield Principles, that it is being complied with, and that individuals are informed of the mechanisms through which they may pursue complaints. The methods of review may include, without limitation, auditing, random reviews, use of "decoys", or use of technology tools as appropriate. A statement verifying that an outside compliance review has been successfully completed must be signed either by the reviewer or by the corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about compliance. § III.7.d. Where the organization has chosen outside compliance review, such a review must demonstrate that its privacy policy regarding personal information received from the EU conforms to the Privacy Shield Principles, that it is being complied with, and that individuals are informed of the mechanisms through which they may pursue complaints. The methods of review may include, without limitation, auditing, random reviews, use of "decoys", or use of technology tools as appropriate. A statement verifying that an outside compliance review has been successfully completed must be signed either by the reviewer or by the corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about compliance. § III.7.d. At a minimum such mechanisms must include: follow-up procedures for verifying that the attestations and assertions organizations make about their privacy practices are true and that privacy practices have been implemented as presented and, in particular, with regard to cases of non-compliance; and § II.7.a.ii. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c.] | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [{is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c.] | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain risk management metrics. CC ID 01656 | Monitoring and measurement | Preventive | |
| Identify and document instances of non-compliance with the compliance framework. CC ID 06499 | Monitoring and measurement | Preventive | |
| Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Preventive | |
| Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Preventive | |
| Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Preventive | |
| Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Preventive | |
| Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Preventive | |
| Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Preventive | |
| Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Preventive | |
| Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Preventive | |
| Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Preventive | |
| Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Preventive | |
| Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Preventive | |
| Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Preventive | |
| Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Preventive | |
| Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a security program metrics program. CC ID 01660 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an audit metrics program. CC ID 01664 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a metrics standard and template. CC ID 02157 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain occupational health and safety management metrics program. CC ID 15915 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 | Monitoring and measurement | Preventive | |
| Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a privacy metrics program. CC ID 15494 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a log management program. CC ID 00673 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a Statement of Compliance. CC ID 12499 | Audits and risk management | Preventive | |
| Include a commitment to comply with recommendations from applicable statutory bodies in the Statement of Compliance. CC ID 12371 [{Department of Commerce} Where the organization wishes its Privacy Shield benefits to cover human resources information transferred from the EU for use in the context of the employment relationship, it may do so where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear claims against the organization arising out of the processing of human resources information. In addition, the organization must indicate this in its self-certification submission and declare its commitment to cooperate with the EU authority or authorities concerned in conformity with the Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities as applicable and that it will comply with the advice given by such authorities. The organization must also provide the Department with a copy of its human resources privacy policy and provide information where the privacy policy is available for viewing by its affected employees. § III.6.c.] | Audits and risk management | Preventive | |
| Include a commitment to cooperate with applicable statutory bodies in the Statement of Compliance. CC ID 12370 [{Department of Commerce} Where the organization wishes its Privacy Shield benefits to cover human resources information transferred from the EU for use in the context of the employment relationship, it may do so where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear claims against the organization arising out of the processing of human resources information. In addition, the organization must indicate this in its self-certification submission and declare its commitment to cooperate with the EU authority or authorities concerned in conformity with the Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities as applicable and that it will comply with the advice given by such authorities. The organization must also provide the Department with a copy of its human resources privacy policy and provide information where the privacy policy is available for viewing by its affected employees. § III.6.c.] | Audits and risk management | Preventive | |
| Include the statutory bodies having jurisdiction over privacy rights violations in the Statement of Compliance. CC ID 12369 [{Department of Commerce} Where the organization wishes its Privacy Shield benefits to cover human resources information transferred from the EU for use in the context of the employment relationship, it may do so where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear claims against the organization arising out of the processing of human resources information. In addition, the organization must indicate this in its self-certification submission and declare its commitment to cooperate with the EU authority or authorities concerned in conformity with the Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities as applicable and that it will comply with the advice given by such authorities. The organization must also provide the Department with a copy of its human resources privacy policy and provide information where the privacy policy is available for viewing by its affected employees. § III.6.c.] | Audits and risk management | Preventive | |
| Include a description of the organization's privacy policy in the Statement of Compliance. CC ID 12362 [To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information: description of the organization's privacy policy for such personal information, including: § III.6.b.iii. The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self-certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d.] | Audits and risk management | Preventive | |
| Include the outcomes of privacy rights violation complaints received in the Statement of Compliance. CC ID 12534 [Independent recourse mechanisms must publish an annual report providing aggregate statistics regarding their dispute resolution services. The annual report must include: (1) the total number of Privacy Shield-related complaints received during the reporting year; (2) the types of complaints received; (3) dispute resolution quality measures, such as the length of time taken to process complaints; and (4) the outcomes of the complaints received, notably the number and types of remedies or sanctions imposed. § III.11.d.iii.] | Audits and risk management | Preventive | |
| Include dispute resolution quality measures in the Statement of Compliance. CC ID 12533 [Independent recourse mechanisms must publish an annual report providing aggregate statistics regarding their dispute resolution services. The annual report must include: (1) the total number of Privacy Shield-related complaints received during the reporting year; (2) the types of complaints received; (3) dispute resolution quality measures, such as the length of time taken to process complaints; and (4) the outcomes of the complaints received, notably the number and types of remedies or sanctions imposed. § III.11.d.iii.] | Audits and risk management | Preventive | |
| Include the type of privacy rights violation complaints received in the Statement of Compliance. CC ID 12532 [Independent recourse mechanisms must publish an annual report providing aggregate statistics regarding their dispute resolution services. The annual report must include: (1) the total number of Privacy Shield-related complaints received during the reporting year; (2) the types of complaints received; (3) dispute resolution quality measures, such as the length of time taken to process complaints; and (4) the outcomes of the complaints received, notably the number and types of remedies or sanctions imposed. § III.11.d.iii.] | Audits and risk management | Preventive | |
| Include the number of privacy rights violation complaints received in the Statement of Compliance. CC ID 12530 [Independent recourse mechanisms must publish an annual report providing aggregate statistics regarding their dispute resolution services. The annual report must include: (1) the total number of Privacy Shield-related complaints received during the reporting year; (2) the types of complaints received; (3) dispute resolution quality measures, such as the length of time taken to process complaints; and (4) the outcomes of the complaints received, notably the number and types of remedies or sanctions imposed. § III.11.d.iii.] | Audits and risk management | Preventive | |
| Include the organization's fax number in the Statement of Compliance. CC ID 12361 [{telephone number} To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information: name of organization, mailing address, e-mail address, telephone, and fax numbers; § III.6.b.i.] | Audits and risk management | Preventive | |
| Include the organization's telephone number in the Statement of Compliance. CC ID 12360 [{telephone number} To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information: name of organization, mailing address, e-mail address, telephone, and fax numbers; § III.6.b.i.] | Audits and risk management | Preventive | |
| Include the organization's e-mail address in the Statement of Compliance. CC ID 12359 [{telephone number} To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information: name of organization, mailing address, e-mail address, telephone, and fax numbers; § III.6.b.i.] | Audits and risk management | Preventive | |
| Include the organization's name in the Statement of Compliance. CC ID 12351 [{telephone number} To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information: name of organization, mailing address, e-mail address, telephone, and fax numbers; § III.6.b.i.] | Audits and risk management | Preventive | |
| Include the organization's mailing address in the Statement of Compliance. CC ID 12358 [{telephone number} To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information: name of organization, mailing address, e-mail address, telephone, and fax numbers; § III.6.b.i.] | Audits and risk management | Preventive | |
| Describe how the organization processes personal data in the Statement of Compliance. CC ID 12377 [To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information: description of the activities of the organization with respect to personal information received from the EU; and § III.6.b.ii.] | Audits and risk management | Preventive | |
| Approve and sign the Statement of Compliance. CC ID 12392 [Where the organization has chosen outside compliance review, such a review must demonstrate that its privacy policy regarding personal information received from the EU conforms to the Privacy Shield Principles, that it is being complied with, and that individuals are informed of the mechanisms through which they may pursue complaints. The methods of review may include, without limitation, auditing, random reviews, use of "decoys", or use of technology tools as appropriate. A statement verifying that an outside compliance review has been successfully completed must be signed either by the reviewer or by the corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about compliance. § III.7.d.] | Audits and risk management | Preventive | |
| Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Human Resources management | Preventive | |
| Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Human Resources management | Preventive | |
| Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Human Resources management | Preventive | |
| Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 | Human Resources management | Preventive | |
| Establish, implement, and maintain a Code of Conduct. CC ID 04897 | Human Resources management | Preventive | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Preventive | |
| Comply with all implemented policies in the organization's compliance framework. CC ID 06384 | Operational management | Preventive | |
| Document the organization's local environments. CC ID 06726 [Given U.S. constitutional protections for freedom of the press and the Directive's exemption for journalistic material, where the rights of a free press embodied in the First Amendment of the U.S. Constitution intersect with privacy protection interests, the First Amendment must govern the balancing of these interests with regard to the activities of U.S. persons or organizations. § III.2.a. Privacy Shield benefits are assured from the date on which the Department has placed the organization's self-certification submission on the Privacy Shield List after having determined that the submission is complete. § III.6.a. The Privacy Shield Principles are relevant only when individually identified records are transferred or accessed. Statistical reporting relying on aggregate employment data and containing no personal data or the use of anonymized data does not raise privacy concerns. § III.9.a.ii. The FTC has committed to reviewing on a priority basis referrals alleging non-compliance with the Principles received from: (i) privacy self-regulatory organizations and other independent dispute resolution bodies; (ii) EU Member States; and (iii) the Department, to determine whether Section 5 of the FTC Act prohibiting unfair or deceptive acts or practices in commerce has been violated. If the FTC concludes that it has reason to believe Section 5 has been violated, it may resolve the matter by seeking an administrative cease and desist order prohibiting the challenged practices or by filing a complaint in a federal district court, which if successful could result in a federal court order to same effect. This includes false claims of adherence to the Privacy Shield Principles or participation in the Privacy Shield by organizations, which either are no longer on the Privacy Shield List or have never self-certified to the Department. The FTC may obtain civil penalties for violations of an administrative cease and desist order and may pursue civil or criminal contempt for violation of a federal court order. The FTC will notify the Department of any such actions it takes. The Department encourages other government bodies to notify it of the final disposition of any such referrals or other rulings determining adherence to the Privacy Shield Principles. § III.11.f.ii. Where an organization is found to have intentionally made personal information public in contravention of the Principles so that it or others may benefit from these exceptions, it will cease to qualify for the benefits of the Privacy Shield. § III.15.c. The information provided by the Privacy Shield organizations in these reports together with information that has been released by the intelligence community, along with other information, can be used to inform the annual joint review of the functioning of the Privacy Shield in accordance with the Principles. § III.16.b. The activities of auditors and investment bankers may involve processing personal data without the consent or knowledge of the individual. This is permitted by the Notice, Choice, and Access Principles under the circumstances described below. § III.4.a. Because adequate protection is provided by Privacy Shield participants, contracts with Privacy Shield participants for mere processing do not require prior authorization (or such authorization will be granted automatically by the EU Member States), as would be required for contracts with recipients not participating in the Privacy Shield or otherwise not providing adequate protection. § III.10.a.iii. The Department will remove an organization from the Privacy Shield List in response to any notification it receives of persistent failure to comply, whether it is received from the organization itself, from a privacy self-regulatory body or another independent dispute resolution body, or from a government body, but only after first providing 30 days' notice and an opportunity to respond to the organization that has failed to comply. Accordingly, the Privacy Shield List maintained by the Department will make clear which organizations are assured and which organizations are no longer assured of Privacy Shield benefits. § III.11.g.iii.] | Operational management | Preventive | |
| Establish, implement, and maintain local environment security profiles. CC ID 07037 | Operational management | Preventive | |
| Include individuals assigned to the local environment in the local environment security profile. CC ID 07038 | Operational management | Preventive | |
| Include security requirements in the local environment security profile. CC ID 15717 | Operational management | Preventive | |
| Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039 | Operational management | Preventive | |
| Include the technology used in the local environment in the local environment security profile. CC ID 07040 | Operational management | Preventive | |
| Include contact information for critical personnel assigned to the local environment in the local environment security profile. CC ID 07041 | Operational management | Preventive | |
| Include facility information for the local environment in the local environment security profile. CC ID 07042 | Operational management | Preventive | |
| Include facility access information for the local environment in the local environment security profile. CC ID 11773 | Operational management | Preventive | |
| Update the local environment security profile, as necessary. CC ID 07043 | Operational management | Preventive | |
| Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Preventive | |
| Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Detective | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 [{unauthorized disclosure}{unauthorized alteration}{unauthorized destruction} Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data. § II.4.a. {unauthorized disclosure}{unauthorized alteration}{unauthorized destruction} Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data. § II.4.a. {unauthorized disclosure}{unauthorized alteration}{unauthorized destruction} Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data. § II.4.a. {unauthorized disclosure}{unauthorized alteration}{unauthorized destruction} Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data. § II.4.a. {unauthorized disclosure}{unauthorized alteration}{unauthorized destruction} Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data. § II.4.a. {unauthorized disclosure}{unauthorized alteration}{unauthorized destruction} Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data. § II.4.a. Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum such mechanisms must include: § II.7.a.] | Privacy protection for information and data | Preventive | |
| Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 | Privacy protection for information and data | Preventive | |
| Establish and maintain privacy notices, as necessary. CC ID 13443 | Privacy protection for information and data | Preventive | |
| Include the purpose of the privacy notice in the privacy notice. CC ID 13526 | Privacy protection for information and data | Preventive | |
| Include the processing purpose in the privacy notice. CC ID 16543 | Privacy protection for information and data | Preventive | |
| Include contact information in the privacy notice. CC ID 14432 | Privacy protection for information and data | Preventive | |
| Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 | Privacy protection for information and data | Preventive | |
| Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 | Privacy protection for information and data | Preventive | |
| Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 | Privacy protection for information and data | Preventive | |
| Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 | Privacy protection for information and data | Preventive | |
| Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 | Privacy protection for information and data | Preventive | |
| Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 | Privacy protection for information and data | Preventive | |
| Include the personal data collection categories in the privacy notice. CC ID 13457 | Privacy protection for information and data | Preventive | |
| Include disclosure exceptions in the privacy notice. CC ID 13447 | Privacy protection for information and data | Preventive | |
| Include the types of personal data disclosed in the privacy notice. CC ID 13446 | Privacy protection for information and data | Preventive | |
| Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 | Privacy protection for information and data | Preventive | |
| Specify the time frame that notice will be given. CC ID 00385 | Privacy protection for information and data | Preventive | |
| Include the information about the appeal process in the privacy notice. CC ID 15312 | Privacy protection for information and data | Preventive | |
| Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 | Privacy protection for information and data | Preventive | |
| Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 | Privacy protection for information and data | Preventive | |
| Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 | Privacy protection for information and data | Corrective | |
| Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 | Privacy protection for information and data | Preventive | |
| Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 | Privacy protection for information and data | Preventive | |
| Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 | Privacy protection for information and data | Preventive | |
| Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain opt-out notices. CC ID 13448 | Privacy protection for information and data | Preventive | |
| Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 | Privacy protection for information and data | Preventive | |
| Include the opt out method for data subjects in the opt-out notice. CC ID 13467 | Privacy protection for information and data | Preventive | |
| Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 | Privacy protection for information and data | Preventive | |
| Explain the right to opt out in the opt-out notice. CC ID 13462 | Privacy protection for information and data | Preventive | |
| Include the organization's right to share personal data in the opt-out notice. CC ID 13450 | Privacy protection for information and data | Preventive | |
| Provide the data subject with a notice of participation procedures. CC ID 06241 [Personal data developed in specific medical or pharmaceutical research studies often play a valuable role in future scientific research. Where personal data collected for one research study are transferred to a U.S. organization in the Privacy Shield, the organization may use the data for a new scientific research activity if appropriate notice and choice have been provided in the first instance. Such notice should provide information about any future specific uses of the data, such as periodic follow-up, related studies, or marketing. § III.14.b.i. It is understood that not all future uses of the data can be specified, since a new research use could arise from new insights on the original data, new medical discoveries and advances, and public health and regulatory developments. Where appropriate, the notice should therefore include an explanation that personal data may be used in future medical and pharmaceutical research activities that are unanticipated. If the use is not consistent with the general research purpose(s) for which the personal data were originally collected, or to which the individual has consented subsequently, new consent must be obtained. § III.14.b.ii.] | Privacy protection for information and data | Preventive | |
| Publish a description of processing activities in an official register. CC ID 00379 | Privacy protection for information and data | Preventive | |
| Establish and maintain a records request manual. CC ID 00381 | Privacy protection for information and data | Preventive | |
| Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 | Privacy protection for information and data | Preventive | |
| Define what is included in registration notices. CC ID 00386 | Privacy protection for information and data | Preventive | |
| Include the verification method in the registration notice. CC ID 16798 | Privacy protection for information and data | Preventive | |
| Include the statutory authority in the registration notice. CC ID 16799 | Privacy protection for information and data | Preventive | |
| Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 | Privacy protection for information and data | Preventive | |
| Include a purpose specification description in the registration notice. CC ID 00388 | Privacy protection for information and data | Preventive | |
| Include information about the dispute resolution body in the registration notice. CC ID 16800 | Privacy protection for information and data | Preventive | |
| Include the data subject category being processed in the registration notice. CC ID 00389 | Privacy protection for information and data | Preventive | |
| Include the time period for data processing in the registration notice. CC ID 00390 | Privacy protection for information and data | Preventive | |
| Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 | Privacy protection for information and data | Preventive | |
| Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 | Privacy protection for information and data | Preventive | |
| Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 [An organization must inform individuals about: its participation in the Privacy Shield and provide a link to, or the web address for, the Privacy Shield List, § II.1.a.i. An organization must inform individuals about: the choices and means the organization offers individuals for limiting the use and disclosure of their personal data, § II.1.a.viii. {unfair act or practice} {deceptive act or practice} description of the organization's privacy policy for such personal information, including: the specific statutory body that has jurisdiction to hear any claims against the organization regarding possible unfair or deceptive practices and violations of laws or regulations governing privacy (and that is listed in the Principles or a future annex to the Principles); § III.6.b.iii.4.] | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 | Privacy protection for information and data | Preventive | |
| Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 | Privacy protection for information and data | Preventive | |
| Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 | Privacy protection for information and data | Preventive | |
| Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 | Privacy protection for information and data | Preventive | |
| Specify the purpose of the disclosure in the written consent. CC ID 13001 | Privacy protection for information and data | Preventive | |
| Specify which education records may be disclosed in the written consent. CC ID 13000 | Privacy protection for information and data | Preventive | |
| Document the conditions when consent is not required to disclose educational data. CC ID 00225 | Privacy protection for information and data | Preventive | |
| Record the health and safety threats of students when disclosing personal data. CC ID 12997 | Privacy protection for information and data | Preventive | |
| Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 [An organization must inform individuals about: the right of individuals to access their personal data, § II.1.a.vii.] | Privacy protection for information and data | Preventive | |
| Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [An organization must inform individuals about: the purposes for which it collects and uses personal information about them, § II.1.a.iv. An organization must inform individuals about: the purposes for which it collects and uses personal information about them, § II.1.a.iv. An organization must inform individuals about: the types of personal data collected and, where applicable, the entities or subsidiaries of the organization also adhering to the Principles, § II.1.a.ii. An organization must inform individuals about: the type or identity of third parties to which it discloses personal information, and the purposes for which it does so, § II.1.a.vi. The organization should answer requests from an individual concerning the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data is disclosed. § III.8.a.i.1. Footnote 1 An individual has the right to obtain confirmation of whether or not this organization has personal data relating to him or her. An individual also has the right to have communicated to him or her personal data relating to him or her. An organization may charge a fee that is not excessive. § III.8.f.i. The Access Principle means that individuals have the right to: obtain from an organization confirmation of whether or not the organization is processing personal data relating to them; § III.8.a.i.1.] | Privacy protection for information and data | Preventive | |
| Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 | Privacy protection for information and data | Preventive | |
| Establish and maintain a disclosure accounting record. CC ID 13022 | Privacy protection for information and data | Preventive | |
| Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 | Privacy protection for information and data | Preventive | |
| Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 | Privacy protection for information and data | Preventive | |
| Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 [An organization must inform individuals about: the type or identity of third parties to which it discloses personal information, and the purposes for which it does so, § II.1.a.vi.] | Privacy protection for information and data | Preventive | |
| Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 | Privacy protection for information and data | Preventive | |
| Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 | Privacy protection for information and data | Preventive | |
| Include the disclosure date in the disclosure accounting record. CC ID 07133 | Privacy protection for information and data | Preventive | |
| Include the disclosure recipient in the disclosure accounting record. CC ID 07134 | Privacy protection for information and data | Preventive | |
| Include the disclosure purpose in the disclosure accounting record. CC ID 07135 | Privacy protection for information and data | Preventive | |
| Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 | Privacy protection for information and data | Preventive | |
| Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 | Privacy protection for information and data | Preventive | |
| Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 | Privacy protection for information and data | Preventive | |
| Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 | Privacy protection for information and data | Preventive | |
| Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 | Privacy protection for information and data | Preventive | |
| Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 | Privacy protection for information and data | Preventive | |
| Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 | Privacy protection for information and data | Preventive | |
| Make telephone directory information available to the public. CC ID 08698 | Privacy protection for information and data | Preventive | |
| Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a privacy policy. CC ID 06281 [{is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c.] | Privacy protection for information and data | Preventive | |
| Include the data subject's rights in the privacy policy. CC ID 16355 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a privacy policy model document. CC ID 14720 | Privacy protection for information and data | Preventive | |
| Document privacy policies in clearly written and easily understood language. CC ID 00376 | Privacy protection for information and data | Detective | |
| Write privacy notices in the official languages required by law. CC ID 16529 | Privacy protection for information and data | Preventive | |
| Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 | Privacy protection for information and data | Preventive | |
| Define what is included in the privacy policy. CC ID 00404 [{Department of Commerce} The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self- certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c.] | Privacy protection for information and data | Preventive | |
| Define the information being collected in the privacy policy. CC ID 13115 | Privacy protection for information and data | Preventive | |
| Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 | Privacy protection for information and data | Preventive | |
| Include the means by which information is collected in the privacy policy. CC ID 13114 | Privacy protection for information and data | Preventive | |
| Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 [{Department of Commerce} When an organization leaves the Privacy Shield for any reason, it must remove all statements implying that the organization continues to participate in the Privacy Shield or is entitled to the benefits of the Privacy Shield. The EU-U.S. Privacy Shield certification mark, if used, must also be removed. Any misrepresentation to the general public concerning an organization's adherence to the Privacy Shield Principles may be actionable by the FTC or other relevant government body. Misrepresentations to the Department may be actionable under the False Statements Act (18 U.S.C. § 1001). § III.6.h.] | Privacy protection for information and data | Corrective | |
| Include roles and responsibilities in the privacy policy. CC ID 14669 | Privacy protection for information and data | Preventive | |
| Include management commitment in the privacy policy. CC ID 14668 | Privacy protection for information and data | Preventive | |
| Include coordination amongst entities in the privacy policy. CC ID 14667 | Privacy protection for information and data | Preventive | |
| Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 | Privacy protection for information and data | Preventive | |
| Include compliance requirements in the privacy policy. CC ID 14666 | Privacy protection for information and data | Preventive | |
| Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 | Privacy protection for information and data | Preventive | |
| Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 [{Department of Commerce} When an organization leaves the Privacy Shield for any reason, it must remove all statements implying that the organization continues to participate in the Privacy Shield or is entitled to the benefits of the Privacy Shield. The EU-U.S. Privacy Shield certification mark, if used, must also be removed. Any misrepresentation to the general public concerning an organization's adherence to the Privacy Shield Principles may be actionable by the FTC or other relevant government body. Misrepresentations to the Department may be actionable under the False Statements Act (18 U.S.C. § 1001). § III.6.h. {Department of Commerce} {adequate protection} An organization must subject to the Privacy Shield Principles all personal data received from the EU in reliance upon the Privacy Shield. The undertaking to adhere to the Privacy Shield Principles is not time-limited in respect of personal data received during the period in which the organization enjoys the benefits of the Privacy Shield. Its undertaking means that it will continue to apply the Principles to such data for as long as the organization stores, uses or discloses them, even if it subsequently leaves the Privacy Shield for any reason. An organization that withdraws from the Privacy Shield but wants to retain such data must affirm to the Department on an annual basis its commitment to continue to apply the Principles or provide "adequate" protection for the information by another authorized means (for example, using a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission); otherwise, the organization must return or delete the information. An organization that withdraws from the Privacy Shield must remove from any relevant privacy policy any references to the Privacy Shield that imply that the organization continues to actively participate in the Privacy Shield and is entitled to its benefits. § III.6.f.] | Privacy protection for information and data | Corrective | |
| Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 [description of the organization's privacy policy for such personal information, including: the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.b.iii.7. Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i. {Security Principle}(Data Integrity and Purpose Limitation Principle} {Recourse, Enforcement and Liability Principle} An organization must apply the Privacy Shield Principles of Security, Data Integrity and Purpose Limitation, and Recourse, Enforcement and Liability to personal data from publicly available sources. These Principles shall apply also to personal data collected from public records, i.e., those records kept by government agencies or entities at any level that are open to consultation by the public in general. § III.15.a. Organizations are obligated to arbitrate claims and follow the terms as set forth in Annex I, provided that an individual has invoked binding arbitration by delivering notice to the organization at issue and following the procedures and subject to conditions set forth in Annex I. § II.7.c. {include} This list is intended to be illustrative and not limiting. The private sector may design additional mechanisms to provide enforcement, so long as they meet the requirements of the Recourse, Enforcement and Liability Principle and the Supplemental Principles. Please note that the Recourse, Enforcement and Liability Principle's requirements are additional to the requirement that self-regulatory efforts must be enforceable under Section 5 of the Federal Trade Commission Act, which prohibits unfair and deceptive acts, or another law or regulation prohibiting such acts. § III.11.b.] | Privacy protection for information and data | Preventive | |
| Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 [description of the organization's privacy policy for such personal information, including: name of any privacy program in which the organization is a member; § III.6.b.iii.5.] | Privacy protection for information and data | Preventive | |
| Include a complaint form in the privacy policy. CC ID 12364 [Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i.] | Privacy protection for information and data | Preventive | |
| Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 | Privacy protection for information and data | Preventive | |
| Include the processing purpose in the privacy policy. CC ID 00406 | Privacy protection for information and data | Preventive | |
| Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 | Privacy protection for information and data | Preventive | |
| Include the data subject categories being processed in the privacy policy. CC ID 00407 | Privacy protection for information and data | Preventive | |
| Define the retention period for collected information in the privacy policy. CC ID 13116 | Privacy protection for information and data | Preventive | |
| Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 | Privacy protection for information and data | Preventive | |
| Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 | Privacy protection for information and data | Preventive | |
| Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 | Privacy protection for information and data | Preventive | |
| Include instructions on how to opt-out in the privacy policy. CC ID 00411 [An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. Individuals must be provided with clear, conspicuous, and readily available mechanisms to exercise choice. § II.2.a.] | Privacy protection for information and data | Preventive | |
| Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 [description of the organization's privacy policy for such personal information, including: if the organization has a public website, the relevant web address where the privacy policy is available, or if the organization does not have a public website, where the privacy policy is available for viewing by the public; § III.6.b.iii.1. {Department of Commerce} The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self- certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self-certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. Independent recourse mechanisms must include on their public websites information regarding the Privacy Shield Principles and the services that they provide under the Privacy Shield. This information must include: (1) information on or a link to the Privacy Shield Principles' requirements for independent recourse mechanisms; (2) a link to the Department's Privacy Shield website; (3) an explanation that their dispute resolution services under the Privacy Shield are free of charge to individuals; (4) a description of how a Privacy Shield-related complaint can be filed; (5) the timeframe in which Privacy Shield-related complaints are processed; and (6) a description of the range of potential remedies. § III.11.d.ii. Independent recourse mechanisms must include on their public websites information regarding the Privacy Shield Principles and the services that they provide under the Privacy Shield. This information must include: (1) information on or a link to the Privacy Shield Principles' requirements for independent recourse mechanisms; (2) a link to the Department's Privacy Shield website; (3) an explanation that their dispute resolution services under the Privacy Shield are free of charge to individuals; (4) a description of how a Privacy Shield-related complaint can be filed; (5) the timeframe in which Privacy Shield-related complaints are processed; and (6) a description of the range of potential remedies. § III.11.d.ii.] | Privacy protection for information and data | Preventive | |
| Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 | Privacy protection for information and data | Preventive | |
| Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 | Privacy protection for information and data | Preventive | |
| Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 [description of the organization's privacy policy for such personal information, including: method of verification; and § III.6.b.iii.6.] | Privacy protection for information and data | Preventive | |
| Post the privacy policy in an easily seen location. CC ID 00401 [description of the organization's privacy policy for such personal information, including: if the organization has a public website, the relevant web address where the privacy policy is available, or if the organization does not have a public website, where the privacy policy is available for viewing by the public; § III.6.b.iii.1. {Department of Commerce} Where the organization wishes its Privacy Shield benefits to cover human resources information transferred from the EU for use in the context of the employment relationship, it may do so where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear claims against the organization arising out of the processing of human resources information. In addition, the organization must indicate this in its self-certification submission and declare its commitment to cooperate with the EU authority or authorities concerned in conformity with the Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities as applicable and that it will comply with the advice given by such authorities. The organization must also provide the Department with a copy of its human resources privacy policy and provide information where the privacy policy is available for viewing by its affected employees. § III.6.c. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c.] | Privacy protection for information and data | Preventive | |
| Define who will receive the privacy policy. CC ID 00402 [{Department of Commerce} Where the organization wishes its Privacy Shield benefits to cover human resources information transferred from the EU for use in the context of the employment relationship, it may do so where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear claims against the organization arising out of the processing of human resources information. In addition, the organization must indicate this in its self-certification submission and declare its commitment to cooperate with the EU authority or authorities concerned in conformity with the Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities as applicable and that it will comply with the advice given by such authorities. The organization must also provide the Department with a copy of its human resources privacy policy and provide information where the privacy policy is available for viewing by its affected employees. § III.6.c.] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain privacy procedures. CC ID 14665 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a privacy plan. CC ID 14672 | Privacy protection for information and data | Preventive | |
| Include privacy requirements in the privacy plan. CC ID 14699 | Privacy protection for information and data | Preventive | |
| Include the information types in the privacy plan. CC ID 14695 | Privacy protection for information and data | Preventive | |
| Include threats in the privacy plan. CC ID 14694 | Privacy protection for information and data | Preventive | |
| Include roles and responsibilities in the privacy plan. CC ID 14702 | Privacy protection for information and data | Preventive | |
| Include a description of the operational context in the privacy plan. CC ID 14692 | Privacy protection for information and data | Preventive | |
| Include risk assessment results in the privacy plan. CC ID 14701 | Privacy protection for information and data | Preventive | |
| Include the security categorizations and rationale in the privacy plan. CC ID 14690 | Privacy protection for information and data | Preventive | |
| Include security controls in the privacy plan. CC ID 14681 | Privacy protection for information and data | Preventive | |
| Include a description of the operational environment in the privacy plan. CC ID 14679 | Privacy protection for information and data | Preventive | |
| Include network diagrams in the privacy plan. CC ID 14678 | Privacy protection for information and data | Preventive | |
| Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a privacy report. CC ID 14754 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain personal data choice and consent program. CC ID 12569 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data request procedures. CC ID 16546 | Privacy protection for information and data | Preventive | |
| Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 | Privacy protection for information and data | Preventive | |
| Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 | Privacy protection for information and data | Preventive | |
| Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 | Privacy protection for information and data | Preventive | |
| Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 | Privacy protection for information and data | Preventive | |
| Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 | Privacy protection for information and data | Preventive | |
| Include the identity of the data subject in the disclosure authorization form. CC ID 13436 | Privacy protection for information and data | Preventive | |
| Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 | Privacy protection for information and data | Preventive | |
| Include how personal data will be used in the disclosure authorization form. CC ID 13441 | Privacy protection for information and data | Preventive | |
| Include agreement termination information in the disclosure authorization form. CC ID 13437 | Privacy protection for information and data | Preventive | |
| Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain approval applications. CC ID 16778 | Privacy protection for information and data | Preventive | |
| Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Preventive | |
| Submit a safe harbor self-certification letter. CC ID 06871 [{Department of Commerce} To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information: § III.6.b.] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 | Privacy protection for information and data | Preventive | |
| Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 | Privacy protection for information and data | Preventive | |
| Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 | Privacy protection for information and data | Preventive | |
| Include data subject's rights in the Binding Corporate Rules. CC ID 12596 | Privacy protection for information and data | Preventive | |
| Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 | Privacy protection for information and data | Preventive | |
| Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 | Privacy protection for information and data | Preventive | |
| Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 | Privacy protection for information and data | Preventive | |
| Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 | Privacy protection for information and data | Preventive | |
| Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 | Privacy protection for information and data | Preventive | |
| Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 | Privacy protection for information and data | Preventive | |
| Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 | Privacy protection for information and data | Preventive | |
| Include complaint procedures in the Binding Corporate Rules. CC ID 12613 | Privacy protection for information and data | Preventive | |
| Include the data transfers in the Binding Corporate Rules. CC ID 12590 | Privacy protection for information and data | Preventive | |
| Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 | Privacy protection for information and data | Preventive | |
| Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 | Privacy protection for information and data | Preventive | |
| Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 | Privacy protection for information and data | Preventive | |
| Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 | Privacy protection for information and data | Preventive | |
| Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 | Privacy protection for information and data | Preventive | |
| Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 | Privacy protection for information and data | Preventive | |
| Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain Data Processing Contracts. CC ID 12650 | Privacy protection for information and data | Preventive | |
| Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Privacy protection for information and data | Preventive | |
| Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 | Privacy protection for information and data | Preventive | |
| Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Privacy protection for information and data | Preventive | |
| Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 | Privacy protection for information and data | Preventive | |
| Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 | Privacy protection for information and data | Preventive | |
| Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 | Privacy protection for information and data | Preventive | |
| Include the duration of processing in the Data Processing Contract. CC ID 14935 | Privacy protection for information and data | Preventive | |
| Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Privacy protection for information and data | Preventive | |
| Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 | Privacy protection for information and data | Preventive | |
| Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 | Privacy protection for information and data | Preventive | |
| Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 | Privacy protection for information and data | Preventive | |
| Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 | Privacy protection for information and data | Preventive | |
| Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Privacy protection for information and data | Preventive | |
| Document the law that requires restricted data to be collected. CC ID 00103 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Privacy protection for information and data | Preventive | |
| Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Privacy protection for information and data | Preventive | |
| Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 [{ability} Generally, the purpose of the Choice Principle is to ensure that personal information is used and disclosed in ways that are consistent with the individual's expectations and choices. Accordingly, an individual should be able to exercise "opt out" choice of having personal information used for direct marketing at any time subject to reasonable limits established by the organization, such as giving the organization time to make the opt out effective. An organization may also require sufficient information to confirm the identity of the individual requesting the "opt out." In the United States, individuals may be able to exercise this option through the use of a central "opt out" program such as the Direct Marketing Association's Mail Preference Service. Organizations that participate in the Direct Marketing Association's Mail Preference Service should promote its availability to consumers who do not wish to receive commercial information. In any event, an individual should be given a readily available and affordable mechanism to exercise this option. § III.12.a.] | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 [{personal data} Similarly, an organization may use information for certain direct marketing purposes when it is impracticable to provide the individual with an opportunity to opt out before using the information, if the organization promptly gives the individual such opportunity at the same time (and upon request at any time) to decline (at no cost to the individual) to receive any further direct marketing communications and the organization complies with the individual's wishes. § III.12.b. {ability} Generally, the purpose of the Choice Principle is to ensure that personal information is used and disclosed in ways that are consistent with the individual's expectations and choices. Accordingly, an individual should be able to exercise "opt out" choice of having personal information used for direct marketing at any time subject to reasonable limits established by the organization, such as giving the organization time to make the opt out effective. An organization may also require sufficient information to confirm the identity of the individual requesting the "opt out." In the United States, individuals may be able to exercise this option through the use of a central "opt out" program such as the Direct Marketing Association's Mail Preference Service. Organizations that participate in the Direct Marketing Association's Mail Preference Service should promote its availability to consumers who do not wish to receive commercial information. In any event, an individual should be given a readily available and affordable mechanism to exercise this option. § III.12.a.] | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 [EU Member State law applies to the collection of the personal data and to any processing that takes place prior to the transfer to the United States. The Privacy Shield Principles apply to the data once they have been transferred to the United States. Data used for pharmaceutical research and other purposes should be anonymized when appropriate. § III.14.a.i.] | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Privacy protection for information and data | Preventive | |
| Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Privacy protection for information and data | Preventive | |
| Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data access procedures. CC ID 00414 [Consistent with the fundamental nature of access, organizations should always make good faith efforts to provide access. For example, where certain information needs to be protected and can be readily separated from other personal information subject to an access request, the organization should redact the protected information and make available the other information. If an organization determines that access should be restricted in any particular instance, it should provide the individual requesting access with an explanation of why it has made that determination and a contact point for any further inquiries. § III.8.a.iii. {human resources information} The Supplemental Principle on Access provides guidance on reasons which may justify denying or limiting access on request in the human resources context. Of course, employers in the European Union must comply with local regulations and ensure that European Union employees have access to such information as is required by law in their home countries, regardless of the location of data processing and storage. The Privacy Shield requires that an organization processing such data in the United States will cooperate in providing such access either directly or through the EU employer. § III.9.c.i. It is not necessary to apply the Access Principle to public record information as long as it is not combined with other personal information (apart from small amounts used to index or organize the public record information); however, any conditions for consultation established by the relevant jurisdiction are to be respected. In contrast, where public record information is combined with other non-public record information (other than as specifically noted above), an organization must provide access to all such information, assuming it is not subject to other permitted exceptions. § III.15.d. It is not necessary to apply the Access Principle to public record information as long as it is not combined with other personal information (apart from small amounts used to index or organize the public record information); however, any conditions for consultation established by the relevant jurisdiction are to be respected. In contrast, where public record information is combined with other non-public record information (other than as specifically noted above), an organization must provide access to all such information, assuming it is not subject to other permitted exceptions. § III.15.d. As with public record information, it is not necessary to provide access to information that is already publicly available to the public at large, as long as it is not combined with non-publicly available information. Organizations that are in the business of selling publicly available information may charge the organization's customary fee in responding to requests for access. Alternatively, individuals may seek access to their information from the organization that originally compiled the data. § III.15.e.] | Privacy protection for information and data | Preventive | |
| Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Privacy protection for information and data | Preventive | |
| Define what is to be included in a data access request. CC ID 08699 | Privacy protection for information and data | Preventive | |
| Deliver the records described in the personal data access request, as necessary. CC ID 08701 [An individual has the right to obtain confirmation of whether or not this organization has personal data relating to him or her. An individual also has the right to have communicated to him or her personal data relating to him or her. An organization may charge a fee that is not excessive. § III.8.f.i.] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Privacy protection for information and data | Preventive | |
| Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Preventive | |
| Notify third parties of data access requests that relates to the third party. CC ID 08703 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Privacy protection for information and data | Preventive | |
| Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 | Privacy protection for information and data | Preventive | |
| Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 | Privacy protection for information and data | Preventive | |
| Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 | Privacy protection for information and data | Preventive | |
| Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 | Privacy protection for information and data | Preventive | |
| Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 | Privacy protection for information and data | Preventive | |
| Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Privacy protection for information and data | Preventive | |
| Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Privacy protection for information and data | Preventive | |
| Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Privacy protection for information and data | Preventive | |
| Define and implement valid authorization control requirements. CC ID 06258 | Privacy protection for information and data | Preventive | |
| Define security breach notification requirement exceptions. CC ID 04797 | Privacy protection for information and data | Preventive | |
| Define what restricted data is not required to be disclosed absent consent. CC ID 00134 | Privacy protection for information and data | Preventive | |
| Define the exceptions to disclosure absent consent. CC ID 00135 | Privacy protection for information and data | Preventive | |
| Define opt-out exceptions for disclosing restricted data. CC ID 00159 [{pharmaceutical company} {Notice Principle} {Choice Principle} {Accountability for Onward Transfer Principle} {Access Principle} A pharmaceutical or medical device company does not have to apply the Privacy Shield Principles with respect to the Notice, Choice, Accountability for Onward Transfer, and Access Principles in its product safety and efficacy monitoring activities, including the reporting of adverse events and the tracking of patients/subjects using certain medicines or medical devices, to the extent that adherence to the Principles interferes with compliance with regulatory requirements. This is true both with respect to reports by, for example, health care providers to pharmaceutical and medical device companies, and with respect to reports by pharmaceutical and medical device companies to government agencies like the Food and Drug Administration. § III.14.f.i.] | Privacy protection for information and data | Preventive | |
| Define how a data subject may give consent. CC ID 00160 | Privacy protection for information and data | Preventive | |
| Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 | Privacy protection for information and data | Detective | |
| Establish, implement, and maintain restricted data retention procedures. CC ID 00167 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain personal data disposition procedures. CC ID 13498 | Privacy protection for information and data | Preventive | |
| Document the redisclosing restricted data exceptions. CC ID 00170 | Privacy protection for information and data | Preventive | |
| Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data disclosure procedures. CC ID 00133 [{is not used} For example, if the personal information is used for decisions that will significantly affect the individual, then consistent with the other provisions of these Supplemental Principles, the organization would have to disclose that information even if it is relatively difficult or expensive to provide. If the personal information requested is not sensitive or not used for decisions that will significantly affect the individual, but is readily available and inexpensive to provide, an organization would have to provide access to such information. § III.8.b.ii.] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data request denial procedures. CC ID 00434 [{personal data access request} An organization which claims an exception has the burden of demonstrating its necessity, and the reasons for restricting access and a contact point for further inquiries should be given to individuals. § III.8.e.ii. {pharmaceutical company} {Notice Principle} {Choice Principle} {Accountability for Onward Transfer Principle} {Access Principle} A pharmaceutical or medical device company does not have to apply the Privacy Shield Principles with respect to the Notice, Choice, Accountability for Onward Transfer, and Access Principles in its product safety and efficacy monitoring activities, including the reporting of adverse events and the tracking of patients/subjects using certain medicines or medical devices, to the extent that adherence to the Principles interferes with compliance with regulatory requirements. This is true both with respect to reports by, for example, health care providers to pharmaceutical and medical device companies, and with respect to reports by pharmaceutical and medical device companies to government agencies like the Food and Drug Administration. § III.14.f.i.] | Privacy protection for information and data | Preventive | |
| Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Privacy protection for information and data | Preventive | |
| Include cookie management in the privacy framework. CC ID 13809 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain cookie management procedures. CC ID 13810 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data use policy. CC ID 00076 | Privacy protection for information and data | Preventive | |
| Post the collection purpose. CC ID 00101 | Privacy protection for information and data | Preventive | |
| Document each individual's personal data collection consent preferences. CC ID 06945 | Privacy protection for information and data | Preventive | |
| Establish and maintain a personal data definition. CC ID 00028 | Privacy protection for information and data | Preventive | |
| Include the number of children in the personal data definition. CC ID 13759 | Privacy protection for information and data | Preventive | |
| Include the individual's religion in the personal data definition. CC ID 13765 | Privacy protection for information and data | Preventive | |
| Include an individual's political party affiliation in the personal data definition. CC ID 13764 | Privacy protection for information and data | Preventive | |
| Include an individual's license plate number in the personal data definition. CC ID 13763 | Privacy protection for information and data | Preventive | |
| Include an individual's account balances in the personal data definition. CC ID 13770 | Privacy protection for information and data | Preventive | |
| Include an individual's logon credentials in the personal data definition. CC ID 13771 | Privacy protection for information and data | Preventive | |
| Include an individual's military identification number in the personal data definition. CC ID 13083 | Privacy protection for information and data | Preventive | |
| Refrain from including publicly available information in the personal data definition. CC ID 13084 | Privacy protection for information and data | Preventive | |
| Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Privacy protection for information and data | Preventive | |
| Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the data collector's name and contact information. CC ID 00024 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Detective | |
| Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain call metadata controls. CC ID 04790 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data handling procedures. CC ID 11756 | Privacy protection for information and data | Preventive | |
| Define personal data that falls under breach notification rules. CC ID 00800 | Privacy protection for information and data | Preventive | |
| Define an out of scope privacy breach. CC ID 04677 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data transfer program. CC ID 00307 [{Department of Commerce} Where the organization wishes its Privacy Shield benefits to cover human resources information transferred from the EU for use in the context of the employment relationship, it may do so where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear claims against the organization arising out of the processing of human resources information. In addition, the organization must indicate this in its self-certification submission and declare its commitment to cooperate with the EU authority or authorities concerned in conformity with the Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities as applicable and that it will comply with the advice given by such authorities. The organization must also provide the Department with a copy of its human resources privacy policy and provide information where the privacy policy is available for viewing by its affected employees. § III.6.c.] | Privacy protection for information and data | Preventive | |
| Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 [{notice principle} To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles. Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles. § II.3.a. {data processor} When personal data is transferred from the EU to the United States only for processing purposes, a contract will be required, regardless of participation by the processor in the Privacy Shield. § III.10.a.i. Data controllers in the European Union are always required to enter into a contract when a transfer for mere processing is made, whether the processing operation is carried out inside or outside the EU, and whether or not the processor participates in the Privacy Shield. The purpose of the contract is to make sure that the processor: § III.10.a.ii. {personal data transfer}{do not need} For transfers between controllers, the recipient controller need not be a Privacy Shield organization or have an independent recourse mechanism. The Privacy Shield organization must enter into a contract with the recipient third-party controller that provides for the same level of protection as is available under the Privacy Shield, not including the requirement that the third party controller be a Privacy Shield organization or have an independent recourse mechanism, provided it makes available an equivalent mechanism. § III.10.c.i.] | Privacy protection for information and data | Preventive | |
| Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 [{Department of Commerce} To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles; (iv) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (v) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request. § II.3.b. {Notice Principle}{Choice Principle} The Privacy Principles apply immediately upon certification. Recognizing that the Principles will impact commercial relationships with third parties, organizations that certify to the Privacy Shield Framework in the first two months following the Framework's effective date shall bring existing commercial relationships with third parties into conformity with the Accountability for Onward Transfer Principle as soon as possible, and in any event no later than nine months from the date upon which they certify to the Privacy Shield. During that interim period, where organizations transfer data to a third party, they shall (i) apply the Notice and Choice Principles, and (ii) where personal data is transferred to a third party acting as an agent, ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles. § III.6.e. {liability} In the context of an onward transfer, a Privacy Shield organization has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. The Privacy Shield organization shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage. § II.7.d. Airline passenger reservation and other travel information, such as frequent flyer or hotel reservation information and special handling needs, such as meals to meet religious requirements or physical assistance, may be transferred to organizations located outside the EU in several different circumstances. Under Article 26 of the Directive, personal data may be transferred "to a third country which does not ensure an adequate level of protection within the meaning of Article 25(2)" on the condition that it (i) is necessary to provide the services requested by the consumer or to fulfill the terms of an agreement, such as a "frequent flyer" agreement; or (ii) has been unambiguously consented to by the consumer. U.S. organizations subscribing to the Privacy Shield provide adequate protection for personal data and may therefore receive data transfers from the EU without meeting these conditions or other conditions set out in Article 26 of the Directive. Since the Privacy Shield includes specific rules for sensitive information, such information (which may need to be collected, for example, in connection with customers' needs for physical assistance) may be included in transfers to Privacy Shield participants. In all cases, however, the organization transferring the information has to respect the law in the EU Member State in which it is operating, which may inter alia impose special conditions for the handling of sensitive data. § III.13.a.] | Privacy protection for information and data | Preventive | |
| Document transfer disagreements by the data subject in writing. CC ID 00348 | Privacy protection for information and data | Preventive | |
| Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 | Privacy protection for information and data | Preventive | |
| Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a privacy impact assessment. CC ID 13712 | Privacy protection for information and data | Preventive | |
| Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 | Privacy protection for information and data | Preventive | |
| Include how to grant consent in the privacy impact assessment. CC ID 15519 | Privacy protection for information and data | Preventive | |
| Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 | Privacy protection for information and data | Preventive | |
| Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 | Privacy protection for information and data | Preventive | |
| Include data handling procedures in the privacy impact assessment. CC ID 15516 | Privacy protection for information and data | Preventive | |
| Include the intended use of information in the privacy impact assessment. CC ID 15515 | Privacy protection for information and data | Preventive | |
| Include the reason information is being collected in the privacy impact assessment. CC ID 15514 | Privacy protection for information and data | Preventive | |
| File privacy rights violation complaints in writing. CC ID 00477 [Independent recourse mechanisms must include on their public websites information regarding the Privacy Shield Principles and the services that they provide under the Privacy Shield. This information must include: (1) information on or a link to the Privacy Shield Principles' requirements for independent recourse mechanisms; (2) a link to the Department's Privacy Shield website; (3) an explanation that their dispute resolution services under the Privacy Shield are free of charge to individuals; (4) a description of how a Privacy Shield-related complaint can be filed; (5) the timeframe in which Privacy Shield-related complaints are processed; and (6) a description of the range of potential remedies. § III.11.d.ii.] | Privacy protection for information and data | Corrective | |
| Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 | Privacy protection for information and data | Corrective | |
| Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 [Independent recourse mechanisms must include on their public websites information regarding the Privacy Shield Principles and the services that they provide under the Privacy Shield. This information must include: (1) information on or a link to the Privacy Shield Principles' requirements for independent recourse mechanisms; (2) a link to the Department's Privacy Shield website; (3) an explanation that their dispute resolution services under the Privacy Shield are free of charge to individuals; (4) a description of how a Privacy Shield-related complaint can be filed; (5) the timeframe in which Privacy Shield-related complaints are processed; and (6) a description of the range of potential remedies. § III.11.d.ii.] | Privacy protection for information and data | Preventive | |
| Include potential remedies in the privacy dispute resolution program. CC ID 12531 [Independent recourse mechanisms must include on their public websites information regarding the Privacy Shield Principles and the services that they provide under the Privacy Shield. This information must include: (1) information on or a link to the Privacy Shield Principles' requirements for independent recourse mechanisms; (2) a link to the Department's Privacy Shield website; (3) an explanation that their dispute resolution services under the Privacy Shield are free of charge to individuals; (4) a description of how a Privacy Shield-related complaint can be filed; (5) the timeframe in which Privacy Shield-related complaints are processed; and (6) a description of the range of potential remedies. § III.11.d.ii.] | Privacy protection for information and data | Preventive | |
| Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 [An organization must inform individuals about: how to contact the organization with any inquiries or complaints, including any relevant establishment in the EU that can respond to such inquiries or complaints, § II.1.a.v. An organization must inform individuals about: the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the panel established by DPAs, (2) an alternative dispute resolution provider based in the EU, or (3) an alternative dispute resolution provider based in the United States, § II.1.a.ix. description of the organization's privacy policy for such personal information, including: a contact office for the handling of complaints, access requests, and any other issues arising under the Privacy Shield; § III.6.b.iii.3. Consistent with the fundamental nature of access, organizations should always make good faith efforts to provide access. For example, where certain information needs to be protected and can be readily separated from other personal information subject to an access request, the organization should redact the protected information and make available the other information. If an organization determines that access should be restricted in any particular instance, it should provide the individual requesting access with an explanation of why it has made that determination and a contact point for any further inquiries. § III.8.a.iii. {personal data access request} An organization which claims an exception has the burden of demonstrating its necessity, and the reasons for restricting access and a contact point for further inquiries should be given to individuals. § III.8.e.ii.] | Privacy protection for information and data | Preventive | |
| Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 [Independent recourse mechanisms must include on their public websites information regarding the Privacy Shield Principles and the services that they provide under the Privacy Shield. This information must include: (1) information on or a link to the Privacy Shield Principles' requirements for independent recourse mechanisms; (2) a link to the Department's Privacy Shield website; (3) an explanation that their dispute resolution services under the Privacy Shield are free of charge to individuals; (4) a description of how a Privacy Shield-related complaint can be filed; (5) the timeframe in which Privacy Shield-related complaints are processed; and (6) a description of the range of potential remedies. § III.11.d.ii.] | Privacy protection for information and data | Preventive | |
| Document unresolved challenges. CC ID 13568 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 | Privacy protection for information and data | Preventive | |
| Document disagreements as to whether personal data is complete and accurate. CC ID 06952 | Privacy protection for information and data | Preventive | |
| Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 | Privacy protection for information and data | Preventive | |
| Include the allegations against the organization in the notice of investigation. CC ID 13031 | Privacy protection for information and data | Preventive | |
| Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 | Privacy protection for information and data | Corrective | |
| Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 [As set forth in Annex I, an arbitration option is available to an individual to determine, for residual claims, whether a Privacy Shield organization has violated its obligations under the Principles as to that individual, and whether any such violation remains fully or partially unremedied. This option is available only for these purposes. This option is not available, for example, with respect to the exceptions to the Principles or with respect to an allegation about the adequacy of the Privacy Shield. Under this arbitration option, the Privacy Shield Panel (consisting of one or three arbitrators, as agreed by the parties) has the authority to impose individual-specific, non-monetary equitable relief (such as access, correction, deletion, or return of the individual's data in question) necessary to remedy the violation of the Principles only with respect to the individual. Individuals and Privacy Shield organizations will be able to seek judicial review and enforcement of the arbitral decisions pursuant to U.S. law under the Federal Arbitration Act. § III.11.d.iv.] | Privacy protection for information and data | Detective | |
| Define the organization's liability based on the applicable law. CC ID 00504 [{liability} In the context of an onward transfer, a Privacy Shield organization has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. The Privacy Shield organization shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage. § II.7.d. Internet Service Providers ("ISPs"), telecommunications carriers, and other organizations are not liable under the Privacy Shield Principles when on behalf of another organization they merely transmit, route, switch, or cache information. As is the case with the Directive itself, the Privacy Shield does not create secondary liability. To the extent that an organization is acting as a mere conduit for data transmitted by third parties and does not determine the purposes and means of processing those personal datą it would not be liable. § III.3.a. {pharmaceutical company} {Notice Principle} {Choice Principle} {Accountability for Onward Transfer Principle} {Access Principle} A pharmaceutical or medical device company does not have to apply the Privacy Shield Principles with respect to the Notice, Choice, Accountability for Onward Transfer, and Access Principles in its product safety and efficacy monitoring activities, including the reporting of adverse events and the tracking of patients/subjects using certain medicines or medical devices, to the extent that adherence to the Principles interferes with compliance with regulatory requirements. This is true both with respect to reports by, for example, health care providers to pharmaceutical and medical device companies, and with respect to reports by pharmaceutical and medical device companies to government agencies like the Food and Drug Administration. § III.14.f.i.] | Privacy protection for information and data | Preventive | |
| Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 [Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum such mechanisms must include: § II.7.a. At a minimum such mechanisms must include: readily available independent recourse mechanisms by which each individual's complaints and disputes are investigated and expeditiously resolved at no cost to the individual and by reference to the Principles, and damages awarded where the applicable law or private-sector initiatives so provide; § II.7.a.i. {be rigorous} At a minimum such mechanisms must include: obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations. § II.7.a.iii.] | Privacy protection for information and data | Preventive | |
| Define the appeal process based on the applicable law. CC ID 00506 | Privacy protection for information and data | Preventive | |
| Provide notice of proposed penalties. CC ID 06216 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain customer data authentication procedures. CC ID 13187 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Preventive | |
| Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Preventive | |
| Include a description of the product or service to be provided in third party contracts. CC ID 06509 | Third Party and supply chain oversight | Preventive | |
| Include a description of the products or services fees in third party contracts. CC ID 10018 | Third Party and supply chain oversight | Preventive | |
| Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Third Party and supply chain oversight | Preventive | |
| Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Preventive | |
| Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Preventive | |
| Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Preventive | |
| Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 | Third Party and supply chain oversight | Preventive | |
| Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Third Party and supply chain oversight | Preventive | |
| Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Third Party and supply chain oversight | Preventive | |
| Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Third Party and supply chain oversight | Preventive | |
| Include text about data ownership in third party contracts. CC ID 06502 | Third Party and supply chain oversight | Preventive | |
| Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Third Party and supply chain oversight | Preventive | |
| Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Third Party and supply chain oversight | Preventive | |
| Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Preventive | |
| Include roles and responsibilities in third party contracts. CC ID 13487 | Third Party and supply chain oversight | Preventive | |
| Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Preventive | |
| Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Preventive | |
| Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Third Party and supply chain oversight | Preventive | |
| Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 | Third Party and supply chain oversight | Preventive | |
| Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Third Party and supply chain oversight | Preventive | |
| Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Third Party and supply chain oversight | Preventive | |
| Include a reporting structure in third party contracts. CC ID 06532 | Third Party and supply chain oversight | Preventive | |
| Include points of contact in third party contracts. CC ID 12355 | Third Party and supply chain oversight | Preventive | |
| Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Preventive | |
| Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 | Third Party and supply chain oversight | Preventive | |
| Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 | Third Party and supply chain oversight | Preventive | |
| Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Third Party and supply chain oversight | Preventive | |
| Include an indemnification and liability clause in third party contracts. CC ID 06517 | Third Party and supply chain oversight | Preventive | |
| Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Third Party and supply chain oversight | Preventive | |
| Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 | Third Party and supply chain oversight | Preventive | |
| Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Third Party and supply chain oversight | Preventive | |
| Include change control clauses in third party contracts, as necessary. CC ID 06523 | Third Party and supply chain oversight | Preventive | |
| Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Third Party and supply chain oversight | Preventive | |
| Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Third Party and supply chain oversight | Preventive | |
| Include change control notification processes in third party contracts. CC ID 06524 | Third Party and supply chain oversight | Preventive | |
| Include cost structure changes in third party contracts. CC ID 10021 | Third Party and supply chain oversight | Preventive | |
| Include a choice of venue clause in third party contracts. CC ID 06520 | Third Party and supply chain oversight | Preventive | |
| Include a dispute resolution clause in third party contracts. CC ID 06519 | Third Party and supply chain oversight | Preventive | |
| Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Third Party and supply chain oversight | Preventive | |
| Include a termination provision clause in third party contracts. CC ID 01367 | Third Party and supply chain oversight | Detective | |
| Include early termination contingency plans in the third party contracts. CC ID 06526 | Third Party and supply chain oversight | Preventive | |
| Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Third Party and supply chain oversight | Preventive | |
| Include termination costs in third party contracts. CC ID 10023 | Third Party and supply chain oversight | Preventive | |
| Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Third Party and supply chain oversight | Preventive | |
| Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 | Third Party and supply chain oversight | Preventive | |
| Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Third Party and supply chain oversight | Preventive | |
| Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Third Party and supply chain oversight | Preventive | |
| Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 [{data processor} The purpose of the contract is to make sure that the processor: taking into account the nature of the processing, assists the controller in responding to individuals exercising their rights under the Principles. § III.10.a.ii.3.] | Third Party and supply chain oversight | Preventive | |
| Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Third Party and supply chain oversight | Preventive | |
| Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353 | Third Party and supply chain oversight | Preventive | |
Human Resources Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Align disciplinary actions with the level of compliance violation. CC ID 12404 [Dispute resolution bodies have discretion about the circumstances in which they use these sanctions. The sensitivity of the data concerned is one factor to be taken into consideration in deciding whether deletion of data should be required, as is whether an organization has collected, used, or disclosed information in blatant contravention of the Privacy Shield Principles. § III.11.e.i. Footnote 3 Dispute resolution bodies have discretion about the circumstances in which they use these sanctions. The sensitivity of the data concerned is one factor to be taken into consideration in deciding whether deletion of data should be required, as is whether an organization has collected, used, or disclosed information in blatant contravention of the Privacy Shield Principles. § III.11.e.i. Footnote 3] | Monitoring and measurement | Preventive | |
| Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources management | Preventive | |
| Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources management | Preventive | |
| Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources management | Preventive | |
| Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources management | Preventive | |
| Assign members who are independent from management to the Board of Directors. CC ID 12395 | Human Resources management | Preventive | |
| Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 | Human Resources management | Preventive | |
| Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources management | Preventive | |
| Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources management | Corrective | |
| Refrain from using employees' privacy choices to restrict employment. CC ID 12425 [{Notice Principle}{Choice Principle} A U.S. organization that has received employee information from the EU under the Privacy Shield may disclose it to third parties or use it for different purposes only in accordance with the Notice and Choice Principles. For example, where an organization intends to use personal information collected through the employment relationship for non-employment-related purposes, such as marketing communications, the U.S. organization must provide the affected individuals with the requisite choice before doing so, unless they have already authorized the use of the information for such purposes. Moreover, such choices must not be used to restrict employment opportunities or take any punitive action against such employees. § III.9.b.i. {Notice Principle}{Choice Principle} A U.S. organization that has received employee information from the EU under the Privacy Shield may disclose it to third parties or use it for different purposes only in accordance with the Notice and Choice Principles. For example, where an organization intends to use personal information collected through the employment relationship for non-employment-related purposes, such as marketing communications, the U.S. organization must provide the affected individuals with the requisite choice before doing so, unless they have already authorized the use of the information for such purposes. Moreover, such choices must not be used to restrict employment opportunities or take any punitive action against such employees. § III.9.b.i.] | Human Resources management | Preventive | |
| Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 | Privacy protection for information and data | Preventive | |
| Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 | Privacy protection for information and data | Preventive | |
| Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 | Privacy protection for information and data | Preventive | |
| Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 | Privacy protection for information and data | Preventive | |
| Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 | Privacy protection for information and data | Preventive | |
| Review compliance with the organization's privacy objectives. CC ID 13490 | Privacy protection for information and data | Detective | |
| Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 | Privacy protection for information and data | Preventive | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
| Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
| Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
| Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| Records management CC ID 00902 | Records management | IT Impact Zone | |
| Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
| Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
Investigate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Determine the causes of compliance violations. CC ID 12401 | Monitoring and measurement | Corrective | |
| Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Monitoring and measurement | Detective | |
| Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Monitoring and measurement | Detective | |
| Analyze requirements for processing personal data in contracts. CC ID 12550 | Privacy protection for information and data | Detective | |
| Confirm the data quality of personal data collected from third parties. CC ID 13510 | Privacy protection for information and data | Detective | |
| Review the methods for collecting personal data, as necessary. CC ID 13511 | Privacy protection for information and data | Detective | |
| Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Detective | |
Log Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 | Monitoring and measurement | Preventive | |
| Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Monitoring and measurement | Detective | |
| Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Monitoring and measurement | Detective | |
| Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Monitoring and measurement | Detective | |
| Restrict access to logs to authorized individuals. CC ID 01342 | Monitoring and measurement | Preventive | |
| Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Monitoring and measurement | Preventive | |
| Back up logs according to backup procedures. CC ID 01344 | Monitoring and measurement | Preventive | |
| Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Monitoring and measurement | Preventive | |
| Identify hosts with logs that are not being stored. CC ID 06314 | Monitoring and measurement | Preventive | |
| Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Monitoring and measurement | Preventive | |
| Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Monitoring and measurement | Preventive | |
| Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Monitoring and measurement | Preventive | |
| Protect logs from unauthorized activity. CC ID 01345 | Monitoring and measurement | Preventive | |
| Perform testing and validating activities on all logs. CC ID 06322 | Monitoring and measurement | Preventive | |
| Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Monitoring and measurement | Preventive | |
| Preserve the identity of individuals in audit trails. CC ID 10594 | Monitoring and measurement | Preventive | |
| Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Preventive | |
| Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Preventive | |
| Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Detective | |
| Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Detective | |
Monitor and Evaluate Occurrences | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 | Monitoring and measurement | Detective | |
| Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitoring and measurement | Preventive | |
| Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Detective | |
| Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Corrective | |
| Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Detective | |
| Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Detective | |
| Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Privacy protection for information and data | Preventive | |
| Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Privacy protection for information and data | Preventive | |
| Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Privacy protection for information and data | Preventive | |
Process or Activity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Correct compliance violations. CC ID 13515 | Monitoring and measurement | Corrective | |
| Convert data into standard units before reporting metrics. CC ID 15507 | Monitoring and measurement | Corrective | |
| Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821 | Operational management | Preventive | |
| Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Preventive | |
| Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Operational management | Preventive | |
| Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Operational management | Preventive | |
| Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Operational management | Preventive | |
| Analyze the organizational culture. CC ID 12899 | Operational management | Preventive | |
| Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Operational management | Detective | |
| Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Operational management | Detective | |
| Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Operational management | Detective | |
| Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 [{Department of Commerce} The result of any remedies provided by the dispute resolution body should be that the effects of non-compliance are reversed or corrected by the organization, insofar as feasible, and that future processing by the organization will be in conformity with the Principles and, where appropriate, that processing of the personal data of the individual who brought the complaint will cease. Sanctions need to be rigorous enough to ensure compliance by the organization with the Principles. A range of sanctions of varying degrees of severity will allow dispute resolution bodies to respond appropriately to varying degrees of non-compliance. Sanctions should include both publicity for findings of non-compliance and the requirement to delete data in certain circumstances. Other sanctions could include suspension and removal of a seal, compensation for individuals for losses incurred as a result of non-compliance and injunctive awards. Private sector dispute resolution bodies and self-regulatory bodies must notify failures of Privacy Shield organizations to comply with their rulings to the governmental body with applicable jurisdiction or to the courts, as appropriate, and to notify the Department. § III.11.e.i. {Department of Commerce} The result of any remedies provided by the dispute resolution body should be that the effects of non-compliance are reversed or corrected by the organization, insofar as feasible, and that future processing by the organization will be in conformity with the Principles and, where appropriate, that processing of the personal data of the individual who brought the complaint will cease. Sanctions need to be rigorous enough to ensure compliance by the organization with the Principles. A range of sanctions of varying degrees of severity will allow dispute resolution bodies to respond appropriately to varying degrees of non-compliance. Sanctions should include both publicity for findings of non-compliance and the requirement to delete data in certain circumstances. Other sanctions could include suspension and removal of a seal, compensation for individuals for losses incurred as a result of non-compliance and injunctive awards. Private sector dispute resolution bodies and self-regulatory bodies must notify failures of Privacy Shield organizations to comply with their rulings to the governmental body with applicable jurisdiction or to the courts, as appropriate, and to notify the Department. § III.11.e.i.] | Operational management | Corrective | |
| Determine how long to keep records and logs before disposing them. CC ID 11661 | Records management | Preventive | |
| Require a data protection impact assessment when profiling the data subject. CC ID 12680 | Privacy protection for information and data | Detective | |
| Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 | Privacy protection for information and data | Preventive | |
| Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the data retention period for personal data. CC ID 12587 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the adequacy decision. CC ID 12586 | Privacy protection for information and data | Preventive | |
| Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 | Privacy protection for information and data | Preventive | |
| Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 | Privacy protection for information and data | Preventive | |
| Notify the data subject of the right to data portability. CC ID 12603 | Privacy protection for information and data | Preventive | |
| Provide the data subject with information about the right to erasure. CC ID 12602 | Privacy protection for information and data | Preventive | |
| Provide shareholders access to electronic messages via electronic means. CC ID 11855 | Privacy protection for information and data | Preventive | |
| Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 | Privacy protection for information and data | Preventive | |
| Align the enterprise architecture with the privacy plan. CC ID 14705 | Privacy protection for information and data | Preventive | |
| Confirm the individual's identity before granting an opt-out request. CC ID 16813 | Privacy protection for information and data | Preventive | |
| Approve the approval application unless applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Preventive | |
| Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 | Privacy protection for information and data | Preventive | |
| Allow data subjects to submit data requests. CC ID 16545 | Privacy protection for information and data | Preventive | |
| Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Privacy protection for information and data | Preventive | |
| Allow affected third parties to consent or object to a data access request. CC ID 08704 | Privacy protection for information and data | Preventive | |
| Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 | Privacy protection for information and data | Detective | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Privacy protection for information and data | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Preventive | |
| Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 [{personal data} Other reasons for denying or limiting access are: breaching a legal or other professional privilege or obligation; § III.8.e.i.3.] | Privacy protection for information and data | Preventive | |
| Search the Internet for evidence of data leakage. CC ID 10419 | Privacy protection for information and data | Detective | |
| Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Preventive | |
| Take appropriate action when a data leakage is discovered. CC ID 14716 | Privacy protection for information and data | Corrective | |
| Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 | Privacy protection for information and data | Preventive | |
| Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 | Privacy protection for information and data | Preventive | |
| Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 | Privacy protection for information and data | Preventive | |
| Define the fee structure for the appeal process. CC ID 16532 | Privacy protection for information and data | Preventive | |
| Define the time requirements for the appeal process. CC ID 16531 | Privacy protection for information and data | Preventive | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [By derogation to the previous paragraph, it is not necessary to provide choice when disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of and under the instructions of the organization. However, an organization shall always enter into a contract with the agent. § II.2.b.] | Third Party and supply chain oversight | Detective | |
Records Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Retain records in accordance with applicable requirements. CC ID 00968 [{unfair act or practice}{deceptive act or practice}{Department of Commerce} Organizations must retain their records on the implementation of their Privacy Shield privacy practices and make them available upon request in the context of an investigation or a complaint about non-compliance to the independent body responsible for investigating complaints or to the agency with unfair and deceptive practices jurisdiction. Organizations must also respond promptly to inquiries and other requests for information from the Department relating to the organization's adherence to the Principles. § III.7.e. {is accurate} {is complete} {is current} Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. An organization must adhere to the Principles for as long as it retains such information. § II.5.a.] | Records management | Preventive | |
| Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 | Privacy protection for information and data | Preventive | |
| Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 | Privacy protection for information and data | Preventive | |
| Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 | Privacy protection for information and data | Corrective | |
| Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 | Privacy protection for information and data | Corrective | |
| Grant access to education records in support of educational program audits. CC ID 13032 | Privacy protection for information and data | Preventive | |
| Grant access to education records in support of external requirements. CC ID 13033 | Privacy protection for information and data | Preventive | |
| Collect and retain disclosure authorizations for each data subject. CC ID 13434 | Privacy protection for information and data | Preventive | |
| Refrain from destroying records being inspected or reviewed. CC ID 13015 | Privacy protection for information and data | Preventive | |
| Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Preventive | |
| Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Corrective | |
| Refrain from processing restricted data, as necessary. CC ID 12551 | Privacy protection for information and data | Preventive | |
| Include the data protection officer's contact information in the record of processing activities. CC ID 12640 | Privacy protection for information and data | Preventive | |
| Include the data processor's contact information in the record of processing activities. CC ID 12657 | Privacy protection for information and data | Preventive | |
| Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 | Privacy protection for information and data | Preventive | |
| Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 | Privacy protection for information and data | Preventive | |
| Include a description of the data subject categories in the record of processing activities. CC ID 12659 | Privacy protection for information and data | Preventive | |
| Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 | Privacy protection for information and data | Preventive | |
| Include the personal data processing categories in the record of processing activities. CC ID 12661 | Privacy protection for information and data | Preventive | |
| Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 | Privacy protection for information and data | Preventive | |
| Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 | Privacy protection for information and data | Preventive | |
| Include a description of the personal data categories in the record of processing activities. CC ID 12660 | Privacy protection for information and data | Preventive | |
| Include the joint data controller's contact information in the record of processing activities. CC ID 12639 | Privacy protection for information and data | Preventive | |
| Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 | Privacy protection for information and data | Preventive | |
| Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 | Privacy protection for information and data | Preventive | |
| Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 | Privacy protection for information and data | Preventive | |
| Include the data controller's contact information in the record of processing activities. CC ID 12637 | Privacy protection for information and data | Preventive | |
| Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Privacy protection for information and data | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Privacy protection for information and data | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Privacy protection for information and data | Preventive | |
| Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 | Privacy protection for information and data | Preventive | |
| Remove personal data from records after receiving a personal data removal request. CC ID 11972 | Privacy protection for information and data | Preventive | |
| Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 | Privacy protection for information and data | Preventive | |
Systems Continuity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Back up audit trails according to backup procedures. CC ID 11642 | Monitoring and measurement | Preventive | |
Technical Security | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain a network activity baseline. CC ID 13188 | Monitoring and measurement | Detective | |
| Deploy log normalization tools, as necessary. CC ID 12141 | Monitoring and measurement | Preventive | |
| Restrict access to audit trails to a need to know basis. CC ID 11641 | Monitoring and measurement | Preventive | |
| Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 | Privacy protection for information and data | Preventive | |
| Display warning screens and confirmation screens for all payment transactions. CC ID 06409 | Privacy protection for information and data | Preventive | |
| Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Privacy protection for information and data | Preventive | |
| Employ a random number generator to create authenticators. CC ID 13782 | Privacy protection for information and data | Preventive | |
| Provide unobservability of users and resources. CC ID 04551 | Privacy protection for information and data | Preventive | |
| Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Preventive | |
| Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Preventive | |
| Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Preventive | |
| Implement security measures to protect personal data. CC ID 13606 | Privacy protection for information and data | Preventive | |
Testing | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 | Monitoring and measurement | Preventive | |
| Test compliance controls for proper functionality. CC ID 00660 [Organizations must provide follow up procedures for verifying that the attestations and assertions they make about their Privacy Shield privacy practices are true and those privacy practices have been implemented as represented and in accordance with the Privacy Shield Principles. § III.7.a. Organizations must provide follow up procedures for verifying that the attestations and assertions they make about their Privacy Shield privacy practices are true and those privacy practices have been implemented as represented and in accordance with the Privacy Shield Principles. § III.7.a. At a minimum such mechanisms must include: follow-up procedures for verifying that the attestations and assertions organizations make about their privacy practices are true and that privacy practices have been implemented as presented and, in particular, with regard to cases of non-compliance; and § II.7.a.ii.] | Monitoring and measurement | Detective | |
| Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Detective | |
| Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Preventive | |
| Conduct personal data risk assessments. CC ID 00357 [{unauthorized disclosure}{unauthorized alteration}{unauthorized destruction} Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data. § II.4.a.] | Privacy protection for information and data | Detective | |
| Conduct internal data processing audits. CC ID 00374 | Privacy protection for information and data | Detective | |
| Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 | Privacy protection for information and data | Detective | |
| Record restricted data correctly. CC ID 00089 [{Security Principle}(Data Integrity and Purpose Limitation Principle} {Recourse, Enforcement and Liability Principle} An organization must apply the Privacy Shield Principles of Security, Data Integrity and Purpose Limitation, and Recourse, Enforcement and Liability to personal data from publicly available sources. These Principles shall apply also to personal data collected from public records, i.e., those records kept by government agencies or entities at any level that are open to consultation by the public in general. § III.15.a.] | Privacy protection for information and data | Detective | |
| Include third party requirements for personnel security in third party contracts. CC ID 00790 | Third Party and supply chain oversight | Detective | |
| Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Third Party and supply chain oversight | Detective | |
| Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Third Party and supply chain oversight | Detective | |
| Establish the third party's service continuity. CC ID 00797 | Third Party and supply chain oversight | Detective | |
| Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Third Party and supply chain oversight | Detective | |
| Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Third Party and supply chain oversight | Detective | |
| Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359 [{Department of Commerce} To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles; (iv) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (v) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request. § II.3.b.] | Third Party and supply chain oversight | Detective | |
Common Controls andThere are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
Corrective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Determine the causes of compliance violations. CC ID 12401 | Monitoring and measurement | Investigate | |
| Correct compliance violations. CC ID 13515 | Monitoring and measurement | Process or Activity | |
| Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 [{is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c.] | Monitoring and measurement | Behavior | |
| Convert data into standard units before reporting metrics. CC ID 15507 | Monitoring and measurement | Process or Activity | |
| Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources management | Human Resources Management | |
| Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 [{Department of Commerce} The result of any remedies provided by the dispute resolution body should be that the effects of non-compliance are reversed or corrected by the organization, insofar as feasible, and that future processing by the organization will be in conformity with the Principles and, where appropriate, that processing of the personal data of the individual who brought the complaint will cease. Sanctions need to be rigorous enough to ensure compliance by the organization with the Principles. A range of sanctions of varying degrees of severity will allow dispute resolution bodies to respond appropriately to varying degrees of non-compliance. Sanctions should include both publicity for findings of non-compliance and the requirement to delete data in certain circumstances. Other sanctions could include suspension and removal of a seal, compensation for individuals for losses incurred as a result of non-compliance and injunctive awards. Private sector dispute resolution bodies and self-regulatory bodies must notify failures of Privacy Shield organizations to comply with their rulings to the governmental body with applicable jurisdiction or to the courts, as appropriate, and to notify the Department. § III.11.e.i. {Department of Commerce} The result of any remedies provided by the dispute resolution body should be that the effects of non-compliance are reversed or corrected by the organization, insofar as feasible, and that future processing by the organization will be in conformity with the Principles and, where appropriate, that processing of the personal data of the individual who brought the complaint will cease. Sanctions need to be rigorous enough to ensure compliance by the organization with the Principles. A range of sanctions of varying degrees of severity will allow dispute resolution bodies to respond appropriately to varying degrees of non-compliance. Sanctions should include both publicity for findings of non-compliance and the requirement to delete data in certain circumstances. Other sanctions could include suspension and removal of a seal, compensation for individuals for losses incurred as a result of non-compliance and injunctive awards. Private sector dispute resolution bodies and self-regulatory bodies must notify failures of Privacy Shield organizations to comply with their rulings to the governmental body with applicable jurisdiction or to the courts, as appropriate, and to notify the Department. § III.11.e.i.] | Operational management | Process or Activity | |
| Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 | Privacy protection for information and data | Records Management | |
| Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 | Privacy protection for information and data | Records Management | |
| Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 [{Department of Commerce} When an organization leaves the Privacy Shield for any reason, it must remove all statements implying that the organization continues to participate in the Privacy Shield or is entitled to the benefits of the Privacy Shield. The EU-U.S. Privacy Shield certification mark, if used, must also be removed. Any misrepresentation to the general public concerning an organization's adherence to the Privacy Shield Principles may be actionable by the FTC or other relevant government body. Misrepresentations to the Department may be actionable under the False Statements Act (18 U.S.C. § 1001). § III.6.h.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 [{Department of Commerce} When an organization leaves the Privacy Shield for any reason, it must remove all statements implying that the organization continues to participate in the Privacy Shield or is entitled to the benefits of the Privacy Shield. The EU-U.S. Privacy Shield certification mark, if used, must also be removed. Any misrepresentation to the general public concerning an organization's adherence to the Privacy Shield Principles may be actionable by the FTC or other relevant government body. Misrepresentations to the Department may be actionable under the False Statements Act (18 U.S.C. § 1001). § III.6.h. {Department of Commerce} {adequate protection} An organization must subject to the Privacy Shield Principles all personal data received from the EU in reliance upon the Privacy Shield. The undertaking to adhere to the Privacy Shield Principles is not time-limited in respect of personal data received during the period in which the organization enjoys the benefits of the Privacy Shield. Its undertaking means that it will continue to apply the Principles to such data for as long as the organization stores, uses or discloses them, even if it subsequently leaves the Privacy Shield for any reason. An organization that withdraws from the Privacy Shield but wants to retain such data must affirm to the Department on an annual basis its commitment to continue to apply the Principles or provide "adequate" protection for the information by another authorized means (for example, using a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission); otherwise, the organization must return or delete the information. An organization that withdraws from the Privacy Shield must remove from any relevant privacy policy any references to the Privacy Shield that imply that the organization continues to actively participate in the Privacy Shield and is entitled to its benefits. § III.6.f.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate private communications when required by law. CC ID 14335 | Privacy protection for information and data | Communicate | |
| Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Privacy protection for information and data | Communicate | |
| Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Records Management | |
| Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Privacy protection for information and data | Communicate | |
| Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 | Privacy protection for information and data | Communicate | |
| Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 | Privacy protection for information and data | Communicate | |
| Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 | Privacy protection for information and data | Communicate | |
| Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Take appropriate action when a data leakage is discovered. CC ID 14716 | Privacy protection for information and data | Process or Activity | |
| Implement procedures to file privacy rights violation complaints. CC ID 00476 [Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum such mechanisms must include: § II.7.a. At a minimum such mechanisms must include: readily available independent recourse mechanisms by which each individual's complaints and disputes are investigated and expeditiously resolved at no cost to the individual and by reference to the Principles, and damages awarded where the applicable law or private-sector initiatives so provide; § II.7.a.i. Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i. Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i. Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i.] | Privacy protection for information and data | Data and Information Management | |
| File privacy rights violation complaints in writing. CC ID 00477 [Independent recourse mechanisms must include on their public websites information regarding the Privacy Shield Principles and the services that they provide under the Privacy Shield. This information must include: (1) information on or a link to the Privacy Shield Principles' requirements for independent recourse mechanisms; (2) a link to the Department's Privacy Shield website; (3) an explanation that their dispute resolution services under the Privacy Shield are free of charge to individuals; (4) a description of how a Privacy Shield-related complaint can be filed; (5) the timeframe in which Privacy Shield-related complaints are processed; and (6) a description of the range of potential remedies. § III.11.d.ii.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 [An organization must inform individuals about: the possibility, under certain conditions, for the individual to invoke binding arbitration, § II.1.a.xi. An organization must inform individuals about: the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the panel established by DPAs, (2) an alternative dispute resolution provider based in the EU, or (3) an alternative dispute resolution provider based in the United States, § II.1.a.ix. Where the organization has chosen outside compliance review, such a review must demonstrate that its privacy policy regarding personal information received from the EU conforms to the Privacy Shield Principles, that it is being complied with, and that individuals are informed of the mechanisms through which they may pursue complaints. The methods of review may include, without limitation, auditing, random reviews, use of "decoys", or use of technology tools as appropriate. A statement verifying that an outside compliance review has been successfully completed must be signed either by the reviewer or by the corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about compliance. § III.7.d. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c.] | Privacy protection for information and data | Behavior | |
| File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 | Privacy protection for information and data | Behavior | |
| Change or destroy any personal data that is incorrect. CC ID 00462 | Privacy protection for information and data | Data and Information Management | |
| Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 [{Department of Commerce} In order to help ensure compliance with their Privacy Shield commitments and to support the administration of the program, organizations, as well as their independent recourse mechanisms, must provide information relating to the Privacy Shield when requested by the Department. In addition, organizations must respond expeditiously to complaints regarding their compliance with the Principles referred through the Department by DPAs. The response should address whether the complaint has merit and, if so, how the organization will rectify the problem. The Department will protect the confidentiality of information it receives in accordance with U.S. law. § III.11.c.] | Privacy protection for information and data | Behavior | |
| Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Privacy protection for information and data | Data and Information Management | |
| Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 | Privacy protection for information and data | Behavior | |
| Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 | Privacy protection for information and data | Behavior | |
| Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 [To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles; (iv) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (v) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request. § II.3.b.] | Privacy protection for information and data | Data and Information Management | |
| Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 | Privacy protection for information and data | Business Processes | |
| Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 | Privacy protection for information and data | Communicate | |
| Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 | Privacy protection for information and data | Behavior | |
| Order the organization to change to be in compliance with applicable law. CC ID 00499 | Privacy protection for information and data | Behavior | |
| Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 | Privacy protection for information and data | Behavior | |
| Award damages based on applicable law. CC ID 00501 | Privacy protection for information and data | Behavior | |
| Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 [{persistent failure to comply}{Department of Commerce} If an organization persistently fails to comply with the Principles, it is no longer entitled to benefit from the Privacy Shield. Organizations that have persistently failed to comply with the Principles will be removed from the Privacy Shield List by the Department and must return or delete the personal information they received under the Privacy Shield. § III.11.g.i.] | Privacy protection for information and data | Data and Information Management | |
Detective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Test compliance controls for proper functionality. CC ID 00660 [Organizations must provide follow up procedures for verifying that the attestations and assertions they make about their Privacy Shield privacy practices are true and those privacy practices have been implemented as represented and in accordance with the Privacy Shield Principles. § III.7.a. Organizations must provide follow up procedures for verifying that the attestations and assertions they make about their Privacy Shield privacy practices are true and those privacy practices have been implemented as represented and in accordance with the Privacy Shield Principles. § III.7.a. At a minimum such mechanisms must include: follow-up procedures for verifying that the attestations and assertions organizations make about their privacy practices are true and that privacy practices have been implemented as presented and, in particular, with regard to cases of non-compliance; and § II.7.a.ii.] | Monitoring and measurement | Testing | |
| Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Monitoring and measurement | Actionable Reports or Measurements | |
| Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Monitoring and measurement | Business Processes | |
| Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Monitoring and measurement | Investigate | |
| Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Monitoring and measurement | Investigate | |
| Report on the policies and controls that have been implemented by management. CC ID 01670 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of security management roles that have been assigned. CC ID 01671 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of individuals who have access to security software, are trained, and authorized Security Administrators. CC ID 01691 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of individuals who are able to assign security privileges, are trained, and authorized Security Administrators. CC ID 01692 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems with approved System Security Plans. CC ID 02145 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of servers located in controlled access areas. CC ID 02067 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of unique active user identifiers. CC ID 02074 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of active user passwords that are set to expire. CC ID 02087 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of users with access to shared accounts. CC ID 04573 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems where the authority to make configuration changes are limited. CC ID 02101 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Monitoring and measurement | Log Management | |
| Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Monitoring and measurement | Log Management | |
| Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Monitoring and measurement | Log Management | |
| Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of laptops and mobile devices that are needing to be in compliance with the approved configuration standard before granting network access. CC ID 02106 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of servers that employ automated system security tools. CC ID 02111 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems with all approved patches installed. CC ID 02113 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the mean time from patch availability to patch installation. CC ID 02114 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 | Monitoring and measurement | Actionable Reports or Measurements | |
| Establish, implement, and maintain a network activity baseline. CC ID 13188 | Monitoring and measurement | Technical Security | |
| Report on the percentage of systems configured according to the configuration standard. CC ID 02116 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of backup media stored off site in secure storage. CC ID 02122 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Monitoring and measurement | Actionable Reports or Measurements | |
| Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Operational management | Process or Activity | |
| Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Operational management | Process or Activity | |
| Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Operational management | Process or Activity | |
| Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Establish/Maintain Documentation | |
| Require a data protection impact assessment when profiling the data subject. CC ID 12680 | Privacy protection for information and data | Process or Activity | |
| Document privacy policies in clearly written and easily understood language. CC ID 00376 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 | Privacy protection for information and data | Behavior | |
| Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 [Access may not be refused on cost grounds if the individual offers to pay the costs. § III.8.f.iii.] | Privacy protection for information and data | Behavior | |
| Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 | Privacy protection for information and data | Process or Activity | |
| Analyze requirements for processing personal data in contracts. CC ID 12550 | Privacy protection for information and data | Investigate | |
| Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Privacy protection for information and data | Data and Information Management | |
| Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 | Privacy protection for information and data | Business Processes | |
| Confirm the data quality of personal data collected from third parties. CC ID 13510 | Privacy protection for information and data | Investigate | |
| Review the methods for collecting personal data, as necessary. CC ID 13511 | Privacy protection for information and data | Investigate | |
| Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Testing | |
| Conduct personal data risk assessments. CC ID 00357 [{unauthorized disclosure}{unauthorized alteration}{unauthorized destruction} Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data. § II.4.a.] | Privacy protection for information and data | Testing | |
| Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Data and Information Management | |
| Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Investigate | |
| Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Behavior | |
| Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Data and Information Management | |
| Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Log Management | |
| Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Log Management | |
| Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Data and Information Management | |
| Search the Internet for evidence of data leakage. CC ID 10419 | Privacy protection for information and data | Process or Activity | |
| Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Conduct internal data processing audits. CC ID 00374 | Privacy protection for information and data | Testing | |
| Review compliance with the organization's privacy objectives. CC ID 13490 | Privacy protection for information and data | Human Resources Management | |
| Investigate privacy rights violation complaints. CC ID 00480 [{Department of Commerce} Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department. Organizations that have chosen to cooperate with DPAs, including organizations that process human resources data, must respond directly to such authorities with regard to the investigation and resolution of complaints § II.7.b. {comply}{privacy rights violation complaint}{legal authority} The Recourse, Enforcement and Liability Principle sets out the requirements for Privacy Shield enforcement. How to meet the requirements of point (a)(ii) of the Principle is set out in the Supplemental Principle on Verification. This Supplemental Principle addresses points (a)(i) and (a)(iii), both of which require independent recourse mechanisms. These mechanisms may take different forms, but they must meet the Recourse, Enforcement and Liability Principle's requirements. Organizations satisfy the requirements through the following: (i) compliance with private sector developed privacy programs that incorporate the Privacy Shield Principles into their rules and that include effective enforcement mechanisms of the type described in the Recourse, Enforcement and Liability Principle; (ii) compliance with legal or regulatory supervisory authorities that provide for handling of individual complaints and dispute resolution; or (iii) commitment to cooperate with data protection authorities located in the European Union or their authorized representatives. § III.11.a. {Department of Commerce} In order to help ensure compliance with their Privacy Shield commitments and to support the administration of the program, organizations, as well as their independent recourse mechanisms, must provide information relating to the Privacy Shield when requested by the Department. In addition, organizations must respond expeditiously to complaints regarding their compliance with the Principles referred through the Department by DPAs. The response should address whether the complaint has merit and, if so, how the organization will rectify the problem. The Department will protect the confidentiality of information it receives in accordance with U.S. law. § III.11.c. Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i. Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i. Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i.] | Privacy protection for information and data | Behavior | |
| Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 | Privacy protection for information and data | Behavior | |
| Investigate privacy rights violation complaints in private. CC ID 00492 | Privacy protection for information and data | Behavior | |
| Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 [{Department of Commerce} Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department. Organizations that have chosen to cooperate with DPAs, including organizations that process human resources data, must respond directly to such authorities with regard to the investigation and resolution of complaints § II.7.b. {unfair act or practice}{deceptive act or practice}{Department of Commerce} Organizations must retain their records on the implementation of their Privacy Shield privacy practices and make them available upon request in the context of an investigation or a complaint about non-compliance to the independent body responsible for investigating complaints or to the agency with unfair and deceptive practices jurisdiction. Organizations must also respond promptly to inquiries and other requests for information from the Department relating to the organization's adherence to the Principles. § III.7.e. {Department of Commerce} In order to help ensure compliance with their Privacy Shield commitments and to support the administration of the program, organizations, as well as their independent recourse mechanisms, must provide information relating to the Privacy Shield when requested by the Department. In addition, organizations must respond expeditiously to complaints regarding their compliance with the Principles referred through the Department by DPAs. The response should address whether the complaint has merit and, if so, how the organization will rectify the problem. The Department will protect the confidentiality of information it receives in accordance with U.S. law. § III.11.c. Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i.] | Privacy protection for information and data | Behavior | |
| Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 | Privacy protection for information and data | Behavior | |
| Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 [As set forth in Annex I, an arbitration option is available to an individual to determine, for residual claims, whether a Privacy Shield organization has violated its obligations under the Principles as to that individual, and whether any such violation remains fully or partially unremedied. This option is available only for these purposes. This option is not available, for example, with respect to the exceptions to the Principles or with respect to an allegation about the adequacy of the Privacy Shield. Under this arbitration option, the Privacy Shield Panel (consisting of one or three arbitrators, as agreed by the parties) has the authority to impose individual-specific, non-monetary equitable relief (such as access, correction, deletion, or return of the individual's data in question) necessary to remedy the violation of the Principles only with respect to the individual. Individuals and Privacy Shield organizations will be able to seek judicial review and enforcement of the arbitral decisions pursuant to U.S. law under the Federal Arbitration Act. § III.11.d.iv.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 | Privacy protection for information and data | Testing | |
| Record restricted data correctly. CC ID 00089 [{Security Principle}(Data Integrity and Purpose Limitation Principle} {Recourse, Enforcement and Liability Principle} An organization must apply the Privacy Shield Principles of Security, Data Integrity and Purpose Limitation, and Recourse, Enforcement and Liability to personal data from publicly available sources. These Principles shall apply also to personal data collected from public records, i.e., those records kept by government agencies or entities at any level that are open to consultation by the public in general. § III.15.a.] | Privacy protection for information and data | Testing | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [By derogation to the previous paragraph, it is not necessary to provide choice when disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of and under the instructions of the organization. However, an organization shall always enter into a contract with the agent. § II.2.b.] | Third Party and supply chain oversight | Process or Activity | |
| Include a termination provision clause in third party contracts. CC ID 01367 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include third party requirements for personnel security in third party contracts. CC ID 00790 | Third Party and supply chain oversight | Testing | |
| Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Third Party and supply chain oversight | Testing | |
| Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Third Party and supply chain oversight | Testing | |
| Establish the third party's service continuity. CC ID 00797 | Third Party and supply chain oversight | Testing | |
| Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Third Party and supply chain oversight | Testing | |
| Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Third Party and supply chain oversight | Data and Information Management | |
| Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Third Party and supply chain oversight | Testing | |
| Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359 [{Department of Commerce} To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles; (iv) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (v) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request. § II.3.b.] | Third Party and supply chain oversight | Testing | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
| Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
| Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
| Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| Records management CC ID 00902 | Records management | IT Impact Zone | |
| Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
| Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
Preventive | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the effective date on all organizational policies. CC ID 06820 [description of the organization's privacy policy for such personal information, including: its effective date of implementation; § III.6.b.iii.2.] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a risk monitoring program. CC ID 00658 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a compliance testing strategy. CC ID 00659 [To meet the verification requirements of the Recourse, Enforcement and Liability Principle, an organization must verify such attestations and assertions either through self-assessment or outside compliance reviews. § III.7.b. To meet the verification requirements of the Recourse, Enforcement and Liability Principle, an organization must verify such attestations and assertions either through self-assessment or outside compliance reviews. § III.7.b. Where the organization has chosen outside compliance review, such a review must demonstrate that its privacy policy regarding personal information received from the EU conforms to the Privacy Shield Principles, that it is being complied with, and that individuals are informed of the mechanisms through which they may pursue complaints. The methods of review may include, without limitation, auditing, random reviews, use of "decoys", or use of technology tools as appropriate. A statement verifying that an outside compliance review has been successfully completed must be signed either by the reviewer or by the corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about compliance. § III.7.d. Where the organization has chosen outside compliance review, such a review must demonstrate that its privacy policy regarding personal information received from the EU conforms to the Privacy Shield Principles, that it is being complied with, and that individuals are informed of the mechanisms through which they may pursue complaints. The methods of review may include, without limitation, auditing, random reviews, use of "decoys", or use of technology tools as appropriate. A statement verifying that an outside compliance review has been successfully completed must be signed either by the reviewer or by the corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about compliance. § III.7.d. At a minimum such mechanisms must include: follow-up procedures for verifying that the attestations and assertions organizations make about their privacy practices are true and that privacy practices have been implemented as presented and, in particular, with regard to cases of non-compliance; and § II.7.a.ii. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c.] | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 | Monitoring and measurement | Testing | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [{is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c.] | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain risk management metrics. CC ID 01656 | Monitoring and measurement | Establish/Maintain Documentation | |
| Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 | Monitoring and measurement | Business Processes | |
| Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Monitoring and measurement | Audits and Risk Management | |
| Identify and document instances of non-compliance with the compliance framework. CC ID 06499 | Monitoring and measurement | Establish/Maintain Documentation | |
| Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Monitoring and measurement | Establish/Maintain Documentation | |
| Align disciplinary actions with the level of compliance violation. CC ID 12404 [Dispute resolution bodies have discretion about the circumstances in which they use these sanctions. The sensitivity of the data concerned is one factor to be taken into consideration in deciding whether deletion of data should be required, as is whether an organization has collected, used, or disclosed information in blatant contravention of the Privacy Shield Principles. § III.11.e.i. Footnote 3 Dispute resolution bodies have discretion about the circumstances in which they use these sanctions. The sensitivity of the data concerned is one factor to be taken into consideration in deciding whether deletion of data should be required, as is whether an organization has collected, used, or disclosed information in blatant contravention of the Privacy Shield Principles. § III.11.e.i. Footnote 3] | Monitoring and measurement | Human Resources Management | |
| Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Establish/Maintain Documentation | |
| Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Communicate | |
| Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain a security program metrics program. CC ID 01660 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Monitoring and measurement | Establish/Maintain Documentation | |
| Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Monitoring and measurement | Actionable Reports or Measurements | |
| Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain an audit metrics program. CC ID 01664 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a metrics standard and template. CC ID 02157 | Monitoring and measurement | Establish/Maintain Documentation | |
| Monitor compliance with the Quality Control system. CC ID 01023 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of complaints received about products or delivered services. CC ID 07199 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 | Monitoring and measurement | Actionable Reports or Measurements | |
| Establish, implement, and maintain occupational health and safety management metrics program. CC ID 15915 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 | Monitoring and measurement | Establish/Maintain Documentation | |
| Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain a physical environment metrics program. CC ID 02063 | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain a privacy metrics program. CC ID 15494 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 | Monitoring and measurement | Actionable Reports or Measurements | |
| Establish, implement, and maintain waste management metrics. CC ID 16152 | Monitoring and measurement | Actionable Reports or Measurements | |
| Establish, implement, and maintain emissions management metrics. CC ID 16145 | Monitoring and measurement | Actionable Reports or Measurements | |
| Establish, implement, and maintain financial management metrics. CC ID 16749 | Monitoring and measurement | Actionable Reports or Measurements | |
| Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain a user account management metrics program. CC ID 02075 | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 | Monitoring and measurement | Actionable Reports or Measurements | |
| Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 | Monitoring and measurement | Log Management | |
| Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain a software change management metrics program. CC ID 02081 | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Monitoring and measurement | Business Processes | |
| Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Monitoring and measurement | Communicate | |
| Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 | Monitoring and measurement | Establish/Maintain Documentation | |
| Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 | Monitoring and measurement | Actionable Reports or Measurements | |
| Establish, implement, and maintain a log management program. CC ID 00673 | Monitoring and measurement | Establish/Maintain Documentation | |
| Deploy log normalization tools, as necessary. CC ID 12141 | Monitoring and measurement | Technical Security | |
| Restrict access to logs to authorized individuals. CC ID 01342 | Monitoring and measurement | Log Management | |
| Restrict access to audit trails to a need to know basis. CC ID 11641 | Monitoring and measurement | Technical Security | |
| Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Monitoring and measurement | Log Management | |
| Back up audit trails according to backup procedures. CC ID 11642 | Monitoring and measurement | Systems Continuity | |
| Back up logs according to backup procedures. CC ID 01344 | Monitoring and measurement | Log Management | |
| Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Monitoring and measurement | Log Management | |
| Identify hosts with logs that are not being stored. CC ID 06314 | Monitoring and measurement | Log Management | |
| Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Monitoring and measurement | Log Management | |
| Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Monitoring and measurement | Log Management | |
| Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Monitoring and measurement | Log Management | |
| Protect logs from unauthorized activity. CC ID 01345 | Monitoring and measurement | Log Management | |
| Perform testing and validating activities on all logs. CC ID 06322 | Monitoring and measurement | Log Management | |
| Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Monitoring and measurement | Log Management | |
| Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Monitoring and measurement | Configuration | |
| Preserve the identity of individuals in audit trails. CC ID 10594 | Monitoring and measurement | Log Management | |
| Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Monitoring and measurement | Establish/Maintain Documentation | |
| Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Monitoring and measurement | Audits and Risk Management | |
| Establish, implement, and maintain a Statement of Compliance. CC ID 12499 | Audits and risk management | Establish/Maintain Documentation | |
| Include a commitment to comply with recommendations from applicable statutory bodies in the Statement of Compliance. CC ID 12371 [{Department of Commerce} Where the organization wishes its Privacy Shield benefits to cover human resources information transferred from the EU for use in the context of the employment relationship, it may do so where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear claims against the organization arising out of the processing of human resources information. In addition, the organization must indicate this in its self-certification submission and declare its commitment to cooperate with the EU authority or authorities concerned in conformity with the Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities as applicable and that it will comply with the advice given by such authorities. The organization must also provide the Department with a copy of its human resources privacy policy and provide information where the privacy policy is available for viewing by its affected employees. § III.6.c.] | Audits and risk management | Establish/Maintain Documentation | |
| Publish a Statement of Compliance for the organization's external requirements. CC ID 12350 [{self-certification submission} The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self- certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. Where the organization has chosen outside compliance review, such a review must demonstrate that its privacy policy regarding personal information received from the EU conforms to the Privacy Shield Principles, that it is being complied with, and that individuals are informed of the mechanisms through which they may pursue complaints. The methods of review may include, without limitation, auditing, random reviews, use of "decoys", or use of technology tools as appropriate. A statement verifying that an outside compliance review has been successfully completed must be signed either by the reviewer or by the corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about compliance. § III.7.d. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c. The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self-certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self-certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. Independent recourse mechanisms must publish an annual report providing aggregate statistics regarding their dispute resolution services. The annual report must include: (1) the total number of Privacy Shield-related complaints received during the reporting year; (2) the types of complaints received; (3) dispute resolution quality measures, such as the length of time taken to process complaints; and (4) the outcomes of the complaints received, notably the number and types of remedies or sanctions imposed. § III.11.d.iii. {Department of Commerce} Persistent failure to comply arises where an organization that has self-certified to the Department refuses to comply with a final determination by any privacy self-regulatory, independent dispute resolution, or government body, or where such a body determines that an organization frequently fails to comply with the Principles to the point where its claim to comply is no longer credible. In these cases, the organization must promptly notify the Department of such facts. Failure to do so may be actionable under the False Statements Act (18 U.S.C. § 1001). An organization's withdrawal from a private-sector privacy self-regulatory program or independent dispute resolution mechanism does not relieve it of its obligation to comply with the Principles and would constitute a persistent failure to comply. § III.11.g.ii. {Department of Commerce} The result of any remedies provided by the dispute resolution body should be that the effects of non-compliance are reversed or corrected by the organization, insofar as feasible, and that future processing by the organization will be in conformity with the Principles and, where appropriate, that processing of the personal data of the individual who brought the complaint will cease. Sanctions need to be rigorous enough to ensure compliance by the organization with the Principles. A range of sanctions of varying degrees of severity will allow dispute resolution bodies to respond appropriately to varying degrees of non-compliance. Sanctions should include both publicity for findings of non-compliance and the requirement to delete data in certain circumstances. Other sanctions could include suspension and removal of a seal, compensation for individuals for losses incurred as a result of non-compliance and injunctive awards. Private sector dispute resolution bodies and self-regulatory bodies must notify failures of Privacy Shield organizations to comply with their rulings to the governmental body with applicable jurisdiction or to the courts, as appropriate, and to notify the Department. § III.11.e.i. {Department of Commerce} The result of any remedies provided by the dispute resolution body should be that the effects of non-compliance are reversed or corrected by the organization, insofar as feasible, and that future processing by the organization will be in conformity with the Principles and, where appropriate, that processing of the personal data of the individual who brought the complaint will cease. Sanctions need to be rigorous enough to ensure compliance by the organization with the Principles. A range of sanctions of varying degrees of severity will allow dispute resolution bodies to respond appropriately to varying degrees of non-compliance. Sanctions should include both publicity for findings of non-compliance and the requirement to delete data in certain circumstances. Other sanctions could include suspension and removal of a seal, compensation for individuals for losses incurred as a result of non-compliance and injunctive awards. Private sector dispute resolution bodies and self-regulatory bodies must notify failures of Privacy Shield organizations to comply with their rulings to the governmental body with applicable jurisdiction or to the courts, as appropriate, and to notify the Department. § III.11.e.i. {law enforcement reasons} In order to provide transparency in respect of lawful requests by public authorities to access personal information, Privacy Shield organizations may voluntarily issue periodic transparency reports on the number of requests for personal information they receive by public authorities for law enforcement or national security reasons, to the extent such disclosures are permissible under applicable law. § III.16.a.] | Audits and risk management | Communicate | |
| Include a commitment to cooperate with applicable statutory bodies in the Statement of Compliance. CC ID 12370 [{Department of Commerce} Where the organization wishes its Privacy Shield benefits to cover human resources information transferred from the EU for use in the context of the employment relationship, it may do so where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear claims against the organization arising out of the processing of human resources information. In addition, the organization must indicate this in its self-certification submission and declare its commitment to cooperate with the EU authority or authorities concerned in conformity with the Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities as applicable and that it will comply with the advice given by such authorities. The organization must also provide the Department with a copy of its human resources privacy policy and provide information where the privacy policy is available for viewing by its affected employees. § III.6.c.] | Audits and risk management | Establish/Maintain Documentation | |
| Include the statutory bodies having jurisdiction over privacy rights violations in the Statement of Compliance. CC ID 12369 [{Department of Commerce} Where the organization wishes its Privacy Shield benefits to cover human resources information transferred from the EU for use in the context of the employment relationship, it may do so where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear claims against the organization arising out of the processing of human resources information. In addition, the organization must indicate this in its self-certification submission and declare its commitment to cooperate with the EU authority or authorities concerned in conformity with the Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities as applicable and that it will comply with the advice given by such authorities. The organization must also provide the Department with a copy of its human resources privacy policy and provide information where the privacy policy is available for viewing by its affected employees. § III.6.c.] | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of the organization's privacy policy in the Statement of Compliance. CC ID 12362 [To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information: description of the organization's privacy policy for such personal information, including: § III.6.b.iii. The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self-certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d.] | Audits and risk management | Establish/Maintain Documentation | |
| Include the privacy programs the organization is a member of in the Statement of Compliance. CC ID 16818 | Audits and risk management | Actionable Reports or Measurements | |
| Include the outcomes of privacy rights violation complaints received in the Statement of Compliance. CC ID 12534 [Independent recourse mechanisms must publish an annual report providing aggregate statistics regarding their dispute resolution services. The annual report must include: (1) the total number of Privacy Shield-related complaints received during the reporting year; (2) the types of complaints received; (3) dispute resolution quality measures, such as the length of time taken to process complaints; and (4) the outcomes of the complaints received, notably the number and types of remedies or sanctions imposed. § III.11.d.iii.] | Audits and risk management | Establish/Maintain Documentation | |
| Include dispute resolution quality measures in the Statement of Compliance. CC ID 12533 [Independent recourse mechanisms must publish an annual report providing aggregate statistics regarding their dispute resolution services. The annual report must include: (1) the total number of Privacy Shield-related complaints received during the reporting year; (2) the types of complaints received; (3) dispute resolution quality measures, such as the length of time taken to process complaints; and (4) the outcomes of the complaints received, notably the number and types of remedies or sanctions imposed. § III.11.d.iii.] | Audits and risk management | Establish/Maintain Documentation | |
| Include the type of privacy rights violation complaints received in the Statement of Compliance. CC ID 12532 [Independent recourse mechanisms must publish an annual report providing aggregate statistics regarding their dispute resolution services. The annual report must include: (1) the total number of Privacy Shield-related complaints received during the reporting year; (2) the types of complaints received; (3) dispute resolution quality measures, such as the length of time taken to process complaints; and (4) the outcomes of the complaints received, notably the number and types of remedies or sanctions imposed. § III.11.d.iii.] | Audits and risk management | Establish/Maintain Documentation | |
| Include the number of privacy rights violation complaints received in the Statement of Compliance. CC ID 12530 [Independent recourse mechanisms must publish an annual report providing aggregate statistics regarding their dispute resolution services. The annual report must include: (1) the total number of Privacy Shield-related complaints received during the reporting year; (2) the types of complaints received; (3) dispute resolution quality measures, such as the length of time taken to process complaints; and (4) the outcomes of the complaints received, notably the number and types of remedies or sanctions imposed. § III.11.d.iii.] | Audits and risk management | Establish/Maintain Documentation | |
| Include the organization's fax number in the Statement of Compliance. CC ID 12361 [{telephone number} To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information: name of organization, mailing address, e-mail address, telephone, and fax numbers; § III.6.b.i.] | Audits and risk management | Establish/Maintain Documentation | |
| Include the organization's telephone number in the Statement of Compliance. CC ID 12360 [{telephone number} To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information: name of organization, mailing address, e-mail address, telephone, and fax numbers; § III.6.b.i.] | Audits and risk management | Establish/Maintain Documentation | |
| Include the organization's e-mail address in the Statement of Compliance. CC ID 12359 [{telephone number} To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information: name of organization, mailing address, e-mail address, telephone, and fax numbers; § III.6.b.i.] | Audits and risk management | Establish/Maintain Documentation | |
| Include the organization's name in the Statement of Compliance. CC ID 12351 [{telephone number} To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information: name of organization, mailing address, e-mail address, telephone, and fax numbers; § III.6.b.i.] | Audits and risk management | Establish/Maintain Documentation | |
| Include the organization's mailing address in the Statement of Compliance. CC ID 12358 [{telephone number} To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information: name of organization, mailing address, e-mail address, telephone, and fax numbers; § III.6.b.i.] | Audits and risk management | Establish/Maintain Documentation | |
| Describe how the organization processes personal data in the Statement of Compliance. CC ID 12377 [To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information: description of the activities of the organization with respect to personal information received from the EU; and § III.6.b.ii.] | Audits and risk management | Establish/Maintain Documentation | |
| Approve and sign the Statement of Compliance. CC ID 12392 [Where the organization has chosen outside compliance review, such a review must demonstrate that its privacy policy regarding personal information received from the EU conforms to the Privacy Shield Principles, that it is being complied with, and that individuals are informed of the mechanisms through which they may pursue complaints. The methods of review may include, without limitation, auditing, random reviews, use of "decoys", or use of technology tools as appropriate. A statement verifying that an outside compliance review has been successfully completed must be signed either by the reviewer or by the corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about compliance. § III.7.d.] | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Establish Roles | |
| Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [{is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c.] | Human Resources management | Establish Roles | |
| Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources management | Human Resources Management | |
| Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Human Resources management | Establish/Maintain Documentation | |
| Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources management | Human Resources Management | |
| Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Human Resources management | Establish/Maintain Documentation | |
| Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Human Resources management | Establish/Maintain Documentation | |
| Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources management | Human Resources Management | |
| Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources management | Human Resources Management | |
| Assign senior management to the role of authorizing official. CC ID 14238 | Human Resources management | Establish Roles | |
| Assign members who are independent from management to the Board of Directors. CC ID 12395 | Human Resources management | Human Resources Management | |
| Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 | Human Resources management | Human Resources Management | |
| Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources management | Human Resources Management | |
| Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 | Human Resources management | Establish/Maintain Documentation | |
| Refrain from using employees' privacy choices to restrict employment. CC ID 12425 [{Notice Principle}{Choice Principle} A U.S. organization that has received employee information from the EU under the Privacy Shield may disclose it to third parties or use it for different purposes only in accordance with the Notice and Choice Principles. For example, where an organization intends to use personal information collected through the employment relationship for non-employment-related purposes, such as marketing communications, the U.S. organization must provide the affected individuals with the requisite choice before doing so, unless they have already authorized the use of the information for such purposes. Moreover, such choices must not be used to restrict employment opportunities or take any punitive action against such employees. § III.9.b.i. {Notice Principle}{Choice Principle} A U.S. organization that has received employee information from the EU under the Privacy Shield may disclose it to third parties or use it for different purposes only in accordance with the Notice and Choice Principles. For example, where an organization intends to use personal information collected through the employment relationship for non-employment-related purposes, such as marketing communications, the U.S. organization must provide the affected individuals with the requisite choice before doing so, unless they have already authorized the use of the information for such purposes. Moreover, such choices must not be used to restrict employment opportunities or take any punitive action against such employees. § III.9.b.i.] | Human Resources management | Human Resources Management | |
| Establish, implement, and maintain a Code of Conduct. CC ID 04897 | Human Resources management | Establish/Maintain Documentation | |
| Take disciplinary actions against individuals who violate the Code of Conduct. CC ID 06435 [{Department of Commerce} The result of any remedies provided by the dispute resolution body should be that the effects of non-compliance are reversed or corrected by the organization, insofar as feasible, and that future processing by the organization will be in conformity with the Principles and, where appropriate, that processing of the personal data of the individual who brought the complaint will cease. Sanctions need to be rigorous enough to ensure compliance by the organization with the Principles. A range of sanctions of varying degrees of severity will allow dispute resolution bodies to respond appropriately to varying degrees of non-compliance. Sanctions should include both publicity for findings of non-compliance and the requirement to delete data in certain circumstances. Other sanctions could include suspension and removal of a seal, compensation for individuals for losses incurred as a result of non-compliance and injunctive awards. Private sector dispute resolution bodies and self-regulatory bodies must notify failures of Privacy Shield organizations to comply with their rulings to the governmental body with applicable jurisdiction or to the courts, as appropriate, and to notify the Department. § III.11.e.i.] | Human Resources management | Behavior | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Establish/Maintain Documentation | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 [{comply}{privacy rights violation complaint}{legal authority} The Recourse, Enforcement and Liability Principle sets out the requirements for Privacy Shield enforcement. How to meet the requirements of point (a)(ii) of the Principle is set out in the Supplemental Principle on Verification. This Supplemental Principle addresses points (a)(i) and (a)(iii), both of which require independent recourse mechanisms. These mechanisms may take different forms, but they must meet the Recourse, Enforcement and Liability Principle's requirements. Organizations satisfy the requirements through the following: (i) compliance with private sector developed privacy programs that incorporate the Privacy Shield Principles into their rules and that include effective enforcement mechanisms of the type described in the Recourse, Enforcement and Liability Principle; (ii) compliance with legal or regulatory supervisory authorities that provide for handling of individual complaints and dispute resolution; or (iii) commitment to cooperate with data protection authorities located in the European Union or their authorized representatives. § III.11.a. {comply}{privacy rights violation complaint}{legal authority} The Recourse, Enforcement and Liability Principle sets out the requirements for Privacy Shield enforcement. How to meet the requirements of point (a)(ii) of the Principle is set out in the Supplemental Principle on Verification. This Supplemental Principle addresses points (a)(i) and (a)(iii), both of which require independent recourse mechanisms. These mechanisms may take different forms, but they must meet the Recourse, Enforcement and Liability Principle's requirements. Organizations satisfy the requirements through the following: (i) compliance with private sector developed privacy programs that incorporate the Privacy Shield Principles into their rules and that include effective enforcement mechanisms of the type described in the Recourse, Enforcement and Liability Principle; (ii) compliance with legal or regulatory supervisory authorities that provide for handling of individual complaints and dispute resolution; or (iii) commitment to cooperate with data protection authorities located in the European Union or their authorized representatives. § III.11.a. Airline passenger reservation and other travel information, such as frequent flyer or hotel reservation information and special handling needs, such as meals to meet religious requirements or physical assistance, may be transferred to organizations located outside the EU in several different circumstances. Under Article 26 of the Directive, personal data may be transferred "to a third country which does not ensure an adequate level of protection within the meaning of Article 25(2)" on the condition that it (i) is necessary to provide the services requested by the consumer or to fulfill the terms of an agreement, such as a "frequent flyer" agreement; or (ii) has been unambiguously consented to by the consumer. U.S. organizations subscribing to the Privacy Shield provide adequate protection for personal data and may therefore receive data transfers from the EU without meeting these conditions or other conditions set out in Article 26 of the Directive. Since the Privacy Shield includes specific rules for sensitive information, such information (which may need to be collected, for example, in connection with customers' needs for physical assistance) may be included in transfers to Privacy Shield participants. In all cases, however, the organization transferring the information has to respect the law in the EU Member State in which it is operating, which may inter alia impose special conditions for the handling of sensitive data. § III.13.a. Organizations are obligated to arbitrate claims and follow the terms as set forth in Annex I, provided that an individual has invoked binding arbitration by delivering notice to the organization at issue and following the procedures and subject to conditions set forth in Annex I. § II.7.c.] | Operational management | Business Processes | |
| Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821 | Operational management | Process or Activity | |
| Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Process or Activity | |
| Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Operational management | Process or Activity | |
| Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Operational management | Process or Activity | |
| Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Operational management | Process or Activity | |
| Analyze the organizational culture. CC ID 12899 | Operational management | Process or Activity | |
| Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Behavior | |
| Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Business Processes | |
| Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Business Processes | |
| Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Business Processes | |
| Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Behavior | |
| Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Behavior | |
| Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Business Processes | |
| Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Behavior | |
| Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Behavior | |
| Comply with all implemented policies in the organization's compliance framework. CC ID 06384 | Operational management | Establish/Maintain Documentation | |
| Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Operational management | Communicate | |
| Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Business Processes | |
| Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 | Operational management | Behavior | |
| Document the organization's local environments. CC ID 06726 [Given U.S. constitutional protections for freedom of the press and the Directive's exemption for journalistic material, where the rights of a free press embodied in the First Amendment of the U.S. Constitution intersect with privacy protection interests, the First Amendment must govern the balancing of these interests with regard to the activities of U.S. persons or organizations. § III.2.a. Privacy Shield benefits are assured from the date on which the Department has placed the organization's self-certification submission on the Privacy Shield List after having determined that the submission is complete. § III.6.a. The Privacy Shield Principles are relevant only when individually identified records are transferred or accessed. Statistical reporting relying on aggregate employment data and containing no personal data or the use of anonymized data does not raise privacy concerns. § III.9.a.ii. The FTC has committed to reviewing on a priority basis referrals alleging non-compliance with the Principles received from: (i) privacy self-regulatory organizations and other independent dispute resolution bodies; (ii) EU Member States; and (iii) the Department, to determine whether Section 5 of the FTC Act prohibiting unfair or deceptive acts or practices in commerce has been violated. If the FTC concludes that it has reason to believe Section 5 has been violated, it may resolve the matter by seeking an administrative cease and desist order prohibiting the challenged practices or by filing a complaint in a federal district court, which if successful could result in a federal court order to same effect. This includes false claims of adherence to the Privacy Shield Principles or participation in the Privacy Shield by organizations, which either are no longer on the Privacy Shield List or have never self-certified to the Department. The FTC may obtain civil penalties for violations of an administrative cease and desist order and may pursue civil or criminal contempt for violation of a federal court order. The FTC will notify the Department of any such actions it takes. The Department encourages other government bodies to notify it of the final disposition of any such referrals or other rulings determining adherence to the Privacy Shield Principles. § III.11.f.ii. Where an organization is found to have intentionally made personal information public in contravention of the Principles so that it or others may benefit from these exceptions, it will cease to qualify for the benefits of the Privacy Shield. § III.15.c. The information provided by the Privacy Shield organizations in these reports together with information that has been released by the intelligence community, along with other information, can be used to inform the annual joint review of the functioning of the Privacy Shield in accordance with the Principles. § III.16.b. The activities of auditors and investment bankers may involve processing personal data without the consent or knowledge of the individual. This is permitted by the Notice, Choice, and Access Principles under the circumstances described below. § III.4.a. Because adequate protection is provided by Privacy Shield participants, contracts with Privacy Shield participants for mere processing do not require prior authorization (or such authorization will be granted automatically by the EU Member States), as would be required for contracts with recipients not participating in the Privacy Shield or otherwise not providing adequate protection. § III.10.a.iii. The Department will remove an organization from the Privacy Shield List in response to any notification it receives of persistent failure to comply, whether it is received from the organization itself, from a privacy self-regulatory body or another independent dispute resolution body, or from a government body, but only after first providing 30 days' notice and an opportunity to respond to the organization that has failed to comply. Accordingly, the Privacy Shield List maintained by the Department will make clear which organizations are assured and which organizations are no longer assured of Privacy Shield benefits. § III.11.g.iii.] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain local environment security profiles. CC ID 07037 | Operational management | Establish/Maintain Documentation | |
| Include individuals assigned to the local environment in the local environment security profile. CC ID 07038 | Operational management | Establish/Maintain Documentation | |
| Include security requirements in the local environment security profile. CC ID 15717 | Operational management | Establish/Maintain Documentation | |
| Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039 | Operational management | Establish/Maintain Documentation | |
| Include the technology used in the local environment in the local environment security profile. CC ID 07040 | Operational management | Establish/Maintain Documentation | |
| Include contact information for critical personnel assigned to the local environment in the local environment security profile. CC ID 07041 | Operational management | Establish/Maintain Documentation | |
| Include facility information for the local environment in the local environment security profile. CC ID 07042 | Operational management | Establish/Maintain Documentation | |
| Include facility access information for the local environment in the local environment security profile. CC ID 11773 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the local environment security profile to interested personnel and affected parties. CC ID 15716 | Operational management | Communicate | |
| Update the local environment security profile, as necessary. CC ID 07043 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Establish/Maintain Documentation | |
| Determine how long to keep records and logs before disposing them. CC ID 11661 | Records management | Process or Activity | |
| Retain records in accordance with applicable requirements. CC ID 00968 [{unfair act or practice}{deceptive act or practice}{Department of Commerce} Organizations must retain their records on the implementation of their Privacy Shield privacy practices and make them available upon request in the context of an investigation or a complaint about non-compliance to the independent body responsible for investigating complaints or to the agency with unfair and deceptive practices jurisdiction. Organizations must also respond promptly to inquiries and other requests for information from the Department relating to the organization's adherence to the Principles. § III.7.e. {is accurate} {is complete} {is current} Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. An organization must adhere to the Principles for as long as it retains such information. § II.5.a.] | Records management | Records Management | |
| Acquire or sell an organization. CC ID 12421 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
| Conduct a due diligence assessment as part of an organization's acquisition. CC ID 12424 [{due diligence review} {statutory requirements} The activities of auditors and investment bankers may involve processing personal data without the consent or knowledge of the individual. This is permitted by the Notice, Choice, and Access Principles under the circumstances described below. Public stock corporations and closely held companies, including Privacy Shield organizations, are regularly subject to audits. Such audits, particularly those looking into potential wrongdoing, may be jeopardized if disclosed prematurely. Similarly, a Privacy Shield organization involved in a potential merger or takeover will need to perform, or be the subject of, a "due diligence" review. This will often entail the collection and processing of personal data, such as information on senior executives and other key personnel. Premature disclosure could impede the transaction or even violate applicable securities regulation. Investment bankers and attorneys engaged in due diligence, or auditors conducting an audit, may process information without knowledge of the individual only to the extent and for the period necessary to meet statutory or public interest requirements and in other circumstances in which the application of these Principles would prejudice the legitimate interests of the organization. These legitimate interests include the monitoring of organizations' compliance with their legal obligations and legitimate accounting activities, and the need for confidentiality connected with possible acquisitions, mergers, joint ventures, or other similar transactions carried out by investment bankers or auditors. § III.4.b.] | Acquisition or sale of facilities, technology, and services | Business Processes | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 [{unauthorized disclosure}{unauthorized alteration}{unauthorized destruction} Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data. § II.4.a. {unauthorized disclosure}{unauthorized alteration}{unauthorized destruction} Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data. § II.4.a. {unauthorized disclosure}{unauthorized alteration}{unauthorized destruction} Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data. § II.4.a. {unauthorized disclosure}{unauthorized alteration}{unauthorized destruction} Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data. § II.4.a. {unauthorized disclosure}{unauthorized alteration}{unauthorized destruction} Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data. § II.4.a. {unauthorized disclosure}{unauthorized alteration}{unauthorized destruction} Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data. § II.4.a. Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum such mechanisms must include: § II.7.a.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data transparency program. CC ID 00375 [An organization must inform individuals about: its commitment to subject to the Principles all personal data received from the EU in reliance on the Privacy Shield, § II.1.a.iii {Department of Commerce} The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self- certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. {Department of Commerce} The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self- certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. {Department of Commerce} The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self- certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. {Department of Commerce} The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self- certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. {law enforcement reasons} In order to provide transparency in respect of lawful requests by public authorities to access personal information, Privacy Shield organizations may voluntarily issue periodic transparency reports on the number of requests for personal information they receive by public authorities for law enforcement or national security reasons, to the extent such disclosures are permissible under applicable law. § III.16.a.] | Privacy protection for information and data | Data and Information Management | |
| Establish and maintain privacy notices, as necessary. CC ID 13443 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the purpose of the privacy notice in the privacy notice. CC ID 13526 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the processing purpose in the privacy notice. CC ID 16543 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include contact information in the privacy notice. CC ID 14432 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the personal data collection categories in the privacy notice. CC ID 13457 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include disclosure exceptions in the privacy notice. CC ID 13447 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of personal data disclosed in the privacy notice. CC ID 13446 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Specify the time frame that notice will be given. CC ID 00385 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the information about the appeal process in the privacy notice. CC ID 15312 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 | Privacy protection for information and data | Communicate | |
| Deliver privacy notices to data subjects, as necessary. CC ID 13444 | Privacy protection for information and data | Communicate | |
| Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Update privacy notices, as necessary. CC ID 13474 | Privacy protection for information and data | Communicate | |
| Redeliver privacy notices, as necessary. CC ID 14850 | Privacy protection for information and data | Communicate | |
| Deliver privacy notices to third parties, as necessary. CC ID 13473 | Privacy protection for information and data | Communicate | |
| Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 | Privacy protection for information and data | Communicate | |
| Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain opt-out notices. CC ID 13448 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the opt out method for data subjects in the opt-out notice. CC ID 13467 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Explain the right to opt out in the opt-out notice. CC ID 13462 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the organization's right to share personal data in the opt-out notice. CC ID 13450 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Deliver opt-out notices, as necessary. CC ID 13449 | Privacy protection for information and data | Communicate | |
| Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 | Privacy protection for information and data | Communicate | |
| Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 [{Department of Commerce} To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles; (iv) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (v) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request. § II.3.b.] | Privacy protection for information and data | Communicate | |
| Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 [{Department of Commerce} {adequate protection} An organization must subject to the Privacy Shield Principles all personal data received from the EU in reliance upon the Privacy Shield. The undertaking to adhere to the Privacy Shield Principles is not time-limited in respect of personal data received during the period in which the organization enjoys the benefits of the Privacy Shield. Its undertaking means that it will continue to apply the Principles to such data for as long as the organization stores, uses or discloses them, even if it subsequently leaves the Privacy Shield for any reason. An organization that withdraws from the Privacy Shield but wants to retain such data must affirm to the Department on an annual basis its commitment to continue to apply the Principles or provide "adequate" protection for the information by another authorized means (for example, using a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission); otherwise, the organization must return or delete the information. An organization that withdraws from the Privacy Shield must remove from any relevant privacy policy any references to the Privacy Shield that imply that the organization continues to actively participate in the Privacy Shield and is entitled to its benefits. § III.6.f.] | Privacy protection for information and data | Communicate | |
| Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 [{Department of Commerce} An organization that will cease to exist as a separate legal entity as a result of a merger or a takeover must notify the Department of this in advance. The notification should also indicate whether the acquiring entity or the entity resulting from the merger will (i) continue to be bound by the Privacy Shield Principles by the operation of law governing the takeover or merger or (ii) elect to self-certify its adherence to the Privacy Shield Principles or put in place other safeguards, such as a written agreement that will ensure adherence to the Privacy Shield Principles. Where neither (i) nor (ii) applies, any personal data that has been acquired under the Privacy Shield must be promptly deleted. § III.6.g.] | Privacy protection for information and data | Communicate | |
| Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 | Privacy protection for information and data | Data and Information Management | |
| Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 [{Department of Commerce} An organization that will cease to exist as a separate legal entity as a result of a merger or a takeover must notify the Department of this in advance. The notification should also indicate whether the acquiring entity or the entity resulting from the merger will (i) continue to be bound by the Privacy Shield Principles by the operation of law governing the takeover or merger or (ii) elect to self-certify its adherence to the Privacy Shield Principles or put in place other safeguards, such as a written agreement that will ensure adherence to the Privacy Shield Principles. Where neither (i) nor (ii) applies, any personal data that has been acquired under the Privacy Shield must be promptly deleted. § III.6.g.] | Privacy protection for information and data | Communicate | |
| Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 [{investigatory powers} An organization must inform individuals about: being subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or any other U.S. authorized statutory body, § II.1.a.x.] | Privacy protection for information and data | Communicate | |
| Provide the data subject with a notice of participation procedures. CC ID 06241 [Personal data developed in specific medical or pharmaceutical research studies often play a valuable role in future scientific research. Where personal data collected for one research study are transferred to a U.S. organization in the Privacy Shield, the organization may use the data for a new scientific research activity if appropriate notice and choice have been provided in the first instance. Such notice should provide information about any future specific uses of the data, such as periodic follow-up, related studies, or marketing. § III.14.b.i. It is understood that not all future uses of the data can be specified, since a new research use could arise from new insights on the original data, new medical discoveries and advances, and public health and regulatory developments. Where appropriate, the notice should therefore include an explanation that personal data may be used in future medical and pharmaceutical research activities that are unanticipated. If the use is not consistent with the general research purpose(s) for which the personal data were originally collected, or to which the individual has consented subsequently, new consent must be obtained. § III.14.b.ii.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Deliver notices to the intended parties. CC ID 06240 | Privacy protection for information and data | Data and Information Management | |
| Notify data subjects about their privacy rights. CC ID 12989 | Privacy protection for information and data | Communicate | |
| Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 [An organization must inform individuals about: the types of personal data collected and, where applicable, the entities or subsidiaries of the organization also adhering to the Principles, § II.1.a.ii.] | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain adequate openness procedures. CC ID 00377 | Privacy protection for information and data | Data and Information Management | |
| Provide public proof the organization participates in a privacy program. CC ID 12349 [An organization must inform individuals about: its participation in the Privacy Shield and provide a link to, or the web address for, the Privacy Shield List, § II.1.a.i.] | Privacy protection for information and data | Communicate | |
| Publish a description of processing activities in an official register. CC ID 00379 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish and maintain a records request manual. CC ID 00381 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 [An organization applying to participate in a self-regulatory body for the purposes of requalifying for the Privacy Shield must provide that body with full information about its prior participation in the Privacy Shield. § III.11.g.iv.] | Privacy protection for information and data | Behavior | |
| Define what is included in registration notices. CC ID 00386 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include roles and responsibilities in the registration notice. CC ID 16803 | Privacy protection for information and data | Establish Roles | |
| Include the verification method in the registration notice. CC ID 16798 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the statutory authority in the registration notice. CC ID 16799 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include a purpose specification description in the registration notice. CC ID 00388 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include information about the dispute resolution body in the registration notice. CC ID 16800 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data subject category being processed in the registration notice. CC ID 00389 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the time period for data processing in the registration notice. CC ID 00390 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide legal authorities access to personal data, upon request. CC ID 06818 | Privacy protection for information and data | Data and Information Management | |
| Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 [An organization must inform individuals about: its participation in the Privacy Shield and provide a link to, or the web address for, the Privacy Shield List, § II.1.a.i. An organization must inform individuals about: the choices and means the organization offers individuals for limiting the use and disclosure of their personal data, § II.1.a.viii. {unfair act or practice} {deceptive act or practice} description of the organization's privacy policy for such personal information, including: the specific statutory body that has jurisdiction to hear any claims against the organization regarding possible unfair or deceptive practices and violations of laws or regulations governing privacy (and that is listed in the Principles or a future annex to the Principles); § III.6.b.iii.4.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 | Privacy protection for information and data | Process or Activity | |
| Document the countries where restricted data may be stored. CC ID 12750 | Privacy protection for information and data | Data and Information Management | |
| Protect the rights of students and their parents or legal representatives. CC ID 00222 | Privacy protection for information and data | Data and Information Management | |
| Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 | Privacy protection for information and data | Technical Security | |
| Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 | Privacy protection for information and data | Records Management | |
| Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 | Privacy protection for information and data | Records Management | |
| Define the criteria for waivers of data subjects' rights. CC ID 16858 | Privacy protection for information and data | Behavior | |
| Revoke waivers of data subject's rights, as necessary. CC ID 16859 | Privacy protection for information and data | Behavior | |
| Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disclose educational data, as necessary. CC ID 00223 | Privacy protection for information and data | Data and Information Management | |
| Grant access to education records in support of educational program audits. CC ID 13032 | Privacy protection for information and data | Records Management | |
| Grant access to education records in support of external requirements. CC ID 13033 | Privacy protection for information and data | Records Management | |
| Disclose statements added to education records, as necessary. CC ID 12990 | Privacy protection for information and data | Communicate | |
| Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 | Privacy protection for information and data | Data and Information Management | |
| Disclose education records when written consent is received. CC ID 00224 | Privacy protection for information and data | Data and Information Management | |
| Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Specify the purpose of the disclosure in the written consent. CC ID 13001 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Specify which education records may be disclosed in the written consent. CC ID 13000 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the conditions when consent is not required to disclose educational data. CC ID 00225 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 | Privacy protection for information and data | Communicate | |
| Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 | Privacy protection for information and data | Communicate | |
| Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 | Privacy protection for information and data | Communicate | |
| Disclose educational data absent consent to other school officials. CC ID 00226 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent to another institution's school officials. CC ID 00227 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent in connection with financial aid. CC ID 00229 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 | Privacy protection for information and data | Communicate | |
| Disclose educational data absent consent to accrediting organizations. CC ID 00231 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent for a health and safety emergency. CC ID 00234 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent when it is merely directory information. CC ID 00235 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent to a crime victim. CC ID 00236 | Privacy protection for information and data | Data and Information Management | |
| Record the health and safety threats of students when disclosing personal data. CC ID 12997 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from providing information to the data subject, as necessary. CC ID 12625 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 | Privacy protection for information and data | Communicate | |
| Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 | Privacy protection for information and data | Communicate | |
| Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 [An organization must inform individuals about: the right of individuals to access their personal data, § II.1.a.vii.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with the data retention period for personal data. CC ID 12587 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with the adequacy decision. CC ID 12586 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [{database} Access can be provided in the form of disclosure of the relevant personal information by an organization to the individual and does not require access by the individual to an organization's data base. § III.8.d.i. Access needs to be provided only to the extent that an organization stores the personal information. The Access Principle does not itself create any obligation to retain, maintain, reorganize, or restructure personal information files. § III.8.d.ii. Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated. § II.6.a. {personal data} The Access Principle means that individuals have the right to: have communicated to them such data so that they could verify its accuracy and the lawfulness of the processing; and § III.8.a.i.2.] | Privacy protection for information and data | Data and Information Management | |
| Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Privacy protection for information and data | Business Processes | |
| Provide the data subject with the data protection officer's contact information. CC ID 12573 | Privacy protection for information and data | Business Processes | |
| Notify the data subject of the right to data portability. CC ID 12603 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with information about the right to erasure. CC ID 12602 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [An organization must inform individuals about: the purposes for which it collects and uses personal information about them, § II.1.a.iv. An organization must inform individuals about: the purposes for which it collects and uses personal information about them, § II.1.a.iv. An organization must inform individuals about: the types of personal data collected and, where applicable, the entities or subsidiaries of the organization also adhering to the Principles, § II.1.a.ii. An organization must inform individuals about: the type or identity of third parties to which it discloses personal information, and the purposes for which it does so, § II.1.a.vi. The organization should answer requests from an individual concerning the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data is disclosed. § III.8.a.i.1. Footnote 1 An individual has the right to obtain confirmation of whether or not this organization has personal data relating to him or her. An individual also has the right to have communicated to him or her personal data relating to him or her. An organization may charge a fee that is not excessive. § III.8.f.i. The Access Principle means that individuals have the right to: obtain from an organization confirmation of whether or not the organization is processing personal data relating to them; § III.8.a.i.1.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 [The organization should answer requests from an individual concerning the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data is disclosed. § III.8.a.i.1. Footnote 1] | Privacy protection for information and data | Data and Information Management | |
| Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish and maintain a disclosure accounting record. CC ID 13022 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 [An organization must inform individuals about: the type or identity of third parties to which it discloses personal information, and the purposes for which it does so, § II.1.a.vi.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the disclosure date in the disclosure accounting record. CC ID 07133 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the disclosure recipient in the disclosure accounting record. CC ID 07134 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the disclosure purpose in the disclosure accounting record. CC ID 07135 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 | Privacy protection for information and data | Data and Information Management | |
| Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 | Privacy protection for information and data | Communicate | |
| Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide shareholders access to electronic messages via electronic means. CC ID 11855 | Privacy protection for information and data | Process or Activity | |
| Make telephone directory information available to the public. CC ID 08698 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Display warning screens and confirmation screens for all payment transactions. CC ID 06409 | Privacy protection for information and data | Technical Security | |
| Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 | Privacy protection for information and data | Process or Activity | |
| Establish, implement, and maintain a privacy policy. CC ID 06281 [{is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data subject's rights in the privacy policy. CC ID 16355 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a privacy policy model document. CC ID 14720 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 | Privacy protection for information and data | Behavior | |
| Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Write privacy notices in the official languages required by law. CC ID 16529 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define what is included in the privacy policy. CC ID 00404 [{Department of Commerce} The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self- certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the information being collected in the privacy policy. CC ID 13115 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the means by which information is collected in the privacy policy. CC ID 13114 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include roles and responsibilities in the privacy policy. CC ID 14669 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include management commitment in the privacy policy. CC ID 14668 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include coordination amongst entities in the privacy policy. CC ID 14667 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include compliance requirements in the privacy policy. CC ID 14666 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 [description of the organization's privacy policy for such personal information, including: the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.b.iii.7. Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i. {Security Principle}(Data Integrity and Purpose Limitation Principle} {Recourse, Enforcement and Liability Principle} An organization must apply the Privacy Shield Principles of Security, Data Integrity and Purpose Limitation, and Recourse, Enforcement and Liability to personal data from publicly available sources. These Principles shall apply also to personal data collected from public records, i.e., those records kept by government agencies or entities at any level that are open to consultation by the public in general. § III.15.a. Organizations are obligated to arbitrate claims and follow the terms as set forth in Annex I, provided that an individual has invoked binding arbitration by delivering notice to the organization at issue and following the procedures and subject to conditions set forth in Annex I. § II.7.c. {include} This list is intended to be illustrative and not limiting. The private sector may design additional mechanisms to provide enforcement, so long as they meet the requirements of the Recourse, Enforcement and Liability Principle and the Supplemental Principles. Please note that the Recourse, Enforcement and Liability Principle's requirements are additional to the requirement that self-regulatory efforts must be enforceable under Section 5 of the Federal Trade Commission Act, which prohibits unfair and deceptive acts, or another law or regulation prohibiting such acts. § III.11.b.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 [description of the organization's privacy policy for such personal information, including: name of any privacy program in which the organization is a member; § III.6.b.iii.5.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include a complaint form in the privacy policy. CC ID 12364 [Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. § III.11.d.i.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the processing purpose in the privacy policy. CC ID 00406 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data subject categories being processed in the privacy policy. CC ID 00407 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the retention period for collected information in the privacy policy. CC ID 13116 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include instructions on how to opt-out in the privacy policy. CC ID 00411 [An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. Individuals must be provided with clear, conspicuous, and readily available mechanisms to exercise choice. § II.2.a.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 [description of the organization's privacy policy for such personal information, including: if the organization has a public website, the relevant web address where the privacy policy is available, or if the organization does not have a public website, where the privacy policy is available for viewing by the public; § III.6.b.iii.1. {Department of Commerce} The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self- certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self-certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. § III.6.d. Independent recourse mechanisms must include on their public websites information regarding the Privacy Shield Principles and the services that they provide under the Privacy Shield. This information must include: (1) information on or a link to the Privacy Shield Principles' requirements for independent recourse mechanisms; (2) a link to the Department's Privacy Shield website; (3) an explanation that their dispute resolution services under the Privacy Shield are free of charge to individuals; (4) a description of how a Privacy Shield-related complaint can be filed; (5) the timeframe in which Privacy Shield-related complaints are processed; and (6) a description of the range of potential remedies. § III.11.d.ii. Independent recourse mechanisms must include on their public websites information regarding the Privacy Shield Principles and the services that they provide under the Privacy Shield. This information must include: (1) information on or a link to the Privacy Shield Principles' requirements for independent recourse mechanisms; (2) a link to the Department's Privacy Shield website; (3) an explanation that their dispute resolution services under the Privacy Shield are free of charge to individuals; (4) a description of how a Privacy Shield-related complaint can be filed; (5) the timeframe in which Privacy Shield-related complaints are processed; and (6) a description of the range of potential remedies. § III.11.d.ii.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 [description of the organization's privacy policy for such personal information, including: method of verification; and § III.6.b.iii.6.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Post the privacy policy in an easily seen location. CC ID 00401 [description of the organization's privacy policy for such personal information, including: if the organization has a public website, the relevant web address where the privacy policy is available, or if the organization does not have a public website, where the privacy policy is available for viewing by the public; § III.6.b.iii.1. {Department of Commerce} Where the organization wishes its Privacy Shield benefits to cover human resources information transferred from the EU for use in the context of the employment relationship, it may do so where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear claims against the organization arising out of the processing of human resources information. In addition, the organization must indicate this in its self-certification submission and declare its commitment to cooperate with the EU authority or authorities concerned in conformity with the Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities as applicable and that it will comply with the advice given by such authorities. The organization must also provide the Department with a copy of its human resources privacy policy and provide information where the privacy policy is available for viewing by its affected employees. § III.6.c. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c. {is comprehensive} {is accessible} {procedures for disciplining them} Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. § III.7.c.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define who will receive the privacy policy. CC ID 00402 [{Department of Commerce} Where the organization wishes its Privacy Shield benefits to cover human resources information transferred from the EU for use in the context of the employment relationship, it may do so where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear claims against the organization arising out of the processing of human resources information. In addition, the organization must indicate this in its self-certification submission and declare its commitment to cooperate with the EU authority or authorities concerned in conformity with the Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities as applicable and that it will comply with the advice given by such authorities. The organization must also provide the Department with a copy of its human resources privacy policy and provide information where the privacy policy is available for viewing by its affected employees. § III.6.c.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain privacy procedures. CC ID 14665 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain a privacy plan. CC ID 14672 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Align the enterprise architecture with the privacy plan. CC ID 14705 | Privacy protection for information and data | Process or Activity | |
| Approve the privacy plan. CC ID 14700 | Privacy protection for information and data | Business Processes | |
| Include privacy requirements in the privacy plan. CC ID 14699 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the information types in the privacy plan. CC ID 14695 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include threats in the privacy plan. CC ID 14694 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include roles and responsibilities in the privacy plan. CC ID 14702 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include a description of the operational context in the privacy plan. CC ID 14692 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include risk assessment results in the privacy plan. CC ID 14701 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the security categorizations and rationale in the privacy plan. CC ID 14690 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include security controls in the privacy plan. CC ID 14681 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 | Privacy protection for information and data | Communicate | |
| Include a description of the operational environment in the privacy plan. CC ID 14679 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include network diagrams in the privacy plan. CC ID 14678 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a privacy report. CC ID 14754 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 | Privacy protection for information and data | Communicate | |
| Protect private communications in keeping with compliance requirements. CC ID 14334 | Privacy protection for information and data | Business Processes | |
| Establish, implement, and maintain personal data choice and consent program. CC ID 12569 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data request procedures. CC ID 16546 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 | Privacy protection for information and data | Human Resources Management | |
| Refrain from charging a fee to implement an opt-out request. CC ID 13877 | Privacy protection for information and data | Business Processes | |
| Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the identity of the data subject in the disclosure authorization form. CC ID 13436 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include how personal data will be used in the disclosure authorization form. CC ID 13441 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include agreement termination information in the disclosure authorization form. CC ID 13437 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 | Privacy protection for information and data | Business Processes | |
| Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 | Privacy protection for information and data | Business Processes | |
| Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 [An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. Individuals must be provided with clear, conspicuous, and readily available mechanisms to exercise choice. § II.2.a. {ability} Generally, the purpose of the Choice Principle is to ensure that personal information is used and disclosed in ways that are consistent with the individual's expectations and choices. Accordingly, an individual should be able to exercise "opt out" choice of having personal information used for direct marketing at any time subject to reasonable limits established by the organization, such as giving the organization time to make the opt out effective. An organization may also require sufficient information to confirm the identity of the individual requesting the "opt out." In the United States, individuals may be able to exercise this option through the use of a central "opt out" program such as the Direct Marketing Association's Mail Preference Service. Organizations that participate in the Direct Marketing Association's Mail Preference Service should promote its availability to consumers who do not wish to receive commercial information. In any event, an individual should be given a readily available and affordable mechanism to exercise this option. § III.12.a.] | Privacy protection for information and data | Data and Information Management | |
| Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Privacy protection for information and data | Business Processes | |
| Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Privacy protection for information and data | Business Processes | |
| Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 | Privacy protection for information and data | Data and Information Management | |
| Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 | Privacy protection for information and data | Business Processes | |
| Confirm the individual's identity before granting an opt-out request. CC ID 16813 | Privacy protection for information and data | Process or Activity | |
| Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Allow consent requests to be provided in any official languages. CC ID 16530 | Privacy protection for information and data | Business Processes | |
| Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 | Privacy protection for information and data | Communicate | |
| Collect and retain disclosure authorizations for each data subject. CC ID 13434 | Privacy protection for information and data | Records Management | |
| Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 | Privacy protection for information and data | Data and Information Management | |
| Refrain from obtaining consent through deception. CC ID 13556 | Privacy protection for information and data | Data and Information Management | |
| Give individuals the ability to change the uses of their personal data. CC ID 00469 | Privacy protection for information and data | Data and Information Management | |
| Notify data subjects of the implications of withdrawing consent. CC ID 13551 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 | Privacy protection for information and data | Human Resources Management | |
| Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Establish Roles | |
| Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 | Privacy protection for information and data | Human Resources Management | |
| Notify the supervisory authority. CC ID 00472 | Privacy protection for information and data | Behavior | |
| Establish, implement, and maintain approval applications. CC ID 16778 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Business Processes | |
| Submit approval applications to the supervisory authority. CC ID 16627 | Privacy protection for information and data | Communicate | |
| Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Business Processes | |
| Approve the approval application unless applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Process or Activity | |
| Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 | Privacy protection for information and data | Process or Activity | |
| Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Communicate | |
| Cooperate with Data Protection Authorities. CC ID 06870 [{Department of Commerce} Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department. Organizations that have chosen to cooperate with DPAs, including organizations that process human resources data, must respond directly to such authorities with regard to the investigation and resolution of complaints § II.7.b. {Department of Commerce} Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department. Organizations that have chosen to cooperate with DPAs, including organizations that process human resources data, must respond directly to such authorities with regard to the investigation and resolution of complaints § II.7.b. {unfair act or practice}{deceptive act or practice}{Department of Commerce} Organizations must retain their records on the implementation of their Privacy Shield privacy practices and make them available upon request in the context of an investigation or a complaint about non-compliance to the independent body responsible for investigating complaints or to the agency with unfair and deceptive practices jurisdiction. Organizations must also respond promptly to inquiries and other requests for information from the Department relating to the organization's adherence to the Principles. § III.7.e. {unfair act or practice}{deceptive act or practice}{Department of Commerce} Organizations must retain their records on the implementation of their Privacy Shield privacy practices and make them available upon request in the context of an investigation or a complaint about non-compliance to the independent body responsible for investigating complaints or to the agency with unfair and deceptive practices jurisdiction. Organizations must also respond promptly to inquiries and other requests for information from the Department relating to the organization's adherence to the Principles. § III.7.e. A U.S. organization participating in the Privacy Shield that uses EU human resources data transferred from the European Union in the context of the employment relationship and that wishes such transfers to be covered by the Privacy Shield must therefore commit to cooperate in investigations by and to comply with the advice of competent EU authorities in such cases. § III.9.d.ii. {comply}{privacy rights violation complaint}{legal authority} The Recourse, Enforcement and Liability Principle sets out the requirements for Privacy Shield enforcement. How to meet the requirements of point (a)(ii) of the Principle is set out in the Supplemental Principle on Verification. This Supplemental Principle addresses points (a)(i) and (a)(iii), both of which require independent recourse mechanisms. These mechanisms may take different forms, but they must meet the Recourse, Enforcement and Liability Principle's requirements. Organizations satisfy the requirements through the following: (i) compliance with private sector developed privacy programs that incorporate the Privacy Shield Principles into their rules and that include effective enforcement mechanisms of the type described in the Recourse, Enforcement and Liability Principle; (ii) compliance with legal or regulatory supervisory authorities that provide for handling of individual complaints and dispute resolution; or (iii) commitment to cooperate with data protection authorities located in the European Union or their authorized representatives. § III.11.a. {Department of Commerce} In order to help ensure compliance with their Privacy Shield commitments and to support the administration of the program, organizations, as well as their independent recourse mechanisms, must provide information relating to the Privacy Shield when requested by the Department. In addition, organizations must respond expeditiously to complaints regarding their compliance with the Principles referred through the Department by DPAs. The response should address whether the complaint has merit and, if so, how the organization will rectify the problem. The Department will protect the confidentiality of information it receives in accordance with U.S. law. § III.11.c.] | Privacy protection for information and data | Data and Information Management | |
| Submit a safe harbor self-certification letter. CC ID 06871 [{Department of Commerce} To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information: § III.6.b.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 | Privacy protection for information and data | Human Resources Management | |
| Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include data subject's rights in the Binding Corporate Rules. CC ID 12596 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include complaint procedures in the Binding Corporate Rules. CC ID 12613 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data transfers in the Binding Corporate Rules. CC ID 12590 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify the data controller of any changes in data processors. CC ID 12648 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain Data Processing Contracts. CC ID 12650 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the duration of processing in the Data Processing Contract. CC ID 14935 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 | Privacy protection for information and data | Human Resources Management | |
| Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Display or print the least amount of personal data necessary. CC ID 04643 | Privacy protection for information and data | Data and Information Management | |
| Redact confidential information from public information, as necessary. CC ID 06872 [Where confidential commercial information can be readily separated from other personal information subject to an access request, the organization should redact the confidential commercial information and make available the non-confidential information. § III.8.c.ii.] | Privacy protection for information and data | Data and Information Management | |
| Notify the data subject of the collection purpose. CC ID 00095 | Privacy protection for information and data | Behavior | |
| Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Privacy protection for information and data | Data and Information Management | |
| Document the law that requires restricted data to be collected. CC ID 00103 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify the data subject of the consequences for not providing personal data. CC ID 00104 | Privacy protection for information and data | Behavior | |
| Notify the data subject of changes to personal data use. CC ID 00105 [{Notice Principle}{Choice Principle} A U.S. organization that has received employee information from the EU under the Privacy Shield may disclose it to third parties or use it for different purposes only in accordance with the Notice and Choice Principles. For example, where an organization intends to use personal information collected through the employment relationship for non-employment-related purposes, such as marketing communications, the U.S. organization must provide the affected individuals with the requisite choice before doing so, unless they have already authorized the use of the information for such purposes. Moreover, such choices must not be used to restrict employment opportunities or take any punitive action against such employees. § III.9.b.i. Personal data developed in specific medical or pharmaceutical research studies often play a valuable role in future scientific research. Where personal data collected for one research study are transferred to a U.S. organization in the Privacy Shield, the organization may use the data for a new scientific research activity if appropriate notice and choice have been provided in the first instance. Such notice should provide information about any future specific uses of the data, such as periodic follow-up, related studies, or marketing. § III.14.b.i.] | Privacy protection for information and data | Behavior | |
| Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 [{ability} Generally, the purpose of the Choice Principle is to ensure that personal information is used and disclosed in ways that are consistent with the individual's expectations and choices. Accordingly, an individual should be able to exercise "opt out" choice of having personal information used for direct marketing at any time subject to reasonable limits established by the organization, such as giving the organization time to make the opt out effective. An organization may also require sufficient information to confirm the identity of the individual requesting the "opt out." In the United States, individuals may be able to exercise this option through the use of a central "opt out" program such as the Direct Marketing Association's Mail Preference Service. Organizations that participate in the Direct Marketing Association's Mail Preference Service should promote its availability to consumers who do not wish to receive commercial information. In any event, an individual should be given a readily available and affordable mechanism to exercise this option. § III.12.a.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 [{personal data} Similarly, an organization may use information for certain direct marketing purposes when it is impracticable to provide the individual with an opportunity to opt out before using the information, if the organization promptly gives the individual such opportunity at the same time (and upon request at any time) to decline (at no cost to the individual) to receive any further direct marketing communications and the organization complies with the individual's wishes. § III.12.b. {ability} Generally, the purpose of the Choice Principle is to ensure that personal information is used and disclosed in ways that are consistent with the individual's expectations and choices. Accordingly, an individual should be able to exercise "opt out" choice of having personal information used for direct marketing at any time subject to reasonable limits established by the organization, such as giving the organization time to make the opt out effective. An organization may also require sufficient information to confirm the identity of the individual requesting the "opt out." In the United States, individuals may be able to exercise this option through the use of a central "opt out" program such as the Direct Marketing Association's Mail Preference Service. Organizations that participate in the Direct Marketing Association's Mail Preference Service should promote its availability to consumers who do not wish to receive commercial information. In any event, an individual should be given a readily available and affordable mechanism to exercise this option. § III.12.a.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 [EU Member State law applies to the collection of the personal data and to any processing that takes place prior to the transfer to the United States. The Privacy Shield Principles apply to the data once they have been transferred to the United States. Data used for pharmaceutical research and other purposes should be anonymized when appropriate. § III.14.a.i.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Obtain the data subject's consent when the personal data use changes. CC ID 11832 [It is understood that not all future uses of the data can be specified, since a new research use could arise from new insights on the original data, new medical discoveries and advances, and public health and regulatory developments. Where appropriate, the notice should therefore include an explanation that personal data may be used in future medical and pharmaceutical research activities that are unanticipated. If the use is not consistent with the general research purpose(s) for which the personal data were originally collected, or to which the individual has consented subsequently, new consent must be obtained. § III.14.b.ii.] | Privacy protection for information and data | Behavior | |
| Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Dispose of media and restricted data in a timely manner. CC ID 00125 [{Department of Commerce} {adequate protection} An organization must subject to the Privacy Shield Principles all personal data received from the EU in reliance upon the Privacy Shield. The undertaking to adhere to the Privacy Shield Principles is not time-limited in respect of personal data received during the period in which the organization enjoys the benefits of the Privacy Shield. Its undertaking means that it will continue to apply the Principles to such data for as long as the organization stores, uses or discloses them, even if it subsequently leaves the Privacy Shield for any reason. An organization that withdraws from the Privacy Shield but wants to retain such data must affirm to the Department on an annual basis its commitment to continue to apply the Principles or provide "adequate" protection for the information by another authorized means (for example, using a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission); otherwise, the organization must return or delete the information. An organization that withdraws from the Privacy Shield must remove from any relevant privacy policy any references to the Privacy Shield that imply that the organization continues to actively participate in the Privacy Shield and is entitled to its benefits. § III.6.f. {Department of Commerce} An organization that will cease to exist as a separate legal entity as a result of a merger or a takeover must notify the Department of this in advance. The notification should also indicate whether the acquiring entity or the entity resulting from the merger will (i) continue to be bound by the Privacy Shield Principles by the operation of law governing the takeover or merger or (ii) elect to self-certify its adherence to the Privacy Shield Principles or put in place other safeguards, such as a written agreement that will ensure adherence to the Privacy Shield Principles. Where neither (i) nor (ii) applies, any personal data that has been acquired under the Privacy Shield must be promptly deleted. § III.6.g.] | Privacy protection for information and data | Data and Information Management | |
| Refrain from destroying records being inspected or reviewed. CC ID 13015 | Privacy protection for information and data | Records Management | |
| Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain data access procedures. CC ID 00414 [Consistent with the fundamental nature of access, organizations should always make good faith efforts to provide access. For example, where certain information needs to be protected and can be readily separated from other personal information subject to an access request, the organization should redact the protected information and make available the other information. If an organization determines that access should be restricted in any particular instance, it should provide the individual requesting access with an explanation of why it has made that determination and a contact point for any further inquiries. § III.8.a.iii. {human resources information} The Supplemental Principle on Access provides guidance on reasons which may justify denying or limiting access on request in the human resources context. Of course, employers in the European Union must comply with local regulations and ensure that European Union employees have access to such information as is required by law in their home countries, regardless of the location of data processing and storage. The Privacy Shield requires that an organization processing such data in the United States will cooperate in providing such access either directly or through the EU employer. § III.9.c.i. It is not necessary to apply the Access Principle to public record information as long as it is not combined with other personal information (apart from small amounts used to index or organize the public record information); however, any conditions for consultation established by the relevant jurisdiction are to be respected. In contrast, where public record information is combined with other non-public record information (other than as specifically noted above), an organization must provide access to all such information, assuming it is not subject to other permitted exceptions. § III.15.d. It is not necessary to apply the Access Principle to public record information as long as it is not combined with other personal information (apart from small amounts used to index or organize the public record information); however, any conditions for consultation established by the relevant jurisdiction are to be respected. In contrast, where public record information is combined with other non-public record information (other than as specifically noted above), an organization must provide access to all such information, assuming it is not subject to other permitted exceptions. § III.15.d. As with public record information, it is not necessary to provide access to information that is already publicly available to the public at large, as long as it is not combined with non-publicly available information. Organizations that are in the business of selling publicly available information may charge the organization's customary fee in responding to requests for access. Alternatively, individuals may seek access to their information from the organization that originally compiled the data. § III.15.e.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Allow data subjects to submit data requests. CC ID 16545 | Privacy protection for information and data | Process or Activity | |
| Provide individuals with information about where their personal data was processed. CC ID 00415 | Privacy protection for information and data | Data and Information Management | |
| Provide individuals with information about the processing purpose of their personal data. CC ID 00416 [The organization should answer requests from an individual concerning the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data is disclosed. § III.8.a.i.1. Footnote 1] | Privacy protection for information and data | Data and Information Management | |
| Provide individuals with information about disclosure of their personal data. CC ID 00417 [{national security requirement} An organization must inform individuals about: the requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, and § II.1.a.xii.] | Privacy protection for information and data | Data and Information Management | |
| Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Privacy protection for information and data | Data and Information Management | |
| Provide assistance to requesters in preparing data access requests. CC ID 13588 | Privacy protection for information and data | Data and Information Management | |
| Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define what is to be included in a data access request. CC ID 08699 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 [Individuals do not have to justify requests for access to their personal data. In responding to individuals' access requests, organizations should first be guided by the concern(s) that led to the requests in the first place. For example, if an access request is vague or broad in scope, an organization may engage the individual in a dialogue so as to better understand the motivation for the request and to locate responsive information. The organization might inquire about which part(s) of the organization the individual interacted with or about the nature of the information or its use that is the subject of the access request. § III.8.a.ii.] | Privacy protection for information and data | Business Processes | |
| Respond to data access requests in a timely manner. CC ID 00421 [{personal data access request} Organizations should respond to access requests within a reasonable time period, in a reasonable manner, and in a form that is readily intelligible to the individual. An organization that provides information to data subjects at regular intervals may satisfy an individual access request with its regular disclosure if it would not constitute an excessive delay. § III.8.i.i.] | Privacy protection for information and data | Behavior | |
| Delay responding to data access requests, as necessary. CC ID 15504 | Privacy protection for information and data | Data and Information Management | |
| Expedite the processing of data access requests, as necessary. CC ID 15496 | Privacy protection for information and data | Data and Information Management | |
| Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Privacy protection for information and data | Business Processes | |
| Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Privacy protection for information and data | Process or Activity | |
| Deliver the records described in the personal data access request, as necessary. CC ID 08701 [An individual has the right to obtain confirmation of whether or not this organization has personal data relating to him or her. An individual also has the right to have communicated to him or her personal data relating to him or her. An organization may charge a fee that is not excessive. § III.8.f.i.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Privacy protection for information and data | Data and Information Management | |
| Document the outcome of the personal data access request review procedure. CC ID 00455 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Records Management | |
| Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify third parties of data access requests that relates to the third party. CC ID 08703 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Allow affected third parties to consent or object to a data access request. CC ID 08704 | Privacy protection for information and data | Process or Activity | |
| Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 | Privacy protection for information and data | Data and Information Management | |
| Disclose de-identified data, as necessary. CC ID 13034 | Privacy protection for information and data | Communicate | |
| Notify the data subject after personal data is used or disclosed. CC ID 06247 | Privacy protection for information and data | Behavior | |
| Refrain from processing restricted data, as necessary. CC ID 12551 | Privacy protection for information and data | Records Management | |
| Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 | Privacy protection for information and data | Process or Activity | |
| Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 | Privacy protection for information and data | Business Processes | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 | Privacy protection for information and data | Process or Activity | |
| Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 | Privacy protection for information and data | Data and Information Management | |
| Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Privacy protection for information and data | Data and Information Management | |
| Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Privacy protection for information and data | Process or Activity | |
| Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data protection officer's contact information in the record of processing activities. CC ID 12640 | Privacy protection for information and data | Records Management | |
| Include the data processor's contact information in the record of processing activities. CC ID 12657 | Privacy protection for information and data | Records Management | |
| Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 | Privacy protection for information and data | Records Management | |
| Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 | Privacy protection for information and data | Records Management | |
| Include a description of the data subject categories in the record of processing activities. CC ID 12659 | Privacy protection for information and data | Records Management | |
| Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 | Privacy protection for information and data | Records Management | |
| Include the personal data processing categories in the record of processing activities. CC ID 12661 | Privacy protection for information and data | Records Management | |
| Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 | Privacy protection for information and data | Records Management | |
| Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 | Privacy protection for information and data | Records Management | |
| Include a description of the personal data categories in the record of processing activities. CC ID 12660 | Privacy protection for information and data | Records Management | |
| Include the joint data controller's contact information in the record of processing activities. CC ID 12639 | Privacy protection for information and data | Records Management | |
| Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 | Privacy protection for information and data | Records Management | |
| Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 | Privacy protection for information and data | Records Management | |
| Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 | Privacy protection for information and data | Records Management | |
| Include the data controller's contact information in the record of processing activities. CC ID 12637 | Privacy protection for information and data | Records Management | |
| Process restricted data lawfully and carefully. CC ID 00086 | Privacy protection for information and data | Establish Roles | |
| Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Privacy protection for information and data | Technical Security | |
| Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 [An organization is not required to obtain affirmative express consent (opt in) with respect to sensitive data where the processing is: required to provide medical care or diagnosis; § III.1.a.iii.] | Privacy protection for information and data | Data and Information Management | |
| Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Privacy protection for information and data | Records Management | |
| Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Privacy protection for information and data | Data and Information Management | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Privacy protection for information and data | Records Management | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Privacy protection for information and data | Process or Activity | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Privacy protection for information and data | Records Management | |
| Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Privacy protection for information and data | Data and Information Management | |
| Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Privacy protection for information and data | Data and Information Management | |
| Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define and implement valid authorization control requirements. CC ID 06258 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Privacy protection for information and data | Data and Information Management | |
| Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Privacy protection for information and data | Data and Information Management | |
| Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Privacy protection for information and data | Data and Information Management | |
| Process personal data after the data subject has granted explicit consent. CC ID 00180 | Privacy protection for information and data | Data and Information Management | |
| Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 [An organization is not required to obtain affirmative express consent (opt in) with respect to sensitive data where the processing is: necessary for the establishment of legal claims or defenses; § III.1.a.ii. {due diligence review} {statutory requirements} The activities of auditors and investment bankers may involve processing personal data without the consent or knowledge of the individual. This is permitted by the Notice, Choice, and Access Principles under the circumstances described below. Public stock corporations and closely held companies, including Privacy Shield organizations, are regularly subject to audits. Such audits, particularly those looking into potential wrongdoing, may be jeopardized if disclosed prematurely. Similarly, a Privacy Shield organization involved in a potential merger or takeover will need to perform, or be the subject of, a "due diligence" review. This will often entail the collection and processing of personal data, such as information on senior executives and other key personnel. Premature disclosure could impede the transaction or even violate applicable securities regulation. Investment bankers and attorneys engaged in due diligence, or auditors conducting an audit, may process information without knowledge of the individual only to the extent and for the period necessary to meet statutory or public interest requirements and in other circumstances in which the application of these Principles would prejudice the legitimate interests of the organization. These legitimate interests include the monitoring of organizations' compliance with their legal obligations and legitimate accounting activities, and the need for confidentiality connected with possible acquisitions, mergers, joint ventures, or other similar transactions carried out by investment bankers or auditors. § III.4.b.] | Privacy protection for information and data | Data and Information Management | |
| Process personal data relating to criminal offenses when required by law. CC ID 00237 | Privacy protection for information and data | Data and Information Management | |
| Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 | Privacy protection for information and data | Data and Information Management | |
| Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Privacy protection for information and data | Data and Information Management | |
| Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [An organization is not required to obtain affirmative express consent (opt in) with respect to sensitive data where the processing is: carried out in the course of legitimate activities by a foundation, association or any other non-profit body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to the persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; § III.1.a.iv. {Notice Principle} For occasional employment-related operational needs of the Privacy Shield organization with respect to personal data transferred under the Privacy Shield, such as the booking of a flight, hotel room, or insurance coverage, transfers of personal data of a small number of employees can take place to controllers without application of the Access Principle or entering into a contract with the third-party controller, as otherwise required under the Accountability for Onward Transfer Principle, provided that the Privacy Shield organization has complied with the Notice and Choice Principles. § III.9.e.i. {due diligence review} {statutory requirements} The activities of auditors and investment bankers may involve processing personal data without the consent or knowledge of the individual. This is permitted by the Notice, Choice, and Access Principles under the circumstances described below. Public stock corporations and closely held companies, including Privacy Shield organizations, are regularly subject to audits. Such audits, particularly those looking into potential wrongdoing, may be jeopardized if disclosed prematurely. Similarly, a Privacy Shield organization involved in a potential merger or takeover will need to perform, or be the subject of, a "due diligence" review. This will often entail the collection and processing of personal data, such as information on senior executives and other key personnel. Premature disclosure could impede the transaction or even violate applicable securities regulation. Investment bankers and attorneys engaged in due diligence, or auditors conducting an audit, may process information without knowledge of the individual only to the extent and for the period necessary to meet statutory or public interest requirements and in other circumstances in which the application of these Principles would prejudice the legitimate interests of the organization. These legitimate interests include the monitoring of organizations' compliance with their legal obligations and legitimate accounting activities, and the need for confidentiality connected with possible acquisitions, mergers, joint ventures, or other similar transactions carried out by investment bankers or auditors. § III.4.b. To the extent and for the period necessary to avoid prejudicing the ability of the organization in making promotions, appointments, or other similar employment decisions, an organization does not need to offer notice and choice. § III.9.b.iv.] | Privacy protection for information and data | Data and Information Management | |
| Process traffic data in a controlled manner. CC ID 00130 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 | Privacy protection for information and data | Data and Information Management | |
| Process personal data when it is publicly accessible. CC ID 00187 [An organization is not required to obtain affirmative express consent (opt in) with respect to sensitive data where the processing is: related to data that are manifestly made public by the individual. § III.1.a.vi.] | Privacy protection for information and data | Data and Information Management | |
| Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Privacy protection for information and data | Data and Information Management | |
| Refrain from processing personal data for marketing or advertising to children. CC ID 14010 | Privacy protection for information and data | Business Processes | |
| Process personal data for the purposes of employment. CC ID 16527 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for debt collection or benefit payments. CC ID 00190 | Privacy protection for information and data | Data and Information Management | |
| Process personal data in order to advance the public interest. CC ID 00191 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for surveys, archives, or scientific research. CC ID 00192 [Participants may decide or be asked to withdraw from a clinical trial at any time. Any personal data collected previous to withdrawal may still be processed along with other data collected as part of the clinical trial, however, if this was made clear to the participant in the notice at the time he or she agreed to participate. § III.14.c.i.] | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for academic purposes or religious purposes. CC ID 00194 | Privacy protection for information and data | Data and Information Management | |
| Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Privacy protection for information and data | Data and Information Management | |
| Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Privacy protection for information and data | Data and Information Management | |
| Follow legal obligations while processing personal data. CC ID 04794 | Privacy protection for information and data | Data and Information Management | |
| Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 | Privacy protection for information and data | Process or Activity | |
| Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent in order to perform a contract. CC ID 13586 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is needed by law. CC ID 13577 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is from publicly available information. CC ID 13576 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent to create a credit report. CC ID 15288 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when produced for business purposes. CC ID 13563 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent for handling insurance claims. CC ID 13561 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent for life-threatening emergencies. CC ID 13558 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent for reasonable investigative purposes. CC ID 13557 | Privacy protection for information and data | Data and Information Management | |
| Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 [This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party. § II.1.b. {Notice Principle}{Choice Principle} A U.S. organization that has received employee information from the EU under the Privacy Shield may disclose it to third parties or use it for different purposes only in accordance with the Notice and Choice Principles. For example, where an organization intends to use personal information collected through the employment relationship for non-employment-related purposes, such as marketing communications, the U.S. organization must provide the affected individuals with the requisite choice before doing so, unless they have already authorized the use of the information for such purposes. Moreover, such choices must not be used to restrict employment opportunities or take any punitive action against such employees. § III.9.b.i.] | Privacy protection for information and data | Behavior | |
| Define security breach notification requirement exceptions. CC ID 04797 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 | Privacy protection for information and data | Records Management | |
| Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 | Privacy protection for information and data | Data and Information Management | |
| Define what restricted data is not required to be disclosed absent consent. CC ID 00134 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the exceptions to disclosure absent consent. CC ID 00135 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define opt-out exceptions for disclosing restricted data. CC ID 00159 [{pharmaceutical company} {Notice Principle} {Choice Principle} {Accountability for Onward Transfer Principle} {Access Principle} A pharmaceutical or medical device company does not have to apply the Privacy Shield Principles with respect to the Notice, Choice, Accountability for Onward Transfer, and Access Principles in its product safety and efficacy monitoring activities, including the reporting of adverse events and the tracking of patients/subjects using certain medicines or medical devices, to the extent that adherence to the Principles interferes with compliance with regulatory requirements. This is true both with respect to reports by, for example, health care providers to pharmaceutical and medical device companies, and with respect to reports by pharmaceutical and medical device companies to government agencies like the Food and Drug Administration. § III.14.f.i.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define how a data subject may give consent. CC ID 00160 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 | Privacy protection for information and data | Communicate | |
| Disclose restricted data absent consent when the law does not require consent. CC ID 00136 | Privacy protection for information and data | Data and Information Management | |
| Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent to create a credit report. CC ID 15297 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent for handling insurance claims. CC ID 13585 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent in order to perform a contract. CC ID 00139 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent for public economic interests. CC ID 00148 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 [{Notice Principle}{Choice Principle}{Accountability for Onward Transfer Principle} It is not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to public record information, as long as it is not combined with non-public record information, and any conditions for consultation established by the relevant jurisdiction are respected. Also, it is generally not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to publicly available information unless the European transferor indicates that such information is subject to restrictions that require application of those Principles by the organization for the uses it intends. Organizations will have no liability for how such information is used by those obtaining such information from published materials. § III.15.b.] | Privacy protection for information and data | Data and Information Management | |
| Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when it is needed by law. CC ID 00163 [An organization is not required to obtain affirmative express consent (opt in) with respect to sensitive data where the processing is: necessary to carry out the organization's obligations in the field of employment law; or § III.1.a.v. {Notice Principle}{Choice Principle}{personal data transfer} Pharmaceutical and medical device companies are allowed to provide personal data from clinical trials conducted in the EU to regulators in the United States for regulatory and supervision purposes. Similar transfers are allowed to parties other than regulators, such as company locations and other researchers, consistent with the Principles of Notice and Choice. § III.14.d.i. {shall not impair} Absence of notice in accordance with point (a)(xii) of the Notice Principle shall not prevent or impair an organization's ability to respond to any lawful request. § III.16.c.] | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain restricted data retention procedures. CC ID 00167 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain personal data disposition procedures. CC ID 13498 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Capture personal data removal requests. CC ID 13507 | Privacy protection for information and data | Communicate | |
| Remove personal data from records after receiving a personal data removal request. CC ID 11972 | Privacy protection for information and data | Records Management | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Privacy protection for information and data | Process or Activity | |
| Dispose of personal data removal requests, as necessary. CC ID 13512 | Privacy protection for information and data | Business Processes | |
| Limit the redisclosure and reuse of restricted data. CC ID 00168 | Privacy protection for information and data | Data and Information Management | |
| Refrain from redisclosing or reusing restricted data. CC ID 00169 | Privacy protection for information and data | Data and Information Management | |
| Document the redisclosing restricted data exceptions. CC ID 00170 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Redisclose restricted data when the data subject consents. CC ID 00171 | Privacy protection for information and data | Data and Information Management | |
| Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 | Privacy protection for information and data | Data and Information Management | |
| Redisclose restricted data in order to protect public revenue. CC ID 00173 | Privacy protection for information and data | Data and Information Management | |
| Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 | Privacy protection for information and data | Data and Information Management | |
| Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 | Privacy protection for information and data | Data and Information Management | |
| Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 | Privacy protection for information and data | Data and Information Management | |
| Redisclose restricted data in order to preserve human life at sea. CC ID 00177 | Privacy protection for information and data | Data and Information Management | |
| Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 [For sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), organizations must obtain affirmative express consent (opt in) from individuals if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt- in choice. In addition, an organization should treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive. § II.2.c.] | Privacy protection for information and data | Data and Information Management | |
| Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 | Privacy protection for information and data | Data and Information Management | |
| Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Privacy protection for information and data | Data and Information Management | |
| Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Privacy protection for information and data | Data and Information Management | |
| Process Personal Identification Numbers with consent. CC ID 00239 | Privacy protection for information and data | Data and Information Management | |
| Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Privacy protection for information and data | Behavior | |
| Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Privacy protection for information and data | Data and Information Management | |
| Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Privacy protection for information and data | Data and Information Management | |
| Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Privacy protection for information and data | Data and Information Management | |
| Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Privacy protection for information and data | Data and Information Management | |
| Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Privacy protection for information and data | Data and Information Management | |
| Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Privacy protection for information and data | Data and Information Management | |
| Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Privacy protection for information and data | Data and Information Management | |
| Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Privacy protection for information and data | Data and Information Management | |
| Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain data disclosure procedures. CC ID 00133 [{is not used} For example, if the personal information is used for decisions that will significantly affect the individual, then consistent with the other provisions of these Supplemental Principles, the organization would have to disclose that information even if it is relatively difficult or expensive to provide. If the personal information requested is not sensitive or not used for decisions that will significantly affect the individual, but is readily available and inexpensive to provide, an organization would have to provide access to such information. § III.8.b.ii.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Privacy protection for information and data | Data and Information Management | |
| Review personal data disclosure requests. CC ID 07129 | Privacy protection for information and data | Data and Information Management | |
| Notify the data subject of the disclosure purpose. CC ID 15268 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain data request denial procedures. CC ID 00434 [{personal data access request} An organization which claims an exception has the burden of demonstrating its necessity, and the reasons for restricting access and a contact point for further inquiries should be given to individuals. § III.8.e.ii. {pharmaceutical company} {Notice Principle} {Choice Principle} {Accountability for Onward Transfer Principle} {Access Principle} A pharmaceutical or medical device company does not have to apply the Privacy Shield Principles with respect to the Notice, Choice, Accountability for Onward Transfer, and Access Principles in its product safety and efficacy monitoring activities, including the reporting of adverse events and the tracking of patients/subjects using certain medicines or medical devices, to the extent that adherence to the Principles interferes with compliance with regulatory requirements. This is true both with respect to reports by, for example, health care providers to pharmaceutical and medical device companies, and with respect to reports by pharmaceutical and medical device companies to government agencies like the Food and Drug Administration. § III.14.f.i.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Privacy protection for information and data | Data and Information Management | |
| Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Privacy protection for information and data | Data and Information Management | |
| Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Privacy protection for information and data | Data and Information Management | |
| Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [Confidential commercial information is information that an organization has taken steps to protect from disclosure, where disclosure would help a competitor in the market. Organizations may deny or limit access to the extent that granting full access would reveal its own confidential commercial information, such as marketing inferences or classifications generated by the organization, or the confidential commercial information of another that is subject to a contractual obligation of confidentiality. § III.8.c.i. {personal data} Other reasons for denying or limiting access are: prejudicing the confidentiality necessary in monitoring, inspection or regulatory functions connected with sound management, or in future or ongoing negotiations involving the organization. § III.8.e.i.5.] | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Process or Activity | |
| Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Privacy protection for information and data | Data and Information Management | |
| Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 [As organizations must always make good faith efforts to provide individuals with access to their personal data, the circumstances in which organizations may restrict such access are limited, and any reasons for restricting access must be specific. As under the Directive, an organization can restrict access to information to the extent that disclosure is likely to interfere with the safeguarding of important countervailing public interests, such as national security; defense; or public security. In addition, where personal information is processed solely for research or statistical purposes, access may be denied. Other reasons for denying or limiting access are: § III.8.e.i. {clinical trial}{personal data} Agreement to participate in the trial under these conditions is a reasonable forgoing of the right of access. Following the conclusion of the trial and analysis of the results, participants should have access to their data if they request it. They should seek it primarily from the physician or other health care provider from whom they received treatment within the clinical trial, or secondarily from the sponsoring organization. § III.14.e.ii. To ensure objectivity in many clinical trials, participants, and often investigators as well, cannot be given access to information about which treatment each participant may be receiving. Doing so would jeopardize the validity of the research study and results. Participants in such clinical trials (referred to as "blinded" studies) do not have to be provided access to the data on their treatment during the trial if this restriction has been explained when the participant entered the trial and the disclosure of such information would jeopardize the integrity of the research effort. § III.14.e.i.] | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 [The right of access to personal data may be restricted in exceptional circumstances where the legitimate rights of persons other than the individual would be violated or where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question. Expense and burden are important factors and should be taken into account but they are not controlling factors in determining whether providing access is reasonable. § III.8.b.i. {personal data} Other reasons for denying or limiting access are: disclosure where the legitimate rights or important interests of others would be violated; § III.8.e.i.2.] | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 [As organizations must always make good faith efforts to provide individuals with access to their personal data, the circumstances in which organizations may restrict such access are limited, and any reasons for restricting access must be specific. As under the Directive, an organization can restrict access to information to the extent that disclosure is likely to interfere with the safeguarding of important countervailing public interests, such as national security; defense; or public security. In addition, where personal information is processed solely for research or statistical purposes, access may be denied. Other reasons for denying or limiting access are: § III.8.e.i.] | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 [{personal data} Other reasons for denying or limiting access are: interference with the execution or enforcement of the law or with private causes of action, including the prevention, investigation or detection of offenses or the right to a fair trial; § III.8.e.i.1.] | Privacy protection for information and data | Data and Information Management | |
| Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 [{personal data} Other reasons for denying or limiting access are: prejudicing employee security investigations or grievance proceedings or in connection with employee succession planning and corporate re-organizations; or § III.8.e.i.4.] | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 [{personal data} Other reasons for denying or limiting access are: prejudicing employee security investigations or grievance proceedings or in connection with employee succession planning and corporate re-organizations; or § III.8.e.i.4.] | Privacy protection for information and data | Data and Information Management | |
| Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 [The right of access to personal data may be restricted in exceptional circumstances where the legitimate rights of persons other than the individual would be violated or where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question. Expense and burden are important factors and should be taken into account but they are not controlling factors in determining whether providing access is reasonable. § III.8.b.i.] | Privacy protection for information and data | Data and Information Management | |
| Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [Consistent with the fundamental nature of access, organizations should always make good faith efforts to provide access. For example, where certain information needs to be protected and can be readily separated from other personal information subject to an access request, the organization should redact the protected information and make available the other information. If an organization determines that access should be restricted in any particular instance, it should provide the individual requesting access with an explanation of why it has made that determination and a contact point for any further inquiries. § III.8.a.iii. {personal data access request} An organization which claims an exception has the burden of demonstrating its necessity, and the reasons for restricting access and a contact point for further inquiries should be given to individuals. § III.8.e.ii.] | Privacy protection for information and data | Data and Information Management | |
| Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Privacy protection for information and data | Communicate | |
| Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Privacy protection for information and data | Data and Information Management | |
| Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 [{personal data} Other reasons for denying or limiting access are: breaching a legal or other professional privilege or obligation; § III.8.e.i.3.] | Privacy protection for information and data | Process or Activity | |
| Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [{is not used} For example, if the personal information is used for decisions that will significantly affect the individual, then consistent with the other provisions of these Supplemental Principles, the organization would have to disclose that information even if it is relatively difficult or expensive to provide. If the personal information requested is not sensitive or not used for decisions that will significantly affect the individual, but is readily available and inexpensive to provide, an organization would have to provide access to such information. § III.8.b.ii.] | Privacy protection for information and data | Data and Information Management | |
| Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 [{personal data} An organization is not required to provide access unless it is supplied with sufficient information to allow it to confirm the identity of the person making the request. § III.8.h.i. {ability} Generally, the purpose of the Choice Principle is to ensure that personal information is used and disclosed in ways that are consistent with the individual's expectations and choices. Accordingly, an individual should be able to exercise "opt out" choice of having personal information used for direct marketing at any time subject to reasonable limits established by the organization, such as giving the organization time to make the opt out effective. An organization may also require sufficient information to confirm the identity of the individual requesting the "opt out." In the United States, individuals may be able to exercise this option through the use of a central "opt out" program such as the Direct Marketing Association's Mail Preference Service. Organizations that participate in the Direct Marketing Association's Mail Preference Service should promote its availability to consumers who do not wish to receive commercial information. In any event, an individual should be given a readily available and affordable mechanism to exercise this option. § III.12.a.] | Privacy protection for information and data | Data and Information Management | |
| Notify that data subject of any exclusions to requested personal data. CC ID 15271 | Privacy protection for information and data | Communicate | |
| Provide data or records in a reasonable time frame. CC ID 00429 [An organization may set reasonable limits on the number of times within a given period that access requests from a particular individual will be met. In setting such limitations, an organization should consider such factors as the frequency with which information is updated, the purpose for which the data are used, and the nature of the information. § III.8.g.i.] | Privacy protection for information and data | Data and Information Management | |
| Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 | Privacy protection for information and data | Communicate | |
| Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Privacy protection for information and data | Data and Information Management | |
| Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Privacy protection for information and data | Data and Information Management | |
| Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Privacy protection for information and data | Data and Information Management | |
| Provide data at a cost that is not excessive. CC ID 00430 [An individual has the right to obtain confirmation of whether or not this organization has personal data relating to him or her. An individual also has the right to have communicated to him or her personal data relating to him or her. An organization may charge a fee that is not excessive. § III.8.f.i. Charging a fee may be justified, for example, where requests for access are manifestly excessive, in particular because of their repetitive character. § III.8.f.ii. As with public record information, it is not necessary to provide access to information that is already publicly available to the public at large, as long as it is not combined with non-publicly available information. Organizations that are in the business of selling publicly available information may charge the organization's customary fee in responding to requests for access. Alternatively, individuals may seek access to their information from the organization that originally compiled the data. § III.15.e.] | Privacy protection for information and data | Data and Information Management | |
| Provide records or data in a reasonable manner. CC ID 00431 [As organizations must always make good faith efforts to provide individuals with access to their personal data, the circumstances in which organizations may restrict such access are limited, and any reasons for restricting access must be specific. As under the Directive, an organization can restrict access to information to the extent that disclosure is likely to interfere with the safeguarding of important countervailing public interests, such as national security; defense; or public security. In addition, where personal information is processed solely for research or statistical purposes, access may be denied. Other reasons for denying or limiting access are: § III.8.e.i. Where confidential commercial information can be readily separated from other personal information subject to an access request, the organization should redact the confidential commercial information and make available the non-confidential information. § III.8.c.ii. {personal data access request} Organizations should respond to access requests within a reasonable time period, in a reasonable manner, and in a form that is readily intelligible to the individual. An organization that provides information to data subjects at regular intervals may satisfy an individual access request with its regular disclosure if it would not constitute an excessive delay. § III.8.i.i.] | Privacy protection for information and data | Data and Information Management | |
| Provide personal data in a form that is intelligible. CC ID 00432 [{personal data access request} Organizations should respond to access requests within a reasonable time period, in a reasonable manner, and in a form that is readily intelligible to the individual. An organization that provides information to data subjects at regular intervals may satisfy an individual access request with its regular disclosure if it would not constitute an excessive delay. § III.8.i.i.] | Privacy protection for information and data | Data and Information Management | |
| Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Privacy protection for information and data | Data and Information Management | |
| Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Privacy protection for information and data | Data and Information Management | |
| Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Privacy protection for information and data | Data and Information Management | |
| Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include cookie management in the privacy framework. CC ID 13809 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain cookie management procedures. CC ID 13810 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 | Privacy protection for information and data | Data and Information Management | |
| Refrain from collecting personal data, as necessary. CC ID 15269 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data use policy. CC ID 00076 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Use personal data for specified purposes. CC ID 11831 [{is accurate} {is complete} {is current} Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. An organization must adhere to the Principles for as long as it retains such information. § II.5.a. {is accurate} {is complete} {is current} Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. An organization must adhere to the Principles for as long as it retains such information. § II.5.a.] | Privacy protection for information and data | Data and Information Management | |
| Post the collection purpose. CC ID 00101 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 | Privacy protection for information and data | Data and Information Management | |
| Document each individual's personal data collection consent preferences. CC ID 06945 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide explicit consent that is clear and unambiguous. CC ID 00181 | Privacy protection for information and data | Data and Information Management | |
| Allow individuals to change their personal data collection consent preferences. CC ID 06946 | Privacy protection for information and data | Data and Information Management | |
| Adhere to each individual's personal data collection consent preferences. CC ID 06947 [In addition, employers should make reasonable efforts to accommodate employee privacy preferences. This could include, for example, restricting access to the personal data, anonymizing certain data, or assigning codes or pseudonyms when the actual names are not required for the management purpose at hand. § III.9.b.iii.] | Privacy protection for information and data | Data and Information Management | |
| Notify the data subject of the source of collected personal data. CC ID 00083 | Privacy protection for information and data | Behavior | |
| Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 | Privacy protection for information and data | Data and Information Management | |
| Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 | Privacy protection for information and data | Data and Information Management | |
| Establish and maintain a personal data definition. CC ID 00028 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an individual's name in the personal data definition. CC ID 04710 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 | Privacy protection for information and data | Data and Information Management | |
| Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's signature in the personal data definition. CC ID 04711 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's date of birth in the personal data definition. CC ID 04770 | Privacy protection for information and data | Data and Information Management | |
| Include the number of children in the personal data definition. CC ID 13759 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the individual's religion in the personal data definition. CC ID 13765 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's biometric data in the personal data definition. CC ID 04698 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's photographic image in the personal data definition. CC ID 04779 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's fingerprints in the personal data definition. CC ID 04689 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's address in the personal data definition. CC ID 04687 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's telephone number in the personal data definition. CC ID 04688 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's fax number in the personal data definition. CC ID 07120 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's political party affiliation in the personal data definition. CC ID 13764 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an individual's license plate number in the personal data definition. CC ID 13763 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an individual's financial account number in the personal data definition. CC ID 04692 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's account balances in the personal data definition. CC ID 13770 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's logon credentials in the personal data definition. CC ID 13771 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's passport number in the personal data definition. CC ID 04713 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's military identification number in the personal data definition. CC ID 13083 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an individual's e-mail address in the personal data definition. CC ID 04696 | Privacy protection for information and data | Data and Information Management | |
| Include electronic signatures in the personal data definition. CC ID 04697 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's payment card information in the personal data definition. CC ID 04751 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's payment card service code in the personal data definition. CC ID 04753 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's payment card expiration date in the personal data definition. CC ID 04755 | Privacy protection for information and data | Data and Information Management | |
| Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's medical history in the personal data definition. CC ID 04701 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's medical treatment in the personal data definition. CC ID 04702 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's medical diagnosis in the personal data definition. CC ID 04703 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's medical record numbers in the personal data definition. CC ID 07121 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's health insurance information in the personal data definition. CC ID 04705 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's health insurance policy number in the personal data definition. CC ID 04706 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's education information in the personal data definition. CC ID 04714 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's employment information in the personal data definition. CC ID 04715 | Privacy protection for information and data | Data and Information Management | |
| Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's employment history in the personal data definition. CC ID 04716 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's place of employment in the personal data definition. CC ID 04765 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's property information in the personal data definition. CC ID 04780 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's property title in the personal data definition. CC ID 04781 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's vehicle registration in the personal data definition. CC ID 04782 | Privacy protection for information and data | Data and Information Management | |
| Include hardware asset identification information in the personal data definition. CC ID 07123 | Privacy protection for information and data | Data and Information Management | |
| Include MAC addresses in the personal data definition. CC ID 04778 | Privacy protection for information and data | Data and Information Management | |
| Include Internet Protocol addresses in the personal data definition. CC ID 04777 | Privacy protection for information and data | Data and Information Management | |
| Include asset serial numbers in the personal data definition. CC ID 07124 | Privacy protection for information and data | Data and Information Management | |
| Include Uniform Resource Locators in the personal data definition. CC ID 07125 | Privacy protection for information and data | Data and Information Management | |
| Refrain from including publicly available information in the personal data definition. CC ID 13084 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define specially restricted data. CC ID 00037 | Privacy protection for information and data | Data and Information Management | |
| Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Privacy protection for information and data | Data and Information Management | |
| Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 | Privacy protection for information and data | Data and Information Management | |
| Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 | Privacy protection for information and data | Data and Information Management | |
| Implement a nondiscrimination principle. CC ID 00081 | Privacy protection for information and data | Data and Information Management | |
| Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 | Privacy protection for information and data | Data and Information Management | |
| Preserve each individual's right to human dignity. CC ID 00082 | Privacy protection for information and data | Data and Information Management | |
| Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 | Privacy protection for information and data | Data and Information Management | |
| Employ a random number generator to create authenticators. CC ID 13782 | Privacy protection for information and data | Technical Security | |
| Collect Personal Identification Numbers with the individual's consent. CC ID 00059 | Privacy protection for information and data | Data and Information Management | |
| Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 | Privacy protection for information and data | Data and Information Management | |
| Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 | Privacy protection for information and data | Data and Information Management | |
| Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 | Privacy protection for information and data | Data and Information Management | |
| Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 | Privacy protection for information and data | Behavior | |
| Manage health data collection. CC ID 00050 | Privacy protection for information and data | Data and Information Management | |
| Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 | Privacy protection for information and data | Data and Information Management | |
| Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 | Privacy protection for information and data | Data and Information Management | |
| Collect Individually Identifiable Health Information for research. CC ID 00054 | Privacy protection for information and data | Data and Information Management | |
| Remove personal data before disclosing health data. CC ID 00055 | Privacy protection for information and data | Data and Information Management | |
| Give special attention to collecting children's data. CC ID 00038 | Privacy protection for information and data | Data and Information Management | |
| Use simple understandable language to collect information from children. CC ID 00039 | Privacy protection for information and data | Behavior | |
| Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Collect personal data directly from the data subject. CC ID 00011 | Privacy protection for information and data | Data and Information Management | |
| Create and manage user account aliases to maintain pseudonymity. CC ID 04549 | Privacy protection for information and data | Data and Information Management | |
| Provide unlinkability for users and resources. CC ID 04550 | Privacy protection for information and data | Data and Information Management | |
| Provide unobservability of users and resources. CC ID 04551 | Privacy protection for information and data | Technical Security | |
| Collect restricted data in a fair and lawful manner. CC ID 00010 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 [An organization is not required to obtain affirmative express consent (opt in) with respect to sensitive data where the processing is: in the vital interests of the data subject or another person; § III.1.a.i.] | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent in order to make a disclosure. CC ID 13550 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent for handling insurance claims. CC ID 13543 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 [Personal information that is gathered for publication, broadcast, or other forms of public communication of journalistic material, whether used or not, as well as information found in previously published material disseminated from media archives, is not subject to the requirements of the Privacy Shield Principles. § III.2.b.] | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent from publicly available information. CC ID 00019 [{Notice Principle}{Choice Principle}{Accountability for Onward Transfer Principle} It is not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to public record information, as long as it is not combined with non-public record information, and any conditions for consultation established by the relevant jurisdiction are respected. Also, it is generally not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to publicly available information unless the European transferor indicates that such information is subject to restrictions that require application of those Principles by the organization for the uses it intends. Organizations will have no liability for how such information is used by those obtaining such information from published materials. § III.15.b.] | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent when needed by law. CC ID 00020 [{pharmaceutical company} {Notice Principle} {Choice Principle} {Accountability for Onward Transfer Principle} {Access Principle} A pharmaceutical or medical device company does not have to apply the Privacy Shield Principles with respect to the Notice, Choice, Accountability for Onward Transfer, and Access Principles in its product safety and efficacy monitoring activities, including the reporting of adverse events and the tracking of patients/subjects using certain medicines or medical devices, to the extent that adherence to the Principles interferes with compliance with regulatory requirements. This is true both with respect to reports by, for example, health care providers to pharmaceutical and medical device companies, and with respect to reports by pharmaceutical and medical device companies to government agencies like the Food and Drug Administration. § III.14.f.i.] | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent to create a credit report. CC ID 15287 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 | Privacy protection for information and data | Data and Information Management | |
| Collect the minimum amount of restricted data necessary. CC ID 00078 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data in a proper information framework. CC ID 00009 | Privacy protection for information and data | Data and Information Management | |
| Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data when required by law. CC ID 00031 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data to prevent life-threatening emergencies. CC ID 00032 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 [An organization is not required to obtain affirmative express consent (opt in) with respect to sensitive data where the processing is: carried out in the course of legitimate activities by a foundation, association or any other non-profit body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to the persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; § III.1.a.iv.] | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data for legal purposes. CC ID 00036 | Privacy protection for information and data | Data and Information Management | |
| Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 | Privacy protection for information and data | Communicate | |
| Provide the data subject with the data collector's name and contact information. CC ID 00024 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Data and Information Management | |
| Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Technical Security | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 [{Department of Commerce} {adequate protection} An organization must subject to the Privacy Shield Principles all personal data received from the EU in reliance upon the Privacy Shield. The undertaking to adhere to the Privacy Shield Principles is not time-limited in respect of personal data received during the period in which the organization enjoys the benefits of the Privacy Shield. Its undertaking means that it will continue to apply the Principles to such data for as long as the organization stores, uses or discloses them, even if it subsequently leaves the Privacy Shield for any reason. An organization that withdraws from the Privacy Shield but wants to retain such data must affirm to the Department on an annual basis its commitment to continue to apply the Principles or provide "adequate" protection for the information by another authorized means (for example, using a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission); otherwise, the organization must return or delete the information. An organization that withdraws from the Privacy Shield must remove from any relevant privacy policy any references to the Privacy Shield that imply that the organization continues to actively participate in the Privacy Shield and is entitled to its benefits. § III.6.f. {Department of Commerce} {adequate protection} An organization must subject to the Privacy Shield Principles all personal data received from the EU in reliance upon the Privacy Shield. The undertaking to adhere to the Privacy Shield Principles is not time-limited in respect of personal data received during the period in which the organization enjoys the benefits of the Privacy Shield. Its undertaking means that it will continue to apply the Principles to such data for as long as the organization stores, uses or discloses them, even if it subsequently leaves the Privacy Shield for any reason. An organization that withdraws from the Privacy Shield but wants to retain such data must affirm to the Department on an annual basis its commitment to continue to apply the Principles or provide "adequate" protection for the information by another authorized means (for example, using a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission); otherwise, the organization must return or delete the information. An organization that withdraws from the Privacy Shield must remove from any relevant privacy policy any references to the Privacy Shield that imply that the organization continues to actively participate in the Privacy Shield and is entitled to its benefits. § III.6.f.] | Privacy protection for information and data | Data and Information Management | |
| Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Configuration | |
| Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Configuration | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Configuration | |
| Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Technical Security | |
| Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Data and Information Management | |
| Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Log Management | |
| Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Log Management | |
| Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Technical Security | |
| Implement security measures to protect personal data. CC ID 13606 | Privacy protection for information and data | Technical Security | |
| Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Testing | |
| Limit data leakage. CC ID 00356 [{data processor} The purpose of the contract is to make sure that the processor: provides appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alternation, unauthorized disclosure or access, and understands whether onward transfer is allowed; and § III.10.a.ii.2. {Security Principle}(Data Integrity and Purpose Limitation Principle} {Recourse, Enforcement and Liability Principle} An organization must apply the Privacy Shield Principles of Security, Data Integrity and Purpose Limitation, and Recourse, Enforcement and Liability to personal data from publicly available sources. These Principles shall apply also to personal data collected from public records, i.e., those records kept by government agencies or entities at any level that are open to consultation by the public in general. § III.15.a.] | Privacy protection for information and data | Data and Information Management | |
| Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Business Processes | |
| Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Acquisition/Sale of Assets or Services | |
| Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Process or Activity | |
| Include text about data ownership in the data handling policy. CC ID 15720 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain call metadata controls. CC ID 04790 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 | Privacy protection for information and data | Data and Information Management | |
| Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Privacy protection for information and data | Data and Information Management | |
| Store de-identifying code and re-identifying code separately. CC ID 16535 | Privacy protection for information and data | Data and Information Management | |
| Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Privacy protection for information and data | Data and Information Management | |
| Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain data handling procedures. CC ID 11756 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define personal data that falls under breach notification rules. CC ID 00800 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Privacy protection for information and data | Data and Information Management | |
| Define an out of scope privacy breach. CC ID 04677 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Privacy protection for information and data | Business Processes | |
| Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain a personal data transfer program. CC ID 00307 [{Department of Commerce} Where the organization wishes its Privacy Shield benefits to cover human resources information transferred from the EU for use in the context of the employment relationship, it may do so where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear claims against the organization arising out of the processing of human resources information. In addition, the organization must indicate this in its self-certification submission and declare its commitment to cooperate with the EU authority or authorities concerned in conformity with the Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities as applicable and that it will comply with the advice given by such authorities. The organization must also provide the Department with a copy of its human resources privacy policy and provide information where the privacy policy is available for viewing by its affected employees. § III.6.c.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Obtain consent from an individual prior to transferring personal data. CC ID 06948 | Privacy protection for information and data | Data and Information Management | |
| Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 [{notice principle} To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles. Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles. § II.3.a. {data processor} When personal data is transferred from the EU to the United States only for processing purposes, a contract will be required, regardless of participation by the processor in the Privacy Shield. § III.10.a.i. Data controllers in the European Union are always required to enter into a contract when a transfer for mere processing is made, whether the processing operation is carried out inside or outside the EU, and whether or not the processor participates in the Privacy Shield. The purpose of the contract is to make sure that the processor: § III.10.a.ii. {personal data transfer}{do not need} For transfers between controllers, the recipient controller need not be a Privacy Shield organization or have an independent recourse mechanism. The Privacy Shield organization must enter into a contract with the recipient third-party controller that provides for the same level of protection as is available under the Privacy Shield, not including the requirement that the third party controller be a Privacy Shield organization or have an independent recourse mechanism, provided it makes available an equivalent mechanism. § III.10.c.i.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 [{personal data transfer}{do not need} For transfers between controllers, the recipient controller need not be a Privacy Shield organization or have an independent recourse mechanism. The Privacy Shield organization must enter into a contract with the recipient third-party controller that provides for the same level of protection as is available under the Privacy Shield, not including the requirement that the third party controller be a Privacy Shield organization or have an independent recourse mechanism, provided it makes available an equivalent mechanism. § III.10.c.i.] | Privacy protection for information and data | Business Processes | |
| Notify data subjects when their personal data is transferred. CC ID 00352 | Privacy protection for information and data | Behavior | |
| Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 [{Department of Commerce} To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles; (iv) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (v) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request. § II.3.b. {Notice Principle}{Choice Principle} The Privacy Principles apply immediately upon certification. Recognizing that the Principles will impact commercial relationships with third parties, organizations that certify to the Privacy Shield Framework in the first two months following the Framework's effective date shall bring existing commercial relationships with third parties into conformity with the Accountability for Onward Transfer Principle as soon as possible, and in any event no later than nine months from the date upon which they certify to the Privacy Shield. During that interim period, where organizations transfer data to a third party, they shall (i) apply the Notice and Choice Principles, and (ii) where personal data is transferred to a third party acting as an agent, ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles. § III.6.e. {liability} In the context of an onward transfer, a Privacy Shield organization has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. The Privacy Shield organization shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage. § II.7.d. Airline passenger reservation and other travel information, such as frequent flyer or hotel reservation information and special handling needs, such as meals to meet religious requirements or physical assistance, may be transferred to organizations located outside the EU in several different circumstances. Under Article 26 of the Directive, personal data may be transferred "to a third country which does not ensure an adequate level of protection within the meaning of Article 25(2)" on the condition that it (i) is necessary to provide the services requested by the consumer or to fulfill the terms of an agreement, such as a "frequent flyer" agreement; or (ii) has been unambiguously consented to by the consumer. U.S. organizations subscribing to the Privacy Shield provide adequate protection for personal data and may therefore receive data transfers from the EU without meeting these conditions or other conditions set out in Article 26 of the Directive. Since the Privacy Shield includes specific rules for sensitive information, such information (which may need to be collected, for example, in connection with customers' needs for physical assistance) may be included in transfers to Privacy Shield participants. In all cases, however, the organization transferring the information has to respect the law in the EU Member State in which it is operating, which may inter alia impose special conditions for the handling of sensitive data. § III.13.a.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 | Privacy protection for information and data | Communicate | |
| Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 [{Notice Principle}{Choice Principle}{personal data transfer} Pharmaceutical and medical device companies are allowed to provide personal data from clinical trials conducted in the EU to regulators in the United States for regulatory and supervision purposes. Similar transfers are allowed to parties other than regulators, such as company locations and other researchers, consistent with the Principles of Notice and Choice. § III.14.d.i.] | Privacy protection for information and data | Data and Information Management | |
| Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 | Privacy protection for information and data | Data and Information Management | |
| Prohibit the transfer of personal data when security is inadequate. CC ID 00345 [{notice principle} To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles. Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles. § II.3.a. {notice principle} To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles. Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles. § II.3.a.] | Privacy protection for information and data | Data and Information Management | |
| Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 | Privacy protection for information and data | Data and Information Management | |
| Refrain from transferring past the first transfer. CC ID 00347 | Privacy protection for information and data | Data and Information Management | |
| Document transfer disagreements by the data subject in writing. CC ID 00348 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Allow the data subject the right to object to the personal data transfer. CC ID 00349 | Privacy protection for information and data | Data and Information Management | |
| Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 | Privacy protection for information and data | Records Management | |
| Follow the instructions of the data transferrer. CC ID 00334 [Where an organization in the EU transfers personal information about its employees (past or present) collected in the context of the employment relationship, to a parent, affiliate, or unaffiliated service provider in the United States participating in the Privacy Shield, the transfer enjoys the benefits of the Privacy Shield. In such cases, the collection of the information and its processing prior to transfer will have been subject to the national laws of the EU country where it was collected, and any conditions for or restrictions on its transfer according to those laws will have to be respected. § III.9.a.i. {employee information} It should be noted that certain generally applicable conditions for transfer from some EU Member States may preclude other uses of such information even after transfer outside the EU and such conditions will have to be respected. § III.9.b.ii. {data processor} The purpose of the contract is to make sure that the processor: acts only on instructions from the controller; § III.10.a.ii.1. {Notice Principle}{Choice Principle}{Accountability for Onward Transfer Principle} It is not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to public record information, as long as it is not combined with non-public record information, and any conditions for consultation established by the relevant jurisdiction are respected. Also, it is generally not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to publicly available information unless the European transferor indicates that such information is subject to restrictions that require application of those Principles by the organization for the uses it intends. Organizations will have no liability for how such information is used by those obtaining such information from published materials. § III.15.b. {Notice Principle}{Choice Principle}{Accountability for Onward Transfer Principle} It is not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to public record information, as long as it is not combined with non-public record information, and any conditions for consultation established by the relevant jurisdiction are respected. Also, it is generally not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to publicly available information unless the European transferor indicates that such information is subject to restrictions that require application of those Principles by the organization for the uses it intends. Organizations will have no liability for how such information is used by those obtaining such information from published materials. § III.15.b. {Notice Principle}{Choice Principle}{Accountability for Onward Transfer Principle} It is not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to public record information, as long as it is not combined with non-public record information, and any conditions for consultation established by the relevant jurisdiction are respected. Also, it is generally not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to publicly available information unless the European transferor indicates that such information is subject to restrictions that require application of those Principles by the organization for the uses it intends. Organizations will have no liability for how such information is used by those obtaining such information from published materials. § III.15.b.] | Privacy protection for information and data | Behavior | |
| Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 [{Notice Principle}{Choice Principle}{Accountability for Onward Transfer Principle} It is not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to public record information, as long as it is not combined with non-public record information, and any conditions for consultation established by the relevant jurisdiction are respected. Also, it is generally not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to publicly available information unless the European transferor indicates that such information is subject to restrictions that require application of those Principles by the organization for the uses it intends. Organizations will have no liability for how such information is used by those obtaining such information from published materials. § III.15.b.] | Privacy protection for information and data | Data and Information Management | |
| Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 | Privacy protection for information and data | Data and Information Management | |
| Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 [{key-coded data} Invariably, research data are uniquely key-coded at their origin by the principal investigator so as not to reveal the identity of individual data subjects. Pharmaceutical companies sponsoring such research do not receive the key. The unique key code is held only by the researcher, so that he or she can identify the research subject under special circumstances (e.g., if follow-up medical attention is required). A transfer from the EU to the United States of data coded in this way would not constitute a transfer of personal data that would be subject to the Privacy Shield Principles. § III.14.g.i.] | Privacy protection for information and data | Data and Information Management | |
| Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 | Privacy protection for information and data | Data and Information Management | |
| Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 | Privacy protection for information and data | Data and Information Management | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 | Privacy protection for information and data | Data and Information Management | |
| Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 | Privacy protection for information and data | Data and Information Management | |
| Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 | Privacy protection for information and data | Data and Information Management | |
| Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 | Privacy protection for information and data | Data and Information Management | |
| Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 [{notice principle} To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles. Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles. § II.3.a. For sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), organizations must obtain affirmative express consent (opt in) from individuals if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt- in choice. In addition, an organization should treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive. § II.2.c. {Department of Commerce} To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles; (iv) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (v) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request. § II.3.b. {Notice Principle}{Choice Principle} The Privacy Principles apply immediately upon certification. Recognizing that the Principles will impact commercial relationships with third parties, organizations that certify to the Privacy Shield Framework in the first two months following the Framework's effective date shall bring existing commercial relationships with third parties into conformity with the Accountability for Onward Transfer Principle as soon as possible, and in any event no later than nine months from the date upon which they certify to the Privacy Shield. During that interim period, where organizations transfer data to a third party, they shall (i) apply the Notice and Choice Principles, and (ii) where personal data is transferred to a third party acting as an agent, ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles. § III.6.e. {Notice Principle}{Choice Principle} The Privacy Principles apply immediately upon certification. Recognizing that the Principles will impact commercial relationships with third parties, organizations that certify to the Privacy Shield Framework in the first two months following the Framework's effective date shall bring existing commercial relationships with third parties into conformity with the Accountability for Onward Transfer Principle as soon as possible, and in any event no later than nine months from the date upon which they certify to the Privacy Shield. During that interim period, where organizations transfer data to a third party, they shall (i) apply the Notice and Choice Principles, and (ii) where personal data is transferred to a third party acting as an agent, ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles. § III.6.e. {Notice Principle}{Choice Principle} The Privacy Principles apply immediately upon certification. Recognizing that the Principles will impact commercial relationships with third parties, organizations that certify to the Privacy Shield Framework in the first two months following the Framework's effective date shall bring existing commercial relationships with third parties into conformity with the Accountability for Onward Transfer Principle as soon as possible, and in any event no later than nine months from the date upon which they certify to the Privacy Shield. During that interim period, where organizations transfer data to a third party, they shall (i) apply the Notice and Choice Principles, and (ii) where personal data is transferred to a third party acting as an agent, ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles. § III.6.e.] | Privacy protection for information and data | Data and Information Management | |
| Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 [When personal information is transferred between two controllers within a controlled group of corporations or entities, a contract is not always required under the Accountability for Onward Transfer Principle. Data controllers within a controlled group of corporations or entities may base such transfers on other instruments, such as EU Binding Corporate Rules or other intra-group instruments (e.g., compliance and control programs), ensuring the continuity of protection of personal information under the Privacy Shield Principles. In case of such transfers, the Privacy Shield organization remains responsible for compliance with Privacy Shield Principles. § III.10.b.i.] | Privacy protection for information and data | Business Processes | |
| Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 | Privacy protection for information and data | Data and Information Management | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 | Privacy protection for information and data | Data and Information Management | |
| Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 [An organization must inform individuals about: its liability in cases of onward transfers to third parties. § II.1.a.xiii.] | Privacy protection for information and data | Communicate | |
| Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 | Privacy protection for information and data | Behavior | |
| Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 | Privacy protection for information and data | Data and Information Management | |
| Obtain consent prior to downloading software to an individual's computer. CC ID 06951 | Privacy protection for information and data | Data and Information Management | |
| Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 | Privacy protection for information and data | Process or Activity | |
| Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 | Privacy protection for information and data | Process or Activity | |
| Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 | Privacy protection for information and data | Process or Activity | |
| Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a privacy impact assessment. CC ID 13712 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include how to grant consent in the privacy impact assessment. CC ID 15519 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include data handling procedures in the privacy impact assessment. CC ID 15516 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the intended use of information in the privacy impact assessment. CC ID 15515 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the reason information is being collected in the privacy impact assessment. CC ID 15514 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the type of information to be collected in the privacy impact assessment. CC ID 15513 | Privacy protection for information and data | Business Processes | |
| Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 | Privacy protection for information and data | Communicate | |
| Develop remedies and sanctions for privacy policy violations. CC ID 00474 [{be rigorous} At a minimum such mechanisms must include: obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations. § II.7.a.iii. To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles; (iv) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (v) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request. § II.3.b.] | Privacy protection for information and data | Data and Information Management | |
| Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 | Privacy protection for information and data | Behavior | |
| Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 | Privacy protection for information and data | Business Processes | |
| Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 [Independent recourse mechanisms must include on their public websites information regarding the Privacy Shield Principles and the services that they provide under the Privacy Shield. This information must include: (1) information on or a link to the Privacy Shield Principles' requirements for independent recourse mechanisms; (2) a link to the Department's Privacy Shield website; (3) an explanation that their dispute resolution services under the Privacy Shield are free of charge to individuals; (4) a description of how a Privacy Shield-related complaint can be filed; (5) the timeframe in which Privacy Shield-related complaints are processed; and (6) a description of the range of potential remedies. § III.11.d.ii.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include potential remedies in the privacy dispute resolution program. CC ID 12531 [Independent recourse mechanisms must include on their public websites information regarding the Privacy Shield Principles and the services that they provide under the Privacy Shield. This information must include: (1) information on or a link to the Privacy Shield Principles' requirements for independent recourse mechanisms; (2) a link to the Department's Privacy Shield website; (3) an explanation that their dispute resolution services under the Privacy Shield are free of charge to individuals; (4) a description of how a Privacy Shield-related complaint can be filed; (5) the timeframe in which Privacy Shield-related complaints are processed; and (6) a description of the range of potential remedies. § III.11.d.ii.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 [An organization must inform individuals about: how to contact the organization with any inquiries or complaints, including any relevant establishment in the EU that can respond to such inquiries or complaints, § II.1.a.v. An organization must inform individuals about: the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the panel established by DPAs, (2) an alternative dispute resolution provider based in the EU, or (3) an alternative dispute resolution provider based in the United States, § II.1.a.ix. description of the organization's privacy policy for such personal information, including: a contact office for the handling of complaints, access requests, and any other issues arising under the Privacy Shield; § III.6.b.iii.3. Consistent with the fundamental nature of access, organizations should always make good faith efforts to provide access. For example, where certain information needs to be protected and can be readily separated from other personal information subject to an access request, the organization should redact the protected information and make available the other information. If an organization determines that access should be restricted in any particular instance, it should provide the individual requesting access with an explanation of why it has made that determination and a contact point for any further inquiries. § III.8.a.iii. {personal data access request} An organization which claims an exception has the burden of demonstrating its necessity, and the reasons for restricting access and a contact point for further inquiries should be given to individuals. § III.8.e.ii.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 [Independent recourse mechanisms must include on their public websites information regarding the Privacy Shield Principles and the services that they provide under the Privacy Shield. This information must include: (1) information on or a link to the Privacy Shield Principles' requirements for independent recourse mechanisms; (2) a link to the Department's Privacy Shield website; (3) an explanation that their dispute resolution services under the Privacy Shield are free of charge to individuals; (4) a description of how a Privacy Shield-related complaint can be filed; (5) the timeframe in which Privacy Shield-related complaints are processed; and (6) a description of the range of potential remedies. § III.11.d.ii.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document unresolved challenges. CC ID 13568 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify individuals of their right to challenge personal data. CC ID 00457 [Under the Privacy Shield Principles, the right of access is fundamental to privacy protection. In particular, it allows individuals to verify the accuracy of information held about them. The Access Principle means that individuals have the right to: § III.8.a.i. Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated. § II.6.a. The Access Principle means that individuals have the right to: have the data corrected, amended or deleted where it is inaccurate or processed in violation of the Principles. § III.8.a.i.3.] | Privacy protection for information and data | Data and Information Management | |
| Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 | Privacy protection for information and data | Data and Information Management | |
| Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 | Privacy protection for information and data | Configuration | |
| Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 | Privacy protection for information and data | Human Resources Management | |
| Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 | Privacy protection for information and data | Data and Information Management | |
| Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 | Privacy protection for information and data | Communicate | |
| Investigate the disputed accuracy of personal data. CC ID 00461 | Privacy protection for information and data | Data and Information Management | |
| Notify third parties of unresolved challenges. CC ID 13559 | Privacy protection for information and data | Communicate | |
| Document disagreements as to whether personal data is complete and accurate. CC ID 06952 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the allegations against the organization in the notice of investigation. CC ID 13031 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 [In so far as personal information is used only in the context of the employment relationship, primary responsibility for the data vis-à-vis the employee remains with the organization in the EU. It follows that, where European employees make complaints about violations of their data protection rights and are not satisfied with the results of internal review, complaint, and appeal procedures (or any applicable grievance procedures under a contract with a trade union), they should be directed to the state or national data protection or labor authority in the jurisdiction where the employees work. This includes cases where the alleged mishandling of their personal information is the responsibility of the U.S. organization that has received the information from the employer and thus involves an alleged breach of the Privacy Shield Principles. This will be the most efficient way to address the often overlapping rights and obligations imposed by local labor law and labor agreements as well as data protection law. § III.9.d.i.] | Privacy protection for information and data | Behavior | |
| Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 | Privacy protection for information and data | Behavior | |
| Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 | Privacy protection for information and data | Behavior | |
| Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 | Privacy protection for information and data | Behavior | |
| Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 | Privacy protection for information and data | Behavior | |
| Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 | Privacy protection for information and data | Behavior | |
| Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 | Privacy protection for information and data | Behavior | |
| Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 | Privacy protection for information and data | Behavior | |
| Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 | Privacy protection for information and data | Behavior | |
| Define the organization's liability based on the applicable law. CC ID 00504 [{liability} In the context of an onward transfer, a Privacy Shield organization has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. The Privacy Shield organization shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage. § II.7.d. Internet Service Providers ("ISPs"), telecommunications carriers, and other organizations are not liable under the Privacy Shield Principles when on behalf of another organization they merely transmit, route, switch, or cache information. As is the case with the Directive itself, the Privacy Shield does not create secondary liability. To the extent that an organization is acting as a mere conduit for data transmitted by third parties and does not determine the purposes and means of processing those personal datą it would not be liable. § III.3.a. {pharmaceutical company} {Notice Principle} {Choice Principle} {Accountability for Onward Transfer Principle} {Access Principle} A pharmaceutical or medical device company does not have to apply the Privacy Shield Principles with respect to the Notice, Choice, Accountability for Onward Transfer, and Access Principles in its product safety and efficacy monitoring activities, including the reporting of adverse events and the tracking of patients/subjects using certain medicines or medical devices, to the extent that adherence to the Principles interferes with compliance with regulatory requirements. This is true both with respect to reports by, for example, health care providers to pharmaceutical and medical device companies, and with respect to reports by pharmaceutical and medical device companies to government agencies like the Food and Drug Administration. § III.14.f.i.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 [Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum such mechanisms must include: § II.7.a. At a minimum such mechanisms must include: readily available independent recourse mechanisms by which each individual's complaints and disputes are investigated and expeditiously resolved at no cost to the individual and by reference to the Principles, and damages awarded where the applicable law or private-sector initiatives so provide; § II.7.a.i. {be rigorous} At a minimum such mechanisms must include: obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations. § II.7.a.iii.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the appeal process based on the applicable law. CC ID 00506 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the fee structure for the appeal process. CC ID 16532 | Privacy protection for information and data | Process or Activity | |
| Define the time requirements for the appeal process. CC ID 16531 | Privacy protection for information and data | Process or Activity | |
| Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 | Privacy protection for information and data | Communicate | |
| Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 | Privacy protection for information and data | Communicate | |
| Provide notice of proposed penalties. CC ID 06216 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify the public and other agencies after a penalty becomes final. CC ID 06217 [{Federal Trade Commission order}{Privacy Shield} When an organization becomes subject to an FTC or court order based on non-compliance, the organization shall make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements. The Department has established a dedicated point of contact for DPAs for any problems of compliance by Privacy Shield organizations. The FTC will give priority consideration to referrals of non-compliance with the Principles from the Department and EU Member State authorities, and will exchange information regarding referrals with the referring state authorities on a timely basis, subject to existing confidentiality restrictions. § II.7.e.] | Privacy protection for information and data | Behavior | |
| Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain customer data authentication procedures. CC ID 13187 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Check the accuracy of restricted data. CC ID 00088 [{is accurate} {is complete} {is current} Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. An organization must adhere to the Principles for as long as it retains such information. § II.5.a. {is accurate} {is complete} {is current} Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. An organization must adhere to the Principles for as long as it retains such information. § II.5.a.] | Privacy protection for information and data | Data and Information Management | |
| Check that restricted data is complete. CC ID 00090 [{is accurate} {is complete} {is current} Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. An organization must adhere to the Principles for as long as it retains such information. § II.5.a.] | Privacy protection for information and data | Data and Information Management | |
| Keep restricted data up-to-date and valid. CC ID 00091 [{is accurate} {is complete} {is current} Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. An organization must adhere to the Principles for as long as it retains such information. § II.5.a.] | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a description of the product or service to be provided in third party contracts. CC ID 06509 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a description of the products or services fees in third party contracts. CC ID 10018 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 | Third Party and supply chain oversight | Business Processes | |
| Include text about data ownership in third party contracts. CC ID 06502 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include roles and responsibilities in third party contracts. CC ID 13487 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a reporting structure in third party contracts. CC ID 06532 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include points of contact in third party contracts. CC ID 12355 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
| Include an indemnification and liability clause in third party contracts. CC ID 06517 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include change control clauses in third party contracts, as necessary. CC ID 06523 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include change control notification processes in third party contracts. CC ID 06524 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include cost structure changes in third party contracts. CC ID 10021 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a choice of venue clause in third party contracts. CC ID 06520 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a dispute resolution clause in third party contracts. CC ID 06519 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include early termination contingency plans in the third party contracts. CC ID 06526 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include termination costs in third party contracts. CC ID 10023 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 [{data processor} The purpose of the contract is to make sure that the processor: taking into account the nature of the processing, assists the controller in responding to individuals exercising their rights under the Principles. § III.10.a.ii.3.] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include disclosure requirements in third party contracts. CC ID 08825 | Third Party and supply chain oversight | Business Processes | |
| Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Business Processes | |
| Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353 | Third Party and supply chain oversight | Establish/Maintain Documentation | |